More organizations are moving their data out of their data centers and into the cloud, which complicates IT’s efforts to keep track of applications in use. With the new Microsoft Cloud App Security within Microsoft Azure, IT and security teams can step up application discovery and apply controls in line with existing security, privacy, and compliance policies.
Most enterprises rely on cloud applications, whether or not they are officially sanctioned. Shadow IT is pervasive, with employees signing up for SaaS applications on their own without first going through IT. According to Microsoft’s statistics, an employee uses 17 cloud applications on average, and an organization shares 13 percent of its files externally, of which a quarter are shared publicly. Business units do what they must to get the job done, but IT is left in the dark about what applications employees use and where corporate data is stored.
Security teams need deep visibility, strong controls, and threat protection for cloud applications. That’s where Cloud App Security, originally announced in February and now generally available, comes in. To use Cloud App Security, organizations will need a Microsoft Azure subscription, which supports Azure Rights Management (RMS), such as Office 365.
"Microsoft Cloud App Security brings the same level of visibility and control that IT departments have in their on-premises network to their SaaS applications, including apps like Box, Salesforce, ServiceNow, Ariba, and of course Office 365," Microsoft said.
Simply upload network logs from any supported egress network device, and Cloud App Security provides a detailed list of all the applications in use. Supported devices include firewalls and proxies from most major vendors, among them Blue Coat, Cisco, Zscaler, Fortigate, Palo Alto, Check Point, Websense, Juniper, and Microsoft’s own Forefront Threat Management Gateway. There is also a way to set up an automatic collector to upload logs and refresh the list of applications periodically.
More than app discovery alone
For application discovery to be useful, IT needs more than a list of applications in operation. Knowing who is using the application and from which device is necessary, as well as whether the application fits the organization's security, privacy, and compliance requirements. But there are thousands of cloud applications, and IT can’t always know the risk of running a given app.
When Cloud App Security generates a list of applications used on the network, it also attaches a risk score for each app, giving IT and security teams a starting point for risk assessment. The risk score is based on Microsoft’s cloud app catalog, which rates more than 13,000 cloud applications based on regulatory certifications, industry standards, and best practices. IT can then tweak the scores to reflect the organization’s needs. They can choose to sanction or unsanction applications based on the risk scores.
Organizations using Office 365 can see which other cloud services are running, how users are collaborating on documents, and how much data is uploaded to applications and services outside of Office 365. Cloud App Security powers Office 365 app permissions, which lets IT approve or revoke permissions of third-party applications trying to access Office 365 data.
Apply security policies to applications
Discovery is only the first step, since IT and security teams can’t simply know what is being used; they need to be able to secure the data within that application. Cloud App Security takes care of that by “connecting” to applications so that IT can investigate how the application is being used and apply controls.
For example, Microsoft said that 70 percent of organizations allow users to perform administrator tasks on the cloud applications from noncorporate and unsecured networks. IT can set policies to restrict who can perform cloud admin activities and from which devices. Microsoft said that more than 90 percent of organizations allow employees to use their personal accounts to access corporate cloud storage.
Microsoft noted that 75 percent of privileged cloud accounts aren’t being used. This suggests that some users have heightened privileges and are performing specialized tasks from their own accounts. If that user gets compromised, via a phishing attack or brute-forcing weak credentials, the attacker will be able to cause more damage.
App connectors rely on the cloud application’s APIs to query the cloud application for activity logs and pull that information into Cloud App Security for analysis. Once connected, an OAuth token is created and Cloud App Security can scan accounts and data stored in the service. IT will be able to create and enforce policies for data loss prevention, access management, file sharing controls, and more.
More data is moving to the cloud, a significant portion of it in unauthorized cloud applications. But that doesn’t mean they can’t be managed. Instead of trying to restrict access to the applications entirely, IT can use new tools to extend policies and controls to wherever the data is residing.