A changing culture of work is driving a rapid increase in cloud app usage by employees. According to our own telemetry, the average organization has more than 25 different cloud storage apps and more than 40 collaboration apps routinely used by its employees. With this fast transition to cloud app usage, helping you protect your corporate data is a top priority for the Microsoft Cloud App Security team.
Earlier this week at Ignite, Microsoft announced new Microsoft 365 Security capabilities – including important enhancements to and new integrations with Microsoft Cloud App Security. In this blog, I will provide you a more detailed understanding of these capabilities.
Control and limit access to cloud apps with proxy
With the rising number of cybersecurity attacks, our first objective is to protect your organization right at the front door. Our approach in Microsoft Enterprise Mobility + Security (EMS) starts with a strong conditional access and modern authentication strategy. With Azure Active Directory conditional access, criteria such as user identity, device health, location and sign-in risk derived from Microsoft’s Intelligent Security Graph are applied to help you secure access.
As showcased in the Ignite keynote sessions, we’re extending these conditional access capabilities to monitor user sessions and control content access and downloads directly inside SaaS apps, through a unique integration between Microsoft Cloud App Security and Azure AD conditional access. So, what does this mean? As explained in the Microsoft defense-in-depth whitepaper, Cloud App Security acts “like a security escort” between cloud apps and users. For example, you can allow browser-based access to a cloud app from an unmanaged device or an unfamiliar location while blocking the download of sensitive documents from within the application.
This exciting new capability will be released for Public Preview in October 2017.
How does this work?
Controlling and limiting access to cloud apps ties together the capabilities of Azure AD conditional access with the Cloud App Security proxy. In-session controls are created through the integration of conditional access policies and the Cloud App Security proxy session policies. When a conditional access control is triggered, Azure AD will redirect the user to the Cloud App Security proxy. At this point, the proxy session policies are evaluated, and a user’s session is monitored or controlled. Let’s explore each step of the process.
Step 1. To control and limit access to cloud apps, we start with an Azure AD conditional access policy. These policies employ both conditions and controls. Conditions define who the policy applies to (users and groups), what they are accessing (cloud apps), and under which circumstances (device state, location, sign-in risk). When the conditions are met, the policy applies its controls. Session controls (as seen in the screenshot below) help you control and limit access inside the application.
[Screenshot: Azure Active Directory conditional access policy]
What happens after this conditional access policy is built? For every sign-in, Azure AD checks whether a conditional access policy applies. When the proxy restriction for cloud apps is selected in a matching policy, Azure AD redirects the user and sends the specific user and context information to the Cloud App Security proxy.
Step 2. Azure AD conditional access policies and the Cloud App Security proxy session policies work together to perform real-time monitoring and control. The proxy performs a second evaluation of the user against the session policies set in the Cloud App Security portal, where conditions such as device state or user location can be evaluated. If a policy is relevant, the user session is routed through the Cloud App Security proxy, where each user action can be monitored and controlled. At this point, Cloud App Security can block the download of a sensitive document, or scan, label, and enforce protection on a file even if it was not protected in the first place. User actions and session analytics can then be reviewed in the Cloud App Security activity log and discovery dashboard.
[Screenshot: Microsoft Cloud App Security proxy – session policy settings]
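The two steps above are easier to reason about as a decision chain: Azure AD evaluates its conditions first and either blocks the sign-in, lets it go straight to the app, or hands the session to the proxy; only a proxied session has its individual actions (browse, download) checked against session policies. The following is an added illustration of that chain, not Microsoft's code. The policy fields, the three sign-ins, the label names and the "block beats protect beats monitor" precedence are constructed assumptions for this model, chosen to reproduce the example from the text: an unmanaged device may browse and download a "General" file, but its download of a "Confidential" file is blocked.

```python
"""Model of the two-step flow: Azure AD conditional access decides whether a
sign-in is blocked, allowed directly, or handed to the Cloud App Security proxy;
the proxy's session policies then decide what each in-session action may do.
Added illustration with constructed policies and sign-ins; not Microsoft's code."""
from dataclasses import dataclass
from typing import Optional, Tuple

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}   # sign-in risk levels

@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    device_compliant: bool   # device health as Azure AD sees it
    location: str            # "corp_network" or "unfamiliar"
    sign_in_risk: str        # none/low/medium/high, as reported by Azure AD

@dataclass
class CAPolicy:
    """Azure AD conditional access policy: conditions plus grant/session controls."""
    name: str
    apps: frozenset
    unmanaged_device_only: bool = False   # condition: only non-compliant devices
    min_sign_in_risk: str = "none"        # condition: risk at or above this level
    grant: str = "allow"                  # "allow" or "block"
    route_to_proxy: bool = False          # session control: hand the session to the proxy

    def matches(self, s: SignIn) -> bool:
        return (s.app in self.apps
                and (not self.unmanaged_device_only or not s.device_compliant)
                and RISK[s.sign_in_risk] >= RISK[self.min_sign_in_risk])

def conditional_access(s: SignIn, policies) -> Tuple[str, bool]:
    """Step 1. All matching policies apply; one block wins, otherwise the sign-in
    is allowed and proxied if any matching policy asks for it."""
    matched = [p for p in policies if p.matches(s)]
    if any(p.grant == "block" for p in matched):
        return "block", False
    return "allow", any(p.route_to_proxy for p in matched)

@dataclass
class SessionPolicy:
    """Cloud App Security proxy session policy: activity filters plus an action."""
    name: str
    activity: str                         # e.g. "download"
    unmanaged_device_only: bool = False   # filter: device state, re-evaluated by the proxy
    labels: Optional[frozenset] = None    # filter: AIP labels the file carries
    action: str = "monitor"               # "monitor", "protect" or "block"

    def matches(self, s: SignIn, act: dict) -> bool:
        if act["type"] != self.activity:
            return False
        if self.unmanaged_device_only and s.device_compliant:
            return False
        return self.labels is None or act.get("label") in self.labels

def proxy_session(s: SignIn, actions, session_policies):
    """Step 2. Each action is checked in-line; block beats protect beats monitor
    (assumed precedence). Returns per-action outcomes and activity-log entries."""
    rank = {"block": 3, "protect": 2, "monitor": 1}
    outcomes, log = [], []
    for act in actions:
        hits = [p for p in session_policies if p.matches(s, act)]
        outcome = max((p.action for p in hits), key=rank.get, default="allowed")
        outcomes.append(outcome)
        log.append({"user": s.user, "activity": act["type"], "file": act.get("name"),
                    "outcome": outcome, "policies": [p.name for p in hits]})
    return outcomes, log

def escort(s: SignIn, actions, ca_policies, session_policies):
    """Front door first; the proxy sees the session only if Azure AD routed it there."""
    grant, proxied = conditional_access(s, ca_policies)
    if grant == "block":
        return "blocked_at_sign_in", [], []
    if not proxied:
        return "direct", ["allowed"] * len(actions), []   # nothing inspected in-line
    outcomes, log = proxy_session(s, actions, session_policies)
    return "proxied", outcomes, log

APPS = frozenset({"SharePoint Online", "Salesforce"})
CA_POLICIES = [  # constructed policies
    CAPolicy("Block high-risk sign-ins", APPS, min_sign_in_risk="high", grant="block"),
    CAPolicy("Proxy unmanaged devices", APPS, unmanaged_device_only=True, route_to_proxy=True),
]
SESSION_POLICIES = [
    SessionPolicy("Monitor downloads", "download"),
    SessionPolicy("Block sensitive downloads on unmanaged devices", "download",
                  unmanaged_device_only=True, action="block",
                  labels=frozenset({"Confidential", "Highly Confidential"})),
]
ACTIONS = [  # constructed browser session
    {"type": "browse", "name": None},
    {"type": "download", "name": "roadmap.docx", "label": "General"},
    {"type": "download", "name": "term-sheet.docx", "label": "Confidential"},
]

def run_examples():
    """Three sign-ins to the same app with different context."""
    signins = {
        "alice": SignIn("alice", "SharePoint Online", False, "unfamiliar", "low"),
        "bob": SignIn("bob", "SharePoint Online", True, "corp_network", "none"),
        "carol": SignIn("carol", "SharePoint Online", False, "unfamiliar", "high"),
    }
    return {u: escort(s, ACTIONS, CA_POLICIES, SESSION_POLICIES) for u, s in signins.items()}
```

The point the model makes explicit is that Bob's compliant-device session never reaches the proxy, so nothing in it is inspected in-line: if you also want downloads from managed devices monitored, the conditional access policy has to route those sessions to the proxy as well, because session policies can only act on traffic Azure AD has redirected to them.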
The integration between Azure AD conditional access and the Cloud App Security proxy showcases our commitment to providing a holistic solution that allows users to be productive while protecting against data breaches and leaks in real time. This complements the existing conditional access integration between Azure AD and SharePoint and is another building block in the journey to secure productivity.
Enhanced information protection capabilities in Microsoft Cloud App Security
After safeguarding your resources at the front door, the next step is to protect data anywhere and prevent data loss. Today, data travels through many locations – across devices, apps, cloud services, and on-premises. It is important to build the protection into the file, so this protection stays with the data itself.
As Microsoft’s Information Protection solutions expand and develop, we take great strides in ensuring Cloud App Security integrates these advancements into our existing services.
Azure Information Protection (AIP) provides persistent data protection by classifying, labelling, and protecting sensitive files and emails. Labels are used to apply the classification to a document or email, such as “General” or “Confidential.” Additionally, AIP allows for encryption and authorization, ensuring users must successfully authenticate to access the material.
At Ignite 2016, we showcased how Cloud App Security can read files classified by AIP and set policies based on the file labels. Now, we’re integrating these solutions even more to enhance the protection of your data as it travels to cloud applications. Cloud App Security will scan and classify sensitive files in the cloud apps and automatically apply AIP labels for protection.
How does this work?
In the Cloud App Security portal, you can configure a file policy using:
- Filters to select conditions such as access level, classification label, specific collaborators, and parent folders
- Governance actions to automatically apply an AIP label with protection
[Screenshot: Microsoft Cloud App Security file policy – apply classification label]
These labels are configured in the Azure Information Protection portal, and protection is applied to any file type that supports native protection. This means that Word, PowerPoint, and Excel files protected by Cloud App Security through AIP open in Office apps on all platforms without requiring a plug-in or any additional settings. This capability will roll out in October 2017.
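A file policy is a filter over file metadata plus a governance action, so it behaves like a small DLP rule engine run over the app's file inventory. The following is an added illustration of that shape, not Cloud App Security's own logic. The file inventory, the policy, the label names and two behaviours are constructed assumptions for the model: the action is skipped for file types outside the Word/PowerPoint/Excel set the text names, and a file that already carries an equal or higher label is left alone rather than downgraded.

```python
"""Model of a Cloud App Security file policy: filters over cloud file metadata
plus a governance action that applies an Azure Information Protection label.
Added illustration with a constructed inventory; not Microsoft's code."""
from dataclasses import dataclass
from typing import Optional

LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}   # assumed label order
# Assumption for this model: native protection covers these Office formats only.
NATIVE_PROTECTION = {"docx", "xlsx", "pptx"}

@dataclass
class CloudFile:
    name: str
    access_level: str          # "private", "internal", "external" or "public"
    parent_folder: str
    collaborators: frozenset   # e-mail addresses with access
    label: Optional[str] = None
    protected: bool = False

@dataclass
class FilePolicy:
    name: str
    access_levels: frozenset                     # filter: sharing level
    parent_folder_prefix: Optional[str] = None   # filter: path under which to look
    collaborator_domain: Optional[str] = None    # filter: shared with this external domain
    apply_label: str = "Confidential"            # governance action

    def matches(self, f: CloudFile) -> bool:
        if f.access_level not in self.access_levels:
            return False
        if self.parent_folder_prefix and not f.parent_folder.startswith(self.parent_folder_prefix):
            return False
        if self.collaborator_domain and not any(
                c.endswith("@" + self.collaborator_domain) for c in f.collaborators):
            return False
        return True

def apply_label(f: CloudFile, label: str) -> str:
    """Governance action. Mutates the file and returns a log-friendly result."""
    ext = f.name.rsplit(".", 1)[-1].lower()
    if ext not in NATIVE_PROTECTION:
        return "skipped: no native protection for ." + ext
    if f.label is not None and LABEL_RANK[f.label] >= LABEL_RANK[label]:
        return "skipped: already labelled " + f.label   # never downgrade (assumed rule)
    f.label, f.protected = label, True
    return "labelled " + label

def run_policy(files, policy: FilePolicy):
    """Apply the governance action to every file the filters select."""
    return [(f.name, apply_label(f, policy.apply_label)) for f in files if policy.matches(f)]

def sample_inventory():
    """Constructed file inventory for one cloud storage app."""
    return [
        CloudFile("board-deck.pptx", "external", "/Finance/Board",
                  frozenset({"cfo@contoso.com", "auditor@partner.example"})),
        CloudFile("salary-bands.xlsx", "external", "/HR",
                  frozenset({"hr@contoso.com", "x@partner.example"}),
                  label="Highly Confidential", protected=True),
        CloudFile("lunch-menu.docx", "internal", "/Facilities", frozenset({"all@contoso.com"})),
        CloudFile("pipeline.sql", "external", "/Finance/Models", frozenset({"bi@partner.example"})),
        CloudFile("forecast.docx", "public", "/Finance/Models", frozenset(), label="General"),
    ]

FINANCE_POLICY = FilePolicy("Protect Finance files shared outside the tenant",
                            frozenset({"external", "public"}), parent_folder_prefix="/Finance")
PARTNER_POLICY = FilePolicy("Label anything shared with partner.example",
                            frozenset({"external"}), collaborator_domain="partner.example",
                            apply_label="Highly Confidential")
```

Running `run_policy(sample_inventory(), FINANCE_POLICY)` labels the board deck and the public forecast, reports the `.sql` file as skipped, and never touches the HR spreadsheet because it sits outside the folder filter; `PARTNER_POLICY` reaches the HR spreadsheet but leaves its existing "Highly Confidential" label in place.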
Applying AIP classification labels directly to files from Cloud App Security is an important step in the continuous evolution of Microsoft’s Information Protection capabilities. This helps you create policies seamlessly and enforce data protection across your security solutions.
The new and enhanced Cloud App Discovery experience in Azure AD
Shadow IT application use is an important security concern. Lack of Shadow IT visibility, knowledge, and control can increase your attack surface and leave you vulnerable. Visibility is the first key step for data protection – if you cannot see it, you cannot prevent it. For that reason, we developed a new and enhanced Azure AD Cloud App Discovery experience to provide deeper visibility into cloud app usage in your organization. This experience is powered by Microsoft Cloud App Security Discovery and is now available to all Azure AD Premium P1 and EMS E3 customers.
[Screenshot: New and enhanced Azure AD Cloud App Discovery]
How is the new Azure AD Cloud App Discovery different?
- Provides deeper visibility into cloud app usage: the new Cloud App Discovery in Azure AD discovers more than 15,000 cloud apps, leveraging the Microsoft Cloud App Security cloud app catalog.
- No agents required: This analysis does not require agents to be installed on user devices. Instead, discovery is performed based on log files imported from your firewalls and proxies. You can discover apps across all organizational network traffic, regardless of the device or operating system.
- Ongoing analytics and alerts: the new Cloud App Discovery in Azure AD provides detailed and ongoing analysis, as well as alerts when there is a new app in use. You can now gain more in-depth knowledge of cloud app usage in your organization, such as information on inbound and outbound traffic, and top users for discovered apps.
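Agentless discovery of this kind is, at its core, log aggregation: destinations in exported proxy or firewall logs are matched against an app catalog, traffic is summed per app and per user, and apps absent from the previous baseline raise an alert. The following is an added illustration of that pipeline, not the Cloud App Security Discovery engine. The log lines are a constructed generic CSV export (real uploads use each vendor's own format), and the four-entry catalog, the "heavy uploader" threshold and the risk-free categories are assumptions for the example.

```python
"""Agentless cloud app discovery in miniature: parse exported proxy/firewall
log lines, map destinations to an app catalog, and report per-app traffic,
top users and newly seen apps. Added example with constructed data; not
Microsoft's code."""
import csv
import io
from collections import defaultdict

# Constructed slice of an app catalog: domain -> (app name, category).
APP_CATALOG = {
    "dropbox.com": ("Dropbox", "cloud storage"),
    "wetransfer.com": ("WeTransfer", "cloud storage"),
    "slack.com": ("Slack", "collaboration"),
    "sharepoint.com": ("SharePoint Online", "cloud storage"),
}

# Constructed firewall export; bytes_out is what the user sent to the app.
SAMPLE_LOG = """timestamp,user,src_ip,dst_host,bytes_out,bytes_in
2017-09-26T08:01:12Z,alice,10.0.1.21,www.dropbox.com,1048576,4096
2017-09-26T08:03:40Z,bob,10.0.1.34,contoso.sharepoint.com,20480,3145728
2017-09-26T08:05:02Z,alice,10.0.1.21,app.slack.com,8192,65536
2017-09-26T08:09:55Z,carol,10.0.1.50,wetransfer.com,52428800,2048
2017-09-26T08:12:30Z,bob,10.0.1.34,www.dropbox.com,262144,1024
2017-09-26T08:15:01Z,dave,10.0.1.77,intranet.contoso.local,512,2048
"""

def lookup_app(host):
    """Match the longest catalog suffix, so app.slack.com resolves to slack.com."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOG:
            return APP_CATALOG[candidate]
    return None

def summarize(log_text):
    """Per-app totals: uploaded/downloaded bytes and bytes per user."""
    stats = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        hit = lookup_app(row["dst_host"])
        if hit is None:
            continue   # not a catalogued cloud app; leave for manual review
        app, category = hit
        s = stats.setdefault(app, {"category": category, "upload": 0,
                                   "download": 0, "users": defaultdict(int)})
        out, inn = int(row["bytes_out"]), int(row["bytes_in"])
        s["upload"] += out
        s["download"] += inn
        s["users"][row["user"]] += out + inn
    return stats

def top_users(stats, app, n=3):
    """Users generating the most traffic to one discovered app."""
    users = stats[app]["users"]
    return sorted(users, key=users.get, reverse=True)[:n]

def new_apps(stats, previously_seen):
    """Alert candidates: apps in today's logs that were not in the baseline."""
    return sorted(set(stats) - set(previously_seen))

def heavy_uploaders(stats, threshold_bytes):
    """Cloud storage apps receiving more than threshold_bytes: the exfiltration-shaped signal."""
    return sorted(app for app, s in stats.items()
                  if s["category"] == "cloud storage" and s["upload"] >= threshold_bytes)
```

The upload/download split is what makes the "inbound and outbound traffic" figures useful: a storage app with heavy downloads looks like normal consumption, while one with heavy uploads from a single user is the case worth a closer look. Because the matching is by destination hostname, the approach only sees what the proxy or firewall logs record; traffic that bypasses those devices, or that hides behind a CDN or shared hostname, is invisible to it.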
You can get started today by logging in to the new enhanced experience with your Azure AD credentials.
Detailed technical documentation for the conditional access integration with the Cloud App Security proxy and for the enhanced Azure Information Protection integration will be available on our documentation site at public preview. If you have any suggestions, questions or comments, please visit our Tech Community page and give us your feedback.