This post is authored by @Boris_Kacevich
For most customers, cloud apps run the workplace. While we see an average of 129 IT-managed applications, Discovery data from our Cloud Access Security Broker (CASB) shows that the total number of apps accessed by employees in large organizations often exceeds 1,000.
Now, let’s think back to 1985. Windows 1.0 launched and provided the ability to display content in different spaces at the same time, a revolution in the OS space at the time. Fast forward back to 2019 and today the average employee switches between 35 job-critical applications more than 1,100 times every day. Sound like a lot? Take a look at how many cloud applications are open in your browser right now while you are reading this blog.
There is no debate today that our working environment and the tools we use in order to maintain our productivity continue to change rapidly. As the cloud transformation continues, it enables organizations to optimize their employee productivity by giving them the ability to choose the tools that are right for them across apps, devices and more.
But this flexibility and power of choice comes with great responsibility. The freedom to use any cloud app introduces a requirement to consider what you are doing with it and the risk you may bring to a business. According to LogicMonitor’s cloud report, 83% of business workloads will have migrated to the cloud by 2020, although most agree that the information is migrating much faster than this, while the security controls that are able to protect it lag behind. This is a clear risk as evidenced by the Box information leakage which was caused by insufficient control of the uploaded data.
But expecting users to take responsibility for this is simply not going to work and is not an option for most organizations. The right security controls need to be put in place to ensure that no sensitive information leaks out of the organization, even when flexibility is provided for the adoption of cloud apps.
To help you with this, we have compiled some general best practices to help protect your organization in this world of flexibility:
- Set up single sign-on for adopted apps in your organization to enable a better authentication experience for users and enforce appropriate elevated assessments with conditional access and MFA
- Minimize and control permission scopes given to users and OAuth apps being used in your organization to limit the potential impact of a breach
- Control the information being upload to cloud services – limit the type of documents being uploaded, classify uploaded documents and encrypt them when required
- Limit external sharing permissions by enabling controls for things like the creation of public links or sharing with external users
- Leverage cross service UEBA capabilities to detect potentially compromised accounts or insider threats
- Manage ALL users and devices, do not allow unmanaged guest users or un-monitored usage from un-managed devices.
- Monitor and control all your environments continuously, do not rely only on periodic reports and audits. Detecting policy violations in real time or near real time minimizes the risk for a wide exposure.
As Microsoft Cloud App Security became a leading CASB in the market, we took the approach of protecting all cloud apps, not just our own, recognizing that this was the correct set of outcomes for customers. It is important that as a multi-mode CASB, we provide rich visibility, control over data, and sophisticated analytics to identify and combat cyberthreats across ALL your cloud services.
So let’s beyond the realm of theory and bring this to life by exploring a few scenarios.
Protect your sensitive information
According to Varonis more than 30% of companies have more than 1000 sensitive folders which are accessible by everyone. Microsoft Cloud App Security enables granular control and DLP capabilities over the content shared on leading apps like G Suite, Box, Dropbox and Salesforce, protecting sensitive client information on platforms like ServiceNow, making sure there are no S3 AWS buckets left open and exposed to the wide world and preventing users from sharing sensitive files with external users in Webex chat rooms. Information exposure control via a unified labeling mechanism is also available for non-MSFT apps like G Suite and Box via a native integration with Microsoft Azure Information Protection.
Protect against insider threats and anomalous behaviors
According to the Insider Threat Report 2018, 90% of organizations feel vulnerable to insider threat attacks, whether they are malicious, accidental or due to compromised accounts. Microsoft Cloud App Security provides advanced UEBA capabilities to detect anomalous behaviors by users, detecting abuse of privileged accounts or performing activities from an unusual location, client or device. The native integration with Azure Active Directory enables further enrichment of user identity and improves detection capabilities across used non-MSFT apps. These detection capabilities are enabled out of the box for apps like Salesforce, ServiceNow, G Suite, Google Cloud Platform, Box, Dropbox, Okta and WebEx teams.
Protect against threats, malware and ransomware
Microsoft Cloud App Security utilizes the MSFT security eco-system and deep integration with the Intelligent security graph to provide wide coverage of potential threats from Tor-based access, to potential Ransomware and Malware attacks back to potentially leaked credentials. The protection is available across all connected services that are available in Microsoft Cloud App Security.
Gain investigation capabilities into complex environments
In today’s complex environments, whether it is the usage of multiple cloud apps or the use of a one with complex structure like Salesforce it is not enough to have periodic audits on per app basis. To get the broader picture, stay up to date and be able to control incidents across your entire environment it is critical to have full visibility of what is happening across all of the apps in your environment. The ability to control the activities, set clear policies and automate the process is crucial to maintain a secure and controlled workplace. Microsoft Cloud App Security enables a cross app unified policy and investigation capabilities to get clear visibility and control over user activities in the connected apps.
Get real-time controls for user access and sessions from managed and un-managed devices
Microsoft Cloud App Security enables granular access and session controls for all governed users in the system. Controlling risky access and session enables admins to limit app access, block downloads and restrict activities like copy/paste in web-based cloud apps. Microsoft Cloud App Security also enables to control the access and session from unmanaged devices while the user tries to access enterprise managed apps. These controls are enabled for more than 25 leading SaaS apps like Box, Concur, GitHub, G Suite, Confluence, Salesforce, Slack, Workday and also available for any cloud web-based app using SAML and SSO.
Protect against malicious OAuth apps in leading SaaS platforms
Microsoft Cloud App Security enables IT to gain an overview of authorized applications across their cloud services Office 365, Salesforce and G-Suite. The capabilities allow them to continuously monitor new app permissions and provides controls to prevent and remediate malicious OAuth apps from gaining access to the corporate data.
Going beyond the top Cloud apps we can recognize a large amount of growing productivity, Finance, HR and CRM apps like Workplace by Facebook, SAP Concur, Citrix Sharefile, Atlassian Confluence and Zoom that are being adopted by organizations or more specifically by the users in these organizations.
Being able to scale protection and align with the growth of this eco-system is one of Microsoft Cloud App Security’ top missions in the upcoming future.
@Adam Hall on behalf of the entire MCAS team