Understanding policies and data classification in Safetica Cloud Protection

Learn how Safetica Cloud Protection applies policies to Microsoft 365 email and file operations and how it handles classified files.


Introduction

With Safetica Cloud Protection you can:

  1. Protect files classified with existing classification: Files classified by third-party tools that added classification identifiers into them (e.g. Microsoft MIP, Boldon James, or Tukan GREENmod) can be audited and blocked in SharePoint (both files and folders), OneDrive for Business, Teams, or Outlook on the web, even on devices without Safetica Client.
  2. Protect files without existing classification: Policies based on anything other than existing classification work only for operations performed from devices with Safetica Client (or if the files are not modified in the cloud).
  3. Audit all file sharing and other file movements: Sharing, download, and upload to and from Microsoft 365 can be audited even on devices without Safetica Client.

File uploads to Microsoft 365 can only be blocked on devices with Safetica Client installed. Uploads from devices without Safetica Client are only audited.

 

 


Policies in Safetica Cloud Protection

Once Microsoft 365 email protection and Microsoft 365 file protection are activated, Safetica Cloud Protection starts applying policies for Email and M365 file sharing operations performed by users in your Microsoft 365 tenant.

To apply email blocking policies, you must use our Outlook add-in, which will be available in the near future.

 

Creating sharing and email protection policies

Learn how to create a policy here.

  • Use the M365 file sharing destination type to protect files shared via Outlook on the web, SharePoint, OneDrive for Business, or Teams.
  • Use the Email destination type to protect files sent as attachments via Outlook on the web.
  • Data destinations settings work the same way for both emails and file sharing. 

We do not check the email body for sensitive content. 

 

Example: The admin decides that @safetica.com is a safe domain and adds it to the Safe destinations column in Data destinations. Then the admin creates a policy that blocks Email and M365 file sharing to All except safe destinations. What will happen?

Files sent as email attachments or shared via SharePoint, Teams, or OneDrive for Business to users with @safetica.com addresses will not violate the policy, since the domain is considered safe. The emails will be sent and the files will be shared.

Email attachments and file sharing to users with other email domains will violate the policy and will be blocked.
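
The decision in the example above, written out as an added Python example (not Safetica's code) that an admin can use to list the outcomes they expect before enabling a blocking policy. The function names, the exact-domain matching, the treatment of subdomains as unsafe, and the rule that one unsafe recipient blocks the whole operation are assumptions of this model.

```python
# Added illustration: a simplified model of a block policy with the destination
# "All except safe destinations". This is not Safetica's implementation.
from email.utils import parseaddr

SAFE_DESTINATIONS = {"safetica.com"}  # the safe domain from the page's example


def recipient_domain(recipient: str) -> str:
    """Return the lower-cased domain after the last '@', or '' if malformed."""
    _, address = parseaddr(recipient)          # strips a display name, if any
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        return ""
    return domain.lower().rstrip(".")


def is_safe(recipient: str, safe=SAFE_DESTINATIONS) -> bool:
    # Assumption: exact domain match; subdomains and look-alikes are not safe.
    return recipient_domain(recipient) in safe


def evaluate(recipients, safe=SAFE_DESTINATIONS) -> dict:
    """Assumption: one recipient outside the safe list violates the policy."""
    violating = [r for r in recipients if not is_safe(r, safe)]
    return {"action": "block" if violating else "allow", "violating": violating}


# Constructed recipients for a pre-rollout test matrix (not real addresses).
TEST_MATRIX = [
    ["alice@safetica.com"],
    ["Alice <ALICE@Safetica.COM>"],
    ["bob@example.org"],
    ["carol@safetica.com.example.net"],   # safe domain used as a prefix
    ["safetica.com@example.net"],         # safe domain in the local part
    ["dave@mail.safetica.com"],           # subdomain of the safe domain
    ["alice@safetica.com", "bob@example.org"],  # mixed recipients
]

if __name__ == "__main__":
    for recipients in TEST_MATRIX:
        print(evaluate(recipients)["action"], recipients)
```

Send the same kinds of recipients through a test policy and compare the resulting records in the console with the model's output; a row that differs shows where the product's matching departs from these assumptions.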

 

Accessing records related to Microsoft 365 email and file operations

  • View records related to Outlook on the web and SharePoint, OneDrive for Business, and Teams file activity in the Data section of the Safetica console.
  • To only see records from Microsoft 365, set the Application filter to Exchange Online, SharePoint Online, and Microsoft Teams.

 

 


Data classification in Safetica Cloud Protection

Safetica Cloud Protection focuses primarily on protecting files that are sent via Outlook on the web or shared via SharePoint, OneDrive for Business, and Teams from devices with Safetica Client.

There are 2 ways of working with classified files in the cloud:

  1. Files sent via Outlook on the web or shared via SharePoint, OneDrive for Business, or Teams from a device with Safetica Client:
    • Safetica Cloud Protection knows the whole history of files that were uploaded to Microsoft 365 from devices with Safetica Client and were not changed in the cloud (e.g. from what app it was exported, from what location on the device it was sent, if any sensitive content was found in it, etc.).
    • For such files, data classification works as usual and to its full extent.
    • When Safetica Cloud Protection recognizes such a classified file, it applies the appropriate policies linked to the classification.
  2. Files that were changed or created in the cloud or transferred to the cloud from a device without Safetica Client:
    • For such files, Safetica Cloud Protection relies only on Existing classification.
    • If a file was previously classified by a tool that added classification identifiers into it (e.g. Microsoft MIP, Boldon James, or Tukan GREENmod), these identifiers will persist even when the file is transferred into the cloud, changed in the cloud, or has never been on a device with Safetica Client.
    • When Safetica Cloud Protection recognizes a file with such an Existing classification identifier, it will apply the appropriate policies linked to the data classification.