Matt Soseman, Senior Security Architect, One Commercial Partner @ Microsoft
As an IT professional of 20 years, I can recall the days of supporting line of business applications hosted in a corporate datacenter, behind a firewall, where IT had complete control. As Software as a Service (SaaS) started becoming the new modern line of business apps, a new challenge presented itself – the infrastructure behind that app is outside IT’s control. Not having controls to govern access (nor the data) in the app posed significant risks to the organization, not to mention a lack of visibility into the compliance and security posture of the app.
Fast forward to present day, SaaS apps are mission critical components to successful operations for an organization – cloud storage, online meetings, customer relationship management, inventory control, payroll and so much more. SaaS provides the organization with the modern technology to meet business needs, without a large infrastructure investment. However, SaaS needs to be trusted by the IT department and be carefully considered as part of a security and compliance strategy.
Matt’s Insight: As I am sure you would agree, reality looks something like:
Business: “I want my SaaS apps now!”
IT: “What do you need me to support? Do you have funding and staffing? Will this app touch security, compliance, is governance needed, etc.?”
Business: “I am already using SaaS apps, and you don’t know I am using them”
More SaaS Apps, More SaaS Problems:
As SaaS becomes more popular and the business is setting expectations of usage, from an IT perspective SaaS presents many challenges. Some of the common challenges that often come up are:
How does your organization discover SaaS apps:
- Discover new and existing SaaS apps in my environment?
- Determine which apps can be used, and which can be blocked?
- Evaluate the security and compliance risks of the app?
- Identify who is using the apps and how much is used?
- Get notified when new apps are discovered?
- Get notified when an app has a public data breach?
How does your organization block SaaS apps:
- Block SaaS apps I do not want users to access?
- Ensure the block is occurring at not only the firewall layer, but also the client layer?
How does your organization approve and provision access to SaaS apps:
- Approve new/existing SaaS apps to be used?
- Consider an automated workflow?
- Provision access to approved apps?
- Remove access to approved apps?
- Govern access to the app?
- Ensure access encompasses Multi-Factor Authentication and Single Sign On?
- Require/verify the app is only accessed only from a managed device?
Data Loss Prevention:
- Block downloads of sensitive data?
- Block uploads of sensitive data?
- Control the types of data in specific activities? (i.e. printing, instant messaging, copy/paste, etc)
- See if data is being shared externally?
- Monitor for abnormal activities?
- Scan all the data in the app and discover sensitive data, and apply appropriate controls?
Matt’s Insight: The priority is to always strike a balance between productivity and security. There are so many more challenges that come up with SaaS app usage than what is listed above. It starts with gaining visibility to the apps, then using those insights to build a strategy on how to block/govern/control the apps. As I am sure you will agree, this is a journey and not a destination.
How can a Cloud Access Security Broker help?
When I think about how to use a CASB, it comes down to the outcome I am trying to drive. I need to clearly understand what I am trying to accomplish, why it needs to be done and the business outcome it will drive. I cannot stress enough understanding the why as a critical component of your decision-making process: ask yourself if the SaaS app is truly a requirement or a ‘nice to have.’ This helps to ensure it is being used for the right reasons – ultimately helping to transform the business with users who are more productive with proper security in place.
One approach is to address these concerns with each SaaS app individually using the app’s administrative controls. However, the problem with this approach is that SaaS apps are not always centrally managed. This is critical to centralize alerting, activity visibility, common policy, dashboards/reporting, and more. This is where a Cloud Access Security Broker (CASB) comes in. The CASB offers many capabilities to help you address challenges such as:
- Discover new and existing SaaS apps in the environment.
- Identify security and compliance risk for discovered SaaS apps.
- Provide visibility and governance to all user/admin activity within SaaS apps.
- Apply policy controls to govern how an app is accessed and how data in an app can be used (i.e., Data Loss Prevention).
- Robust reporting on SaaS app usage.
- Alerting on policy violations.
- Anomalous behavior detection and mitigation.
- Real-time session controls.
- And more!
Another way to get ideas for how a CASB can be used is to review some common use cases, for example from Microsoft’s Top 20 CASB Use Cases:
1) Discover all cloud apps and services used in your organization
2) Assess the risk and compliance of your cloud apps
3) Govern discovered cloud apps and explore enterprise-ready alternatives
4) Enable continuous monitoring to automatically detect new and risky cloud apps
5) Detect when data is being exfiltrated from your corporate apps
6) Discover OAuth apps that have access to your environment
7) Gain visibility into corporate data stored in the cloud
8) Enforce DLP and compliance policies for sensitive data stored in your cloud apps
9) Ensure safe collaboration and data sharing practices in the cloud
10) Protect your data when it’s downloaded to unmanaged devices
11) Enforce adaptive session controls to manage user actions in real-time
12) Record an audit trail for all user activities across hybrid environments
13) Identify compromised user accounts
14) Detect threats from users inside your organization
15) Detect threats from privileged accounts
16) Identify and revoke access to risky OAuth apps
17) Detect and remediate malware in your cloud apps
18) Audit the configuration of your IaaS environments
19) Monitor user activities to protect against threats in your IaaS environments
20) Capture user activities within custom cloud and on-premises apps
Matt’s Insight: When looking to add a CASB to my toolbox, understanding what business challenges and security objectives I need to meet is critical. Bringing in a subject matter expert from a Microsoft Partner can help me build that business justification by identifying the why and the outcome I need to achieve. It can be helpful to bring in someone who has done this for organizations like mine and who can bring new insights that perhaps I have not thought of. That experience is invaluable and can help me build the business case and a plan of action.
How does a Cloud App Security Broker Work?
For this, I am going to reference Microsoft’s CASB – Microsoft Cloud App Security (MCAS). The following diagram is a high-level architecture of MCAS to use as a reference in this section:
Microsoft Cloud App Security supports various deployment modes including log collection, API connectors, and reverse proxies. It provides rich visibility, control over data travel, and analytics to identify and combat cyberthreats across your Microsoft and third-party cloud services. Yes, I wrote third-party cloud services (read on)!
I am often asked if MCAS requires a client-side proxy agent to be installed on the user’s device. The answer is no, it does not; the proxy capability with session control is achieved through identity and Single Sign On (supporting both Azure Active Directory and 3rd party identity providers). This flexibility allows governance and protection for users accessing SaaS apps from either a corporate or Bring Your Own Device (BYOD).
If I were to summarize the capabilities of MCAS, it would come down to five main pillars:
1) Shadow IT discovery and control
2) Information Protection
3) Secure Access
4) Threat Protection
5) Cloud Security Posture Management
Matt’s Insight: Microsoft Cloud App Security is a multi-purpose tool, with many capabilities that we will get deeper into with each blog. Afterall, that is the intent of the MCAS Ninja Blog Series, to dive deep into everything MCAS! A key feature is that it does not require a client-side agent making deployment simpler and transparent to end-users. If you are a Microsoft Partner, start thinking about how MCAS can be used with your clients to help them be successful with their SaaS apps. For customers, begin thinking about prioritizing the pillars mentioned above and focus on it within MCAS to start.
Wrap Up & Conclusion:
As you can see, a Cloud Access Security Broker wears many hats to perform jobs that help manage SaaS app usage in your organization. I see the CASB as a core solution to enable secure remote work and key to digital transformation. CASBs allows organizations to use the SaaS apps they need while enabling IT to provide the security (and in some cases even compliance) they require.
How are you using a CASB in your organization? What use cases do you find valuable? Let me know in the comments below as I am anxious to hear your insights. More blog posts are on the way in the MCAS Ninja series. The next blog post will focus entirely on architecture and design of Microsoft Cloud App Security.
I am honored to have you on this journey with me, see you soon!
P.S. Stay up to date on all the MCAS Ninja training at http://aka.ms/MCASNinja