Microsoft’s Cloud App Security (CAS) is a new product feature that comes with Microsoft’s Enterprise Mobility + Security E5 line of products. The solution is a cloud-based application model built on Azure Active Directory but can also be used independently, although the dataset will not be as rich.
The idea is for customers to gain deep insight into what apps their end-users are consuming, identify data drift and leakage, “sanction” or “unsanction” applications, and even generate a block script to block those unsanctioned apps at the firewall level. There are two paths to gathering this data: firewall logs and Connected apps.
You can discover information by manually importing firewall logs or by setting up a connector VM that gathers the logs and uploads them to the CAS for you. This is not much different from technologies offered by the firewall providers themselves and, in many cases, will not provide as quick a reaction as you’d receive from those vendor-provided solutions. The connector, by default, uploads logs from the firewall every 20 minutes and imports those into the CAS.
What I believe sets Cloud App Security apart from the firewall provider solutions is that it integrates with Connected apps. A Connected app is an application where CAS leverages APIs provided by the cloud provider. Each provider has its own framework and limitations, so the functionality for each may depend on how much the provider has extended the API.
There are currently few Connected apps that CAS supports, but I’ve found that the biggest bang for your buck will be the Office 365 suite of applications. This allows the CAS to see usage of the standard suite of Office apps and your Azure AD connected users.
With the data gathered from the Connected apps, you can see information on File usage, owner information, app name, Collaborators, and more. You will be able to tell who is accessing what files and who those files have been shared with. You can drill down on particular user activity and see all of the apps and traffic volumes for their particular usage.
The Cloud Discovery Dashboard provides a rich view of information from a graphical perspective including dashboard items like App Categories which highlight usage based on categories such as CRM, Collaboration, Accounting, Storage apps, and more. Other items on the dashboard show top discovered apps, top users, and even a geographical map of usage based on where the apps are being used.
Through alerts you may be made aware of Risky IP addresses, Mass downloads, New Cloud app usage, and more. If a particular user is a concern, you even have the ability to suspend usage of a particular connected app for a particular user. This adds a layer of security that a standard firewall report may not provide – especially if the user roams to another location off-premises where your firewall is not present.
Using the policies feature, I can set an alert, notify the user and CC their manager, or even suspend the user based on the several configuration policies that are available to me via the console. This allows me to mitigate threats as they happen instead of waiting for a review of alerts or logs, possibly days or even weeks after the events occurred.
To summarize Microsoft’s Cloud App Security, I would have to say that they are opening the door to rich integration with cloud-based apps and providing another avenue to secure your corporate data. With the deep integration of Office 365, those that have the E5 licensing should definitely take advantage of this product. Even those who are interested but not licensed can subscribe for a trial version and use the firewall discovery solution to get an immediate view of what’s being used internally. This will allow your organization to have that much-needed discussion on BYOD and the security risks that ultimately partner with an open-door policy.
If set up properly, adding Cloud App Security to your environment can greatly increase the level of security your organization has regarding the mobility of your data and users!
For more information, review the following useful links: