Data exfiltration protection access controls

Data exfiltration is an attack whereby an internal or external actor completes an unauthorized data transfer of sensitive corporate resources. The exfiltration of sensitive corporate resources is often accomplished due to a lack of appropriate authentication and authorization controls. Microsoft seeks to guard against malicious access and the exfiltration of data to locations outside of their intended organizational scope by employing a suite of mitigating controls to address multiple risk scenarios. By doing so, Microsoft supports the defense-in-depth posture of its customers and reduces the threat of data exfiltration.

This article provides an in-depth look at the holistic approach Microsoft takes for data exfiltration protection on behalf of its customers. It shows how Microsoft’s suite of mitigating controls detect and prevent malicious behavior, manage access between tenants, and protect against replay attacks.

Microsoft Defender for Cloud Apps

Actions that would compromise the security of customer data must be detected and prevented. For example, employees may be using an unapproved cloud application for storing sensitive corporate data or downloading a vast number of sensitive files for exfiltration. These actions can be prevented by Microsoft Defender for Cloud Apps.

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). CASBs control access in real time between enterprise users and the cloud resources they use, wherever users are located and regardless of the device they are using. Microsoft Defender for Cloud Apps prevents malicious activity across all Microsoft and third-party cloud services by discovering and providing visibility into shadow IT and app use, monitoring user activities for anomalous behavior, controlling access to resources, providing the ability to classify and prevent sensitive information leaks, and assessing the compliance of cloud services. Microsoft Defender for Cloud Apps supports various deployment modes including log collection, API connectors, and reverse proxy. This CASB offering allows organizations to sanction and block the use of specified cloud applications and to block malicious file downloads using Conditional Access App Control.

Microsoft Defender for Cloud Apps Conditional Access App Control (CAAC) uses reverse proxy architecture to provide the tools needed for real-time visibility and control over access to and activities performed within a cloud environment. CAAC can be used to:

  • Avoid data leaks by blocking downloads

  • Set rules that force data stored in the cloud to be protected with encryption.

  • Highlight unprotected endpoints so that organizations can monitor what's being done on unmanaged devices

  • Control access from non-corporate networks or risky IP addresses.

  • Reevaluate conditional access policies when a sensitive action occurs in the session. Allowing, for example, the download of a highly confidential file to require multi-factor authentication.

Continuous Access Evaluation

Risky user behavior that precedes data exfiltration can also be detected and prevented, by Continuous Access Evaluation (CAE). CAE works to enforce access policies in near-real time based on signals from users, sessions, and devices, and can revoke sessions when risk is present. For example:

  • When a user has been terminated and their access to corporate resources must be immediately revoked.

  • When a user authenticates within the corporate boundary, only to walk across the street to a coffee shop, connecting to the riskier network while still being authenticated into cloud resources containing sensitive data.

  • When a user account is deleted or disabled.

  • When the password for a user is changed or reset.

  • When the administrator explicitly revokes all refresh tokens for the user.

  • When high user risk is detected by Microsoft Entra ID Protection (device non-compliance, impossible travel, etc.)

CAE can also be used to prevent token export, a common data exfiltration risk. Tokens e.g., access tokens, are provided to an authorized user when a session is initiated. Using developer tools, these tokens can be exported outside of the internal network to external users who then supply the token to a Microsoft 365 service, circumventing Microsoft Entra ID, and gaining access to that resource and the data within. CAE prevents token export by restricting access to corporate resources to trusted IP addresses and always-on VPN. In a token export scenario, CAE would detect the access request coming from an unauthorized location and revoke access to the resource, preventing data exfiltration.

Mitigating the risk of unauthorized tenant access

Microsoft understands that a key part of business involves collaboration and communication with other enterprises. Collaboration and guest access carry their own inherent risks. Employees can be invited to use their home identities to become guests in another tenant or invite guests from another tenant into their own. Employees might also attempt to use the enterprise accounts of another tenant to access said tenant from within their network, creating an exfiltration channel. Malicious or negligent users may also use their personal Microsoft resources for storage of sensitive corporate data (e.g., Outlook, personal OneDrive). This is why Microsoft employs Tenant Restrictions v2 (TRv2). TRv2 is a cloud-policy based authorization control plane that allows control over employee access to external tenants. With TRv2, users on organizationally managed devices or devices inside the corporate network can be blocked from accessing unsanctioned foreign tenants. Cross-Tenant access policies (XTAP) further enable control over how you collaborate within other organization’s tenants (outbound) and how other organizations collaborate within your own organization (inbound). Using XTAP, users can become guests in only explicitly approved tenants.

TRv2 can also be used to prevent token import. Token import takes place when a user logs into an unapproved external tenant from outside the corporate network, then their token is sent to an associate inside the corporate network. The user inside the corporate network then attempts to use the access token to log into an unapproved tenant for the purpose of data exfiltration. TRv2 prevents token import by blocking the internal user from accessing non-allowlisted foreign tenants. In this scenario, the user would not be able to authenticate to the external tenant with the token because of TRv2.