How to use shadow IT discovery in Microsoft Cloud App Security to help remote workers stay secure and save bandwidth.
With so many people working from home due to COVID-19, cloud applications have become the way to stay connected and get work done, whether that’s with Teams, Office 365, Salesforce, Zoom, virtual desktops – or something you’ve never heard of that an employee has found for themselves and started using. Even more than in an office, the proliferation of cloud apps can turn into a shadow IT security worry – and depending on how access to company data is set up, it might impact home internet bandwidth.
The cloud app discovery tools in Microsoft Cloud App Security (MCAS) are usually seen as a way to get shadow IT under control because they handle SaaS, IaaS and PaaS resources. But simply blocking a service that someone is using to get their job done will only drive them to try a different one. A better approach is to use MCAS to assess which apps are in use, set policies for what’s acceptable, and educate staff on alternatives. In combination with other tools like Microsoft Endpoint Manager, IT departments can prioritise productivity as well as security, improving staff experience as well as protecting data.
That’s the sort of approach Microsoft cybersecurity CVP Ann Johnson calls digital empathy: providing both strong security and a great user experience.
Forrester’s new report, The Total Economic Impact Of Microsoft Cloud App Security, suggests that the service pays for itself in three months, and shows just how many cloud apps are in use that IT teams know nothing about. Using logs from firewalls, secure web gateways and Security Information and Event Management (SIEM) solutions, as well as connectors and reverse-proxy integration with identity and access management tools, MCAS discovered more than 5,000 cloud apps in use at each of the four organisations in the study.
One medical device manufacturer found almost 9,000 cloud apps in use on its 50,000 devices – 1,600 of which it wanted to shut down straight away because MCAS showed that they don’t comply with regulations to which the company is subject. Ironically, knowing which cloud apps were compliant meant the company could actually move more data to cloud services than before, because it was confident about compliance, governance and the ability to audit data usage. Making the switch to cloud apps means that employees working from home aren’t limited by the VPN bandwidth to on-premises applications they’re now accessing remotely; many organisations have found that to be a bottleneck they couldn’t scale quickly during lockdown.
The companies in Forrester’s study also found they had 75% fewer security issues, and were discovering security issues much more quickly. Partly that’s because they get alerts for anomalies and suspicious behaviour on user accounts that have been compromised, like mass downloads, and for typical malware or ransomware activity. But it’s important just to know what you have, Joanna Harding, product marketing manager for Microsoft Cloud App Security, told TechRepublic. “You can’t reduce time to remediate if you don’t know what you have in your environment.”
Microsoft has been using the service to monitor cloud app usage on its own employee devices since 2017 (and no, the 156,000 Microsoft staff don’t only use Microsoft applications). Cloud apps that don’t meet company policies get blocked, while popular apps that do meet the standards are added to the Azure AD single sign-on list to make them easier to use. Microsoft also applies security controls to the apps (like enforcing least privilege so users aren’t using admin accounts everywhere) and monitors usage for anomalies that could mean an attacker has compromised an employee account.
Seeing all the signals in the same place makes it easier for security analysts in the Security Operations Center (SOC) to see not just the alerts that suspicious activity triggers, but also what other systems might have been affected, says Harding — who used to work in Microsoft’s SOC. Queries can also be customised so that behaviour which is normal for your employees in the current situation doesn’t trigger alerts – even if it might have counted as suspicious six months ago when staff weren’t working from home. That reduces false positives.
“When something happens that does get through the safety net and we end up getting an alert, then we can backtrack with MCAS and quickly see all of the places that particular entity or identity touched, and then write very accurate policies against that to prevent it from happening again. So what comes into the true positive queue really is a clean signal,” Harding explained. That means you can use the option in the dashboard to revoke a user token and force them to sign in again using MFA to block attackers without affecting the productivity of employees who are in the middle of actual work.
When it comes to moving users off the shadow IT cloud apps that you’re not comfortable with, you can make the experience more helpful than just blocking the app so employees can’t get into it, Harding pointed out.
“There are ways to customise the policy for a particular interaction. Let’s say an end user goes to click on an application that they’re using, and the security team has decided to close down that application. They can customise the policy to say in a splash screen ‘hey, we’re not using this application anymore, you can go here, you can use that application’; they can redirect their users in a very functional way to help them. There’s also a lot of user coaching that has been deployed recently within MCAS to help users understand what it is that they’re interacting with; that [an app] is blocked because it’s proxying a session, or what have you. There are lots of ways the user is impacted in a positive way.”
MCAS collects (anonymised) data about apps over time, including how much bandwidth they consume. This can be combined with the new Productivity and Network scores in Microsoft Endpoint Manager (available under Reports in the Microsoft 365 Admin Center for any location where you have computers running the OneDrive for Business sync client), which show how quickly devices boot and whether they have good connectivity to Office 365 resources like Exchange and Teams. You can then include coaching in the custom messages about cloud apps that consume a lot of network traffic, directing employees to the apps you’d prefer them to use that won’t put as much strain on their internet connection.
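The log-driven discovery described above (apps found from firewall and secure web gateway logs) and the bandwidth-based coaching, shown as an added example in Python that is not Microsoft’s or MCAS’s own code. The log lines, hostnames and the policy map are constructed for illustration; the review threshold is an assumption.

```python
# Added example (not MCAS code): a minimal shadow IT discovery pass over
# constructed secure-web-gateway log lines. Per cloud app it tallies distinct
# users and bytes transferred, then applies a hypothetical policy map to decide
# whether to allow, block with a coaching/redirect message, or flag for review.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines: "timestamp user method url bytes"
SAMPLE_LOG = """\
2020-05-04T09:01:02Z alice GET https://teams.microsoft.com/api/chat 52000
2020-05-04T09:02:10Z bob POST https://wetransfer-example.test/upload 81000000
2020-05-04T09:03:45Z alice GET https://zoom.us/j/123 240000
2020-05-04T09:05:00Z carol POST https://wetransfer-example.test/upload 45000000
2020-05-04T09:06:30Z bob GET https://unknown-notes.test/sync 12000
"""

# Hypothetical policy map (assumption, not the MCAS app catalogue): app -> (verdict, message)
POLICY = {
    "teams.microsoft.com": ("allow", ""),
    "zoom.us": ("allow", ""),
    "wetransfer-example.test": ("block", "Please use OneDrive for Business to share large files"),
}

def parse_line(line):
    """Split one gateway log line into the fields discovery needs."""
    _ts, user, _method, url, nbytes = line.split()
    return {"user": user, "app": urlparse(url).hostname, "bytes": int(nbytes)}

def discover(log_text):
    """Aggregate distinct users and total bytes per app hostname."""
    apps = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            apps[rec["app"]]["users"].add(rec["user"])
            apps[rec["app"]]["bytes"] += rec["bytes"]
    return apps

def assess(apps, policy, high_mb=50):
    """Attach a verdict and coaching message to each discovered app."""
    report = {}
    for app, stats in apps.items():
        verdict, msg = policy.get(app, ("review", "unsanctioned app, needs assessment"))
        mb = stats["bytes"] / 1_000_000
        if mb >= high_mb:  # flag heavy apps so the splash message can mention bandwidth
            msg = (msg + "; " if msg else "") + "high bandwidth consumer"
        report[app] = {"verdict": verdict, "users": len(stats["users"]), "mb": round(mb, 1), "message": msg}
    return report

if __name__ == "__main__":
    for app, r in sorted(assess(discover(SAMPLE_LOG), POLICY).items(), key=lambda kv: -kv[1]["mb"]):
        print(f"{app:26} {r['verdict']:6} users={r['users']} mb={r['mb']} {r['message']}")
```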