Microsoft Cloud App Security – A First Look

I’ve been eagerly awaiting the release of the Microsoft Cloud App Security service for quite some time.

The official Microsoft product page (http://www.cloudappsecurity.com) just became available today (6th April, 2016). I recommend that you treat this as a jump page to find out more about the service.

Although the term doesn’t appear on the product page, Cloud App Security is essentially a Cloud Access Security Broker (CASB) solution that came about through Microsoft’s purchase of Adallom in 2015. I’m not sure who first invented the term, but a vendor-neutral definition of a CASB is provided by Gartner¹ as follows:

“Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”

Cloud App Security Trial

If you want a trial of this service there are at least two ways to go about getting one:

  1. Ask your Microsoft partner to send you a trial
  2. Select the “Buy now” link from the official product page

Note: The standard trial is for 25 users and is valid for 30 days.

Once you have added the trial to your Azure subscription, perhaps the easiest way to access the service is via the Office 365 admin portal using the “Admin Center” called “Cloud App Security”. If you select this option, then a new window will open in your browser at the following location (https://portal.cloudappsecurity.com/).

[Figure 01: Cloud App Security Dashboard]

Playing around with the dashboard

My first impression, based on the dashboard, was that this service would be fairly simple to use with few configuration options. I still believe that Microsoft have done a good job regarding the ease of use, but the more I explored, the more configuration options I found! The following is a quick overview of what I accomplished in the first 15 minutes.

Step 1: Cloud Discovery

Microsoft recommends that you initially configure cloud discovery by uploading log files from devices such as a firewall or other gateway protection service. Some of the popular sources that are immediately available include CheckPoint, Cisco ASA Firewall, Squid, WebSense and the now discontinued Microsoft Threat Management Gateway (TMG) product. We are still using TMG at work, so I’m hoping to try this option out sometime in the future.

Since I didn’t have any log source immediately available, I skipped this step.

Step 2: Connect Apps

From the “Connect apps” link in the dashboard, you have the ability to monitor (sanction) about a dozen of the more common apps. Additional apps can be sanctioned from the “Cloud app catalog” which is provided with the service. The documentation says that there are currently more than 13,000 apps available in the catalog.

In a couple of minutes I had configured the following apps:

  • Exchange Online
  • Office 365

After I had added the above two apps, the dashboard included all the following:

[Figure 02: Selection of sanctioned apps]

Exchange Online App

To connect to the Exchange Online app, you need to configure access to a working Exchange Online mailbox. Microsoft recommends that you create a dedicated service account (i.e. a dedicated user in Office 365) for this purpose. Ideally, the service account has a very strong password so you can safely disable the option for password expiration.

Note: By disabling password expiration, you can avoid loss of monitoring, in case you forget to change the password before it expires. Usually, you only get warned about your password expiring when you login with that particular account; you wouldn’t usually have any reason to interactively login with a service account so it’s quite easy to forget to change the password.

I simply used the credentials of my global admin account.

Office 365 App

Connecting to the Office 365 app was a bit more detailed than the Exchange Online app. As shown in the following figure, I chose the “Standard Office 365 settings” option.

[Figure 03: Office 365 App 1]

After saving the settings, I then clicked on the link (shown as “follow this link” in the above figure) and had to agree to a lengthy list of changes.

[Figure 04: Office 365 App 2]

Advanced Office 365 settings (Branded URL)

I still haven’t worked out exactly what advantage this option provides or why it might be needed. The values shown were configured after I had already gone through the process of configuring the Standard Office 365 settings. You can then go back and edit the settings.

In this case, my trial tenant was called “contosocypruslab4.onmicrosoft.com”.

[Figure 05: Office 365 App - Advanced]

Step 3: Create Policies

Policies allow you to define the way you want your users to behave in the cloud. The types of policies that you can create are shown in the following figure:

By default, the service enables the following anomaly detection policies. Both can be modified to suit your needs.

  • Cloud Discovery anomaly detection: This policy is automatically enabled to alert you when anomalous behaviour is detected in discovered users, IP addresses and services, such as large amounts of uploaded data compared to other users, or large service transactions compared to the service’s history.
  • General anomaly detection: The pre-configured anomaly detection policy is applied to all activity in your environment to provide protection from anomalous login, access and account activities. Additional anomaly detection policies can be created that are focused on a specific scope of activity (e.g. specific users, groups and services). The number of alerts per week can be specified in the settings below. Alerts can be adjusted by excluding entities you would like to suppress.

Cloud App Security comes with several predefined policy templates that you can utilise or modify to suit your needs. You can also create policies with no predefined settings.

In my case, I created a couple of activity policies. Activity policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of a certain type of activity. I created the following based on the predefined policy templates:

  • Mass download by a single user: Alert when a single user performs more than 30 downloads within 5 minutes.
  • Administrative activity from a non-administrative IP address: Alert when an admin user performs an administrative activity from an IP address that is not included in a specific IP range category. You can set additional risky IP addresses by going to the Settings page, and selecting IP address ranges.
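To make the two activity policies above concrete, here is an added example (my own illustration, not code from Cloud App Security or from Microsoft) that applies the same detection logic to a constructed set of activity records: a sliding 5-minute window counting downloads per user, and a check of admin operations against a configured set of administrative IP ranges. The event format, the action names and the IP ranges are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample activity records (not real tenant data). Each record carries
# only what the two policies need: when, who, which action, from which IP, and
# whether the actor holds an admin role.
EVENTS = (
    [{"time": datetime(2016, 4, 6, 9, 0, s), "user": "alice", "action": "FileDownloaded",
      "ip": "203.0.113.10", "admin": False} for s in range(0, 60, 2)]   # 30 downloads in a minute
    + [{"time": datetime(2016, 4, 6, 9, 1, 5), "user": "alice", "action": "FileDownloaded",
        "ip": "203.0.113.10", "admin": False}]                          # 31st download -> alert
    + [{"time": datetime(2016, 4, 6, 10, 0, 0), "user": "bob", "action": "Add-MailboxPermission",
        "ip": "198.51.100.7", "admin": True},                           # admin op, inside admin range
       {"time": datetime(2016, 4, 6, 10, 5, 0), "user": "bob", "action": "Add-MailboxPermission",
        "ip": "192.0.2.44", "admin": True}]                             # admin op, outside admin range
)

def mass_download_alerts(events, threshold=30, window=timedelta(minutes=5)):
    """Return (user, time) for every download at which that user's downloads in the
    trailing window exceed `threshold` (the policy above: more than 30 in 5 minutes)."""
    alerts, recent = [], defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "FileDownloaded":
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # discard downloads older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((ev["user"], ev["time"]))
    return alerts

def admin_activity_off_range(events, admin_ranges):
    """Return admin-flagged events whose source IP falls outside every configured
    administrative IP range (`admin_ranges` are CIDR strings, constructed here)."""
    nets = [ipaddress.ip_network(r) for r in admin_ranges]
    return [ev for ev in events
            if ev["admin"] and not any(ipaddress.ip_address(ev["ip"]) in n for n in nets)]

if __name__ == "__main__":
    print(mass_download_alerts(EVENTS))
    print(admin_activity_off_range(EVENTS, ["198.51.100.0/24"]))
```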

Step 4: License Users

This involved allocating the Cloud App Security license to each user that I wanted to monitor and control.

A look at Cloud App Security in the Azure portal

I wanted to see if Cloud App Security had any component within Azure. In my Azure portal, I located the following reference to Cloud App Security within the Active Directory service:

[Figure 07: Cloud App Security in the Azure portal]

Closing Thoughts

Over the next few days I’m looking forward to exploring this new service in more detail. I’m hoping that Microsoft will make it available to partners so we can see it in action with some real data. Based on what I’ve seen so far, I’d already like to hold a couple of small workshops with some of our more security conscious customers and show them how this service can help to meet their security and compliance needs.

Sources

  1. Gartner IT Glossary – Cloud Access Security Brokers (CASBs). Retrieved 6th April, 2016. (http://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs)
