Digital transformation has revolutionized the way organizations operate, improved their productivity, enabled greater collaboration and enhanced business workflows with state-of-the-art technologies like AI. Digital transformation has also created new threats of business data leakage, as well as new regulations such as the European Union’s new General Data Protection Regulation (GDPR) governing how organizations should store and protect sensitive business data. More than ever before, data protection is top of mind for many central IT teams.
Power BI adoption by large enterprises is growing very fast. To reduce the risk of data leakage, up until now some organizations have chosen to block export from Power BI and/or limit user access to sensitive data, at the expense of productivity. Others have chosen just to rely on their employees following the organization’s data protection guidelines, in order to maintain high productivity. Both options require IT teams to make a compromise between data protection and productivity.
Over the past six months, the Power BI team has worked closely with the Microsoft Information Protection and Cloud App Security teams to provide a solution that will enable Power BI customers to have their data protected while maintaining high productivity.
It is now possible to:
1. Classify and label sensitive Power BI data using the familiar Microsoft Information Protection sensitivity labels used in Office.
2. Enforce governance policies even when Power BI content is exported to Excel, PowerPoint, or PDF, to help ensure data is protected even when it leaves Power BI.
3. Monitor and protect user activity on sensitive data in real-time with alerts, session monitoring, and risk remediation using Microsoft Cloud App Security.
4. Empower security administrators who use data protection reports and security investigation capabilities with Microsoft Cloud App Security to enhance organizational oversight.
Sensitivity labels in Power BI
A sensitivity label is a tag that you can apply to Power BI datasets, reports, dashboards and dataflows. It is:
1. Customizable to the organization's needs – By defining sensitivity labels, organizations can create categories for different levels of sensitive content, such as Personal, Public, General, Confidential, and Highly Confidential.
2. Easily visible – It’s easy for content creators to apply sensitivity labels as part of the content creation flow. Once the label has been applied, any consumer that interacts with the content can see the content’s sensitivity.
3. Persistent – After a sensitivity label has been applied to content in Power BI, it persists: both the label and the protection are applied when the content is exported to Excel, PowerPoint, and PDF.
The beauty of this new capability is that these are the same sensitivity labels often used by organizations to classify, label and protect Office 365 files such as Excel, PowerPoint, Word, and Outlook emails.
Once a sensitivity label is applied to a report, Power BI extends applicable protection policies to that report data when it is exported from Power BI to Excel, PowerPoint and PDF files.
For example, if the sensitivity label on a report has a file protection policy, then when data is exported from this report to an Excel file, authorized users will be able to view the file, whereas the file is protected against access by unauthorized users.
Microsoft Cloud App Security is one of the world’s leading cloud access security brokers used to secure the use of cloud apps. It enables organizations to monitor and control, in real-time, risky Power BI sessions such as user access from unmanaged devices. Security administrators can define policies to control user actions, such as downloading reports with sensitive information.
For example, if a user connects to Power BI from an unmanaged device, the session can be monitored by Microsoft Cloud App Security’s real-time controls, and risky actions, such as downloading data that has the “Highly Confidential” sensitivity label applied to it, can be blocked in real-time.
Additionally, with Microsoft Cloud App Security, administrators have real-time visibility and control over Power BI user activities concerning data that has sensitivity labels. This visibility and control include security alerts for Power BI service activities such as mass or suspicious report sharing (preview).