Data security and privacy practices for Defender for Cloud Apps
Note
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities. For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
Note
This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Microsoft Defender for Cloud Apps is a critical component of the Microsoft Cloud Security stack. It's a comprehensive solution that helps your organization take full advantage of the promise of cloud applications. Defender for Cloud Apps keeps you in control through comprehensive visibility, auditing, and granular controls over your sensitive data.
Defender for Cloud Apps has tools that help uncover shadow IT and assess risk while enabling you to enforce policies and investigate activities. It helps you control access in real time and stop threats so your organization can more safely move to the cloud.
Defender for Cloud Apps compliance
In a world where data breaches and attacks are daily occurrences, it's essential for organizations to choose a Cloud Access Security Broker (CASB) that makes every effort to protect their data. Defender for Cloud Apps, like all Microsoft cloud products and services, is built to address the rigorous security and privacy demands of our customers.
To help organizations comply with national/regional and industry-specific requirements governing the collection and use of individuals' data, Defender for Cloud Apps provides a comprehensive set of compliance offerings. The compliance offerings include certifications and attestations.
Compliance framework and offerings
Defender for Cloud Apps meets many international and industry-specific compliance standards including, but not limited to:
Title | Description |
---|---|
CSA STAR Attestation | Azure and Intune were awarded Cloud Security Alliance STAR Attestation based on an independent audit. |
CSA STAR Certification | Azure, Intune, and Power BI were awarded Cloud Security Alliance STAR Certification at the Gold level. |
EU Model Clauses | Microsoft offers EU Standard Contractual Clauses, which provide guarantees for transfers of personal data. |
HIPAA/HITECH | Microsoft offers Health Insurance Portability & Accountability Act Business Associate Agreements (BAAs). |
ISO 9001 | Microsoft is certified for its implementation of these quality management standards. |
ISO/IEC 27001 | Microsoft is certified for its implementation of these information security management standards. |
ISO/IEC 27018 | Microsoft was the first cloud provider to adhere to this code of practice for cloud privacy. |
PCI DSS | Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1. |
SOC 1 and SOC 2 Type 2 Reports | Microsoft cloud services comply with Service Organization Controls standards for operational security. |
SOC 3 | Microsoft cloud services comply with Service Organization Controls standards for operational security. |
UK G-Cloud | The Crown Commercial Service renewed the Microsoft cloud services classification to Government Cloud v6. |
For more information, go to Microsoft Compliance Offerings.
Privacy
You're the owner of your data
In Defender for Cloud Apps, your administrators can view the identifiable personal data stored in the service from the portal using the Search bar.
Admins can search for a specific user's metadata or activity. Selecting an entity opens the Users page, which provides comprehensive details about the entity pulled from connected cloud applications, together with the user's activity history and the security alerts related to the user.
You own your data and can cancel subscriptions and request deletion of your data at any time. If you don't renew your subscription, your data will be deleted within the timeline specified in the Online Services Terms.
If you ever choose to terminate the service, you can take your data with you.
Defender for Cloud Apps is the processor of your data
Defender for Cloud Apps uses your data only for purposes that are consistent with providing the services to which you subscribe.
If a government approaches Microsoft for access to your data, Microsoft redirects the inquiry to you, the customer, whenever possible. Microsoft has challenged legal demands that weren't valid, including ones that prohibited disclosing a government request for customer data. Learn more about who can access your data and on what terms.
Privacy controls
- Privacy controls help you configure who in your organization has access to the service and what they can access.
Updating personal data
Personal data about users is derived from the user's object in the SaaS applications used. Because of this, any changes made to the user profile in these applications are reflected in Defender for Cloud Apps.
Data location
Defender for Cloud Apps currently operates in datacenters in the European Union, the United Kingdom, and the United States (each a "Geo").
Defender for Cloud Apps uses Azure datacenters around the world to provide optimized performance through geolocation. This means that a user's session may be served from a datacenter outside of a particular region, depending on traffic patterns and the user's location. However, to protect your privacy, no session data is stored in the datacenter that serves the session; data at rest stays in the storage locations described in the next section.
For more information, see the Microsoft Trust Center.
Defender for Cloud Apps data storage locations
Customer data collected by the service is stored at rest as follows:
Customer provisioning location | Data storage location |
---|---|
Customers whose tenants are provisioned in the European Union or the United Kingdom | Either the European Union or the United Kingdom |
All other customers | The Geo that is nearest to the location of where the customer's Azure Active Directory tenant has been provisioned |
If Defender for Cloud Apps uses another Microsoft online service, such as Azure Active Directory or Azure CDN to process such data, the data geo location is defined by the data storage rules of that other online service.
App governance data storage locations
Customer data collected by the service is stored at rest as follows:
Customer provisioning location | Data storage location |
---|---|
Customers whose tenants are provisioned in the United States | United States |
Customers whose tenants are provisioned in the European Union or the United Kingdom | Either the European Union or the United Kingdom |
Customers whose tenants are provisioned in the Asia Pacific | Either Asia Pacific or the United States |
Customers whose tenants are provisioned in Canada | Canada or the United States |
Customers whose tenants are provisioned in India | Either India or the United States |
Customers whose tenants are provisioned in any other region | The United States or a data center in the Geo that is nearest to the location of where the customer's Azure Active Directory tenant has been provisioned |
If App governance uses another Microsoft online service, such as Azure Active Directory or Azure CDN to process such data, the data geo location is defined by the data storage rules of that other online service.
App governance is now part of Microsoft Defender for Cloud Apps. For existing customers, by June 2024, we will be moving your data to match your Microsoft Defender for Cloud Apps data residency. There is no work required on your side and there won’t be any service disruptions. For more information, see Defender for Cloud Apps data storage locations.
Transparency
Microsoft provides transparency about its practices:
- Sharing with you where your data is stored.
- Affirming that your data is used only to deliver agreed-upon services.
- Specifying how Microsoft engineers and approved subcontractors use this data to provide services.
Microsoft uses strict controls to govern access to customer data, granting the lowest level of access required to complete key tasks and revoking access when it's no longer needed.
Data protection
Defender for Cloud Apps enforces data protection during content inspection. File content isn't stored in the Defender for Cloud Apps datacenter. Only the metadata of the file records and any matches that were identified are stored.
Data retention
Defender for Cloud Apps retains data as follows:
- Activity log: 180 days
- Discovery data: 90 days
- Alerts: 180 days
- Governance log: 120 days
You can learn more about Microsoft data practices by reading the Online Service Terms.
Data sharing
Defender for Cloud Apps shares data, including customer data, among the following Microsoft products also licensed by the customer:
- Microsoft Defender for Cloud
- Microsoft Sentinel
- Microsoft Defender for Endpoint
Deleting personal data
After a user's account is deleted from a connected cloud application, Defender for Cloud Apps will automatically delete the copy of the data within two years.
Exporting personal data
Defender for Cloud Apps provides you with the ability to export to CSV all user activity and security alert information.
Data flow
Defender for Cloud Apps provides you with the convenience of working with some data, such as alerts and activities, without disrupting your usual security workflow. For example, SecOps may prefer to view alerts in their preferred SIEM product such as Microsoft Sentinel. To enable such workflows, when integrating with Microsoft or third-party products, Defender for Cloud Apps exposes some data through them.
The following tables show what data is surfaced for each product integration:
Microsoft products
Product | Exposed data | Configuration |
---|---|---|
Microsoft 365 Defender | Alerts and user activities | Enabled automatically on Microsoft 365 Defender upon onboarding |
Microsoft Sentinel | Alerts and discovery data | Enabled in Defender for Cloud Apps and configured in Microsoft Sentinel |
Microsoft Purview compliance portal | Alerts for Microsoft 365 | Automatically streamed to Microsoft Purview compliance portal |
Microsoft Defender for Cloud | Alerts for Azure | Enabled by default in Defender for Cloud Apps; can be disabled in Microsoft Defender for Cloud |
Microsoft Graph Security API | Alerts | Available via Microsoft Graph Security API |
Microsoft Power Automate | Alerts sent to trigger an automated flow | Configured in Defender for Cloud Apps |
Microsoft Threat Experts | Alerts | Automatically streamed to Microsoft Threat Experts |
Azure Active Directory Identity Protection | Alerts | Automatically streamed to Azure Active Directory Identity Protection |
Microsoft Azure AD Identity Protection | Subset of alerts for identity risk model | Enabled automatically on Azure AD Identity Protection upon onboarding |
Third-party products
Integration type | Exposed data | Configuration |
---|---|---|
Using a SIEM agent | Alerts and events | Enabled and configured in Defender for Cloud Apps |
Using the Defender for Cloud Apps REST API | Alerts and events | Enabled and configured in Defender for Cloud Apps |
ICAP connector | File for DLP scan | Enabled and configured in Defender for Cloud Apps |
Note
Other products may not enforce Defender for Cloud Apps role-based security permissions to control who has access to what data. Therefore, before integrating with other products, make sure you understand what data is sent to the product you want to use and who has access to it.
Security
Encryption
Microsoft uses encryption technology to protect your data while at rest in a Microsoft database and when it travels between user devices and Defender for Cloud Apps datacenters. Additionally, all communication between Defender for Cloud Apps and connected apps is encrypted using HTTPS.
Note
Defender for Cloud Apps uses Transport Layer Security (TLS) 1.2 or later to provide best-in-class encryption. Native client applications and browsers that don't support TLS 1.2+ can't connect to an app that is configured with session control. However, because the browser's connection terminates at the Defender for Cloud Apps proxy, SaaS apps that themselves use TLS 1.1 or lower will appear in the browser as using TLS 1.2+ when configured with Defender for Cloud Apps.
Identity and access management
Defender for Cloud Apps enables you to restrict administrator access to the portal by geolocation using Azure Active Directory (for example, through Conditional Access policies). You can also require multi-factor authentication to access the Defender for Cloud Apps portal by using Azure Active Directory.
Permissions
Defender for Cloud Apps supports role-based access control. The Microsoft 365 and Azure Active Directory Global Administrator and Security Administrator roles have full access to Defender for Cloud Apps, and the Security Reader role has read-only access.
Customer controls for organizational compliance
Scoped deployment
Defender for Cloud Apps enables you to scope your deployment. Scoping enables you to govern only specific groups using Defender for Cloud Apps, or to exclude specific groups from Defender for Cloud Apps governance. For more information, see Scoped deployment.
Anonymization
You can choose to keep Cloud Discovery reports anonymous. After your log files are uploaded to Microsoft Defender for Cloud Apps, all username information is replaced with encrypted usernames, so the reports still show how many distinct users consumed each app without revealing who they are. For specific security investigations, an authorized admin can resolve the real username. Private data is encrypted using AES-128 with a dedicated key per tenant.
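The following program is an added example of the pseudonymization pattern described above; it is not Microsoft's implementation, and the page only states that usernames are encrypted with AES-128 under a per-tenant key. Everything else is an assumption made for the example: the per-tenant keys are derived from a master secret with HMAC-SHA256, the cipher is AES-128-GCM with a synthetic nonce derived from the username (so the same user always maps to the same token and reports stay joinable, while distinct usernames never share a nonce), and the log lines are a constructed `time,user,destination,bytes` format rather than any real firewall or proxy export.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Pseudonymizer holds one tenant's keys. Key layout is an assumption for this
// example: a 16-byte AES-128 key for the cipher and a separate 32-byte key
// for deriving the synthetic nonce, both derived from a master secret and the
// tenant ID so that tokens from one tenant cannot be resolved with another's key.
type Pseudonymizer struct {
	aead     cipher.AEAD
	nonceKey []byte
}

// derive returns HMAC-SHA256(key, label); used as a simple KDF and as a PRF.
func derive(key []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// NewPseudonymizer builds the per-tenant AES-128-GCM cipher and nonce key.
func NewPseudonymizer(master []byte, tenantID string) (*Pseudonymizer, error) {
	encKey := derive(master, "enc:"+tenantID)[:16] // AES-128 key
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Pseudonymizer{aead: aead, nonceKey: derive(master, "nonce:"+tenantID)}, nil
}

// Pseudonymize encrypts a username deterministically. The nonce is
// HMAC(nonceKey, username)[:12], so equal usernames yield equal tokens and
// different usernames get different nonces, which keeps GCM's rule that a
// nonce is never reused for different plaintexts. Token = base64url(nonce || ciphertext || tag).
func (p *Pseudonymizer) Pseudonymize(username string) string {
	nonce := derive(p.nonceKey, username)[:p.aead.NonceSize()]
	ct := p.aead.Seal(nil, nonce, []byte(username), nil)
	out := make([]byte, 0, len(nonce)+len(ct))
	out = append(out, nonce...)
	out = append(out, ct...)
	return base64.RawURLEncoding.EncodeToString(out)
}

// Resolve recovers the username for an investigation. It fails for tokens
// produced under another tenant's key or tampered tokens, because GCM
// authenticates the ciphertext before returning any plaintext.
func (p *Pseudonymizer) Resolve(token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	ns := p.aead.NonceSize()
	if len(raw) < ns+p.aead.Overhead() {
		return "", errors.New("token too short")
	}
	pt, err := p.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", errors.New("token was not issued under this tenant key")
	}
	return string(pt), nil
}

// SampleLog is constructed for this example: time,user,destination,bytes.
var SampleLog = []string{
	"2024-03-01T10:00:00Z,alice@contoso.com,dropbox.com,1024",
	"2024-03-01T10:00:05Z,bob@contoso.com,box.com,2048",
	"2024-03-01T10:00:09Z,alice@contoso.com,box.com,512",
}

// AnonymizeLog replaces the user field (index 1) of each line with its token.
func AnonymizeLog(lines []string, p *Pseudonymizer) []string {
	out := make([]string, 0, len(lines))
	for _, l := range lines {
		f := strings.Split(l, ",")
		if len(f) > 1 {
			f[1] = p.Pseudonymize(f[1])
		}
		out = append(out, strings.Join(f, ","))
	}
	return out
}

func main() {
	master := []byte("constructed-master-secret-do-not-use") // assumption: stand-in for a managed key
	p, err := NewPseudonymizer(master, "tenant-a")
	if err != nil {
		panic(err)
	}
	for _, l := range AnonymizeLog(SampleLog, p) {
		fmt.Println(l)
	}
	// An investigator holding the tenant key can resolve a token back.
	token := strings.Split(AnonymizeLog(SampleLog, p)[0], ",")[1]
	user, _ := p.Resolve(token)
	fmt.Println("resolved:", user)
}
```

Two points worth keeping in mind when reading the output: the scheme is deliberately deterministic, so the tokens are pseudonyms rather than anonymous values (an analyst can still count a user's sessions, and anyone who can guess a username and holds the key can confirm it), and whoever controls the tenant key controls the ability to resolve, so key custody is the access control for de-anonymization.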
Security and Privacy for Defender for Cloud Apps US Government GCC High customers
For information on Defender for Cloud Apps compliance standards and the location of data for US Government GCC High customers, see Enterprise Mobility + Security for US Government service description.
Next steps
- Defender for Cloud Apps overview
- Defender for Cloud Apps documentation
- Sign up for Defender for Cloud Apps
Get a free trial of Defender for Cloud Apps, and see how it meets your business challenges.