How to control activity between users and apps used by your company using Microsoft Defender for Cloud Apps
Security is a critical aspect for any company that is in the cloud. According to a study carried out by Microsoft, companies use an average of 17 cloud applications, sometimes with the knowledge of IT managers but often without their authorization (for example, Facebook, Gmail, Dropbox, etc.), exposing companies to unknown security risks and breaches of privacy policies. Faced with this situation, many IT managers ask themselves: How can we detect which cloud applications our users use as part of their activity? And then: How can we control the activity that these users carry out in these applications, given that it often involves sensitive data?
The solution: Microsoft Defender for Cloud Apps
What happens if a properly identified and authenticated employee does something wrong with your data? What if that employee is no longer loyal or acts under duress? Or what if your computer wasn't properly protected and malware was reading data on your behalf? This is where Microsoft Defender for Cloud Apps would step in.
What exactly does it offer you?
- Application detection: Monitor your network traffic in real time and detect the cloud applications in use, gain visibility into unauthorized ones and assess risk.
- Visibility of user activity in cloud applications: Through Cloud Discovery you can obtain detailed information on activities, users, traffic and files used in the cloud, as well as personalized per-user reports of cloud activity logs.
- Greater control and protection of your critical data: Control the use of your company's data through access and data sharing policies and data loss prevention (DLP). For example, your company may have a file policy enabled that alerts you when a user has shared a company document with an external domain.
- Intelligent protection: Cloud App Security is informed by millions of unique data points received from device signals across the Microsoft customer base to detect incidents and abnormal user behavior patterns that may be indicative of a security risk to your business.
- App risk assessment: Cloud App Security relies on information from millions of signals received from Microsoft customer devices to detect incidents and abnormal user behavior patterns that may be indicative of a security risk to your business.
- Integration with Azure AD: You can consolidate the various identifiers that Cloud App Security collects from a user when accessing different applications in the cloud and unify them with the user's identification name in your company's Active Directory. In this way you can control cloud activity more easily and also create personalized reports by groups of users or departments (this functionality requires a configuration in the company's firewall).
Powered by native integration with identity and security solutions like Azure Active Directory, Intune, and Azure Information Protection, you gain visibility into all your cloud apps and services by leveraging sophisticated analytics to identify and combat cyber threats and control how data is consumed, no matter where they reside.
Cloud App Security dashboards provide an overview of the activities and characteristics of the cloud applications that are being used and allow you to measure that use by the number of users, the volume of traffic or the IP addresses from which they are accessed. To help you investigate the applications in your environment, you can consult:
- Dashboard: Overview of cloud status (users, files, and activities), as well as required actions (alerts, activity violations, and content violations)
- Data: Analysis of the data stored in the application; breakdown by file type and by level of file sharing.
- Files: Detail of files, with the possibility to filter by owner, level of sharing, etc., as well as to carry out governance actions (such as quarantining).
- Third-party applications: Detail of the third-party applications deployed in the company, such as G Suite, and definition of policies for those applications.
- User: Complete overview of the user's cloud profile, including groups, locations, recent activities, related alerts, and browsers used.
From this tab you can carry out a detailed analysis of the applications used in the company and take action on the unwanted ones, either because they are considered risky or because they do not comply with the company's policies, by marking them as Unauthorized.
Once an application is marked as unauthorized, you can perform two types of actions on it:
- Do not prevent its use, but monitor that use more easily through Cloud Discovery reports.
- Prevent its use by blocking access to the application throughout the company (this function requires a specific configuration in the company's firewall).
Through this view you can connect applications and track the actions that are performed in them, such as:
- Consult the map of active users and monitoring in real time
- Control the actions that are carried out (data or documents)
- View the user accounts that use the application
- Enforce your policies.
Cloud App Security uses the APIs provided by cloud app providers to connect and gain control over them.
Policies to control applications
The actions employees carry out in applications can be managed and controlled through policies, and, where necessary, you can apply policies to mitigate the risks in your company. For example, through policies you can allow users to access certain applications in the cloud from the company, but prohibit them from downloading documents.
There are several types of policies that correlate to the different types of information you want to collect about your cloud environment and the types of corrective actions you want to take:
- Activity policy: Lets you monitor specific activities carried out by different users, or track unexpectedly high levels of a certain type of activity.
- Anomaly detection policy: Lets you look for unusual activity in the cloud and issue alerts when something deviates from the organization's baseline or from normal user activity.
- Application detection policy: Lets you set alerts that notify you when new applications are detected in use on the organization's network.
- Cloud Discovery anomaly detection policy: Examines company network traffic and looks for abnormal behavior, for example when a user who has never used Dropbox suddenly uploads 600 GB, or when there are many more transactions than usual in a certain application.
- File policy: Lets you scan cloud applications for specific files or file types (shared, shared with external domains) and data (proprietary information, personal information, credit card information, etc.), and apply the policies needed to comply with company regulations.
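The following is an added illustration, not part of the original article and not Microsoft's detection logic, of the ideas behind the application detection and Cloud Discovery anomaly detection policies: usage is learned from a baseline period, then new apps and large uploads by first-time users are flagged. The record format, the `ExampleShare` app name, the threshold and all sample data are assumptions constructed for the example.

```python
from collections import defaultdict

GB = 10**9

# Constructed traffic-log records (day, user, app, bytes uploaded); not real data.
SAMPLE_TRAFFIC = [
    ("2024-05-01", "alice", "Office 365", 2 * GB),
    ("2024-05-01", "bob", "Dropbox", 1 * GB),
    ("2024-05-02", "alice", "Office 365", 3 * GB),
    ("2024-05-02", "bob", "Dropbox", 2 * GB),
    ("2024-05-03", "carol", "Dropbox", 350 * GB),    # carol has never used Dropbox
    ("2024-05-03", "carol", "Dropbox", 250 * GB),
    ("2024-05-03", "bob", "Dropbox", 3 * GB),
    ("2024-05-03", "alice", "ExampleShare", 1 * GB),  # app never seen before
]


def discovery_alerts(records, baseline_end, upload_threshold=500 * GB):
    """Learn normal usage up to baseline_end, then flag deviations after it."""
    known_apps, known_pairs = set(), set()
    daily_upload = defaultdict(int)    # (day, user, app) -> bytes uploaded
    alerts = []
    for day, user, app, sent in sorted(records):
        if day <= baseline_end:        # learning period: record normal usage
            known_apps.add(app)
            known_pairs.add((user, app))
            continue
        if app not in known_apps:      # application detection: new app in the org
            alerts.append(("new_app", day, user, app))
            known_apps.add(app)
        if (user, app) not in known_pairs:
            daily_upload[(day, user, app)] += sent
    # Anomaly detection: a first-time user of an app uploads an unusual volume.
    for (day, user, app), total in sorted(daily_upload.items()):
        if total >= upload_threshold:
            alerts.append(("first_use_large_upload", day, user, app))
    return alerts


if __name__ == "__main__":
    for alert in discovery_alerts(SAMPLE_TRAFFIC, baseline_end="2024-05-02"):
        print(alert)
```
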
This view provides complete visibility into any suspicious activity or violation of established company policies by helping administrators determine the nature of the incident and the response required for each alert. Additionally, Cloud App Security alerts help you adapt policies or create new ones based on incidents. For example, if you receive an alert that a user in your company has logged in from Greenland, and no user in your organization has ever logged in from that location, you can create a policy that automatically suspends any account when access is attempted from that location.
Alert dashboard view showing suspicious activity and abnormal logins
Control in Azure
You can seamlessly monitor all Azure subscriptions and protect your environment through:
- Visibility of all the activities carried out through the portal.
- Ability to create custom policies to alert on unwanted behavior, as well as the ability to automatically protect against risky users by suspending them or requiring them to log in again.
- All activities in Azure are covered by the anomaly detection engine, which will automatically alert on any suspicious behavior in the Azure portal, such as abnormal logins, massive suspicious activity, and activity from a new country.
In recent months, Microsoft Cloud App Security has received interesting improvements. One that stands out is the ability to view which applications and services are running on Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) subscriptions, regardless of whether they are running on Azure, AWS, or Google Cloud.
Microsoft Cloud App Security and the GDPR
Thanks to the integration with Azure Information Protection (AIP), Cloud App Security can help your company with GDPR compliance by allowing you to apply AIP classification labels to files in the cloud to protect and identify them. With the integration you can:
- Apply classification labels as a governance action to files that match the policies.
- View all classified files in one central location.
- Conduct investigations based on classification level and quantify the exposure of sensitive information in cloud applications.
- Create policies to ensure that classified files are properly handled.
Cloud App Security licensing options
- Cloud App Discovery (Basic functionality): Provides information about which cloud applications not managed by you are being used in your company, with the aim of controlling shadow IT. This product comes integrated with Azure Active Directory Premium and Enterprise Mobility + Security E3.
- Office 365 Cloud App Security (Intermediate functionality): Includes threat detection based on user activity logs, detecting more than 750 Office 365 applications or applications with similar functionalities. This version comes integrated with Office 365 Enterprise E5.
- Microsoft Cloud App Security (Full functionality): The most complete solution that provides detailed visibility and threat protection of both Office 365 and SaaS applications, with a complete catalog of more than 16,000 applications in the cloud. It also allows labeling and classification thanks to the integration with Azure Information Protection. This version comes bundled with Enterprise Mobility + Security E5, Microsoft 365 E5, or as a standalone product.
With Cloud App Security you can reap the benefits of the cloud with confidence, while staying safe, secure, and compliant.
Do you want to know more about Microsoft Cloud App Security? Contact us!