Using Microsoft Cloud App Security to secure your data outside of Microsoft 365

Previously, we’ve covered information protection capabilities such as, sensitivity labelling and data loss prevention. These two solutions assist in meeting your data protection requirements, by classifying and protecting data throughout the document life cycle. However, they will only detect data that is inside the organisation. This includes all Microsoft 365 locations, including Teams, OneDrive, SharePoint and on-premise file servers.

What about the data that sits outside of these spaces, such as cloud-based CRM solutions like Salesforce or ServiceNow? By default, the information protection capabilities of Microsoft 365 won’t extend to data that already exists in these locations. Some of your most sensitive data is likely to reside here. As such, we really want to be classifying and protecting this data in the same way as in 365. Fortunately, we can leverage Microsoft Cloud App Security to do just that.

What is Microsoft Cloud App Security?

Microsoft Cloud App Security (MCAS) is a powerful, cloud-based security solution that performs three main duties. It detects and protects cloud apps, protects information within your connected cloud apps and detects anomalous user behaviour.

Detect and protect Cloud Apps

MCAS can be used to tackle something referred to as Shadow IT. This is the concept of staff using unsanctioned applications to complete a task. Collaboration tools are probably the most common example of Shadow IT. Products like DropBox, personal OneDrive accounts and Slack are regularly used by employees to share data inside and outside of your organisation. In most cases, these applications haven’t been sanctioned for use, by the business. This means that there’s no security or encryption in place for data residing in these locations. Data can quickly move from corporate to personal devices and it’s then out of your control.

MCAS is used to create a library of sanctioned applications and block all others.

Protect Information within Connected Apps

Using this capability, we can extend the protection available in 365, into our third-party cloud applications. As an example, by connecting our Salesforce tenant with MCAS, we can see the data that resides there. Getting that visibility means we can protect the data using sensitivity labels and classifications. Without MCAS, we’ve no control over the data. It can be downloaded to any device, providing the user can log in to the service. With MCAS, we can make decisions, such as preventing download of the data when on an untrusted device, or automatically marking it as confidential and adding watermarks. This allows all the capabilities we have within 365 to be extended to the connected application.

Detect anomalous user behaviour

Once MCAS is deployed and integrated with applications such as Microsoft Defender, on-premise Firewalls or web proxies, it has access to a wealth of information about users and their activities. This level of detail means it can establish ‘normal’ behaviour, on a per user basis. As such, when those behaviour patterns change, MCAS can automatically react accordingly. If a user suddenly attempts to log on from a location they have never been in before, MCAS can alert you to that fact. It can even go one step further and block access to that user, forcing a password reset. MCAS can also detect mass downloads by a single user; sharing with large numbers of external recipients; sign ins to malicious applications and many other activities.

 

 

 

How does it work?

With a focus on information protection, MCAS can communicate with your cloud applications, using connectors. These connectors allow MCAS to get full visibility of user and file activity, within an application. We then use a combination of Conditional Access and MCAS based policies, to protect the data.

You must first add the app to the Azure tenant and enable single sign on with Azure AD. For further information, explore our full information protection blog series. This will allow you to configure the app to automatically redirect users to the 365/Azure tenant for authentication, instead of using local credentials for the application. This configuration means that no one can log on to the app without first going through your 365 tenant and passing the relevant access policies. Some examples of these can include MFA, trusted locations and managed devices. It also means that you can now secure this application using MCAS.

With the above complete, you can use MCAS, to edit the connected application and apply policies. To extend our information protection policies to our cloud apps, you can create a real-time content inspection policy.

This policy will be triggered when someone tries to download a file from the connected app. Using the previously created sensitivity labels, you can tell MCAS to scan the content when someone tries to download it and determine if it is sensitive. It will use the existing sensitive information types to make this decision. If a match is found, you can either block the download or allow with automatic application of the sensitivity label, that matches the sensitive information type detected.

Examples of created policies could include blocking the download of .pdf files or applying a ‘confidential’ label to .docx files that contain credit card information, on an application such as Salesforce. In these instances, the user would experience the following process:

  • Where document download is blocked, a message will appear, on opening, to say the session is being monitored. This means the app is connected to MCAS. When an attempt is made to download the file, the user is informed that the operation is denied due to policy.
  • Where sensitivity labels are required, a user will be allowed to download the file. However, when opened in Microsoft Word, the confidential label will have been automatically applied. It cannot be removed and enforces a watermark, prohibiting sharing with external recipients.

This demonstrates the way in which labels and sensitive information types, configured in 365, are now being applied to, previously unprotected, third-party cloud apps.

Why do I need it?

Software as a Service (SaaS) apps have rapidly become the norm for businesses of all sizes. They allow for fast onboarding, can be scaled easily through per user subscriptions and remove the burden of managing complex infrastructure, on premise.

Unfortunately, SaaS apps don’t give you the same level of security and data protection as a 365 subscription. CRM systems can store a significant amount of information about your customers. Whilst we can enforce MFA to secure access to such applications, you can’t audit or prevent behaviours within them. This means none of the data is protected and we can’t prevent accidental or unlawful sharing.

MCAS can resolve this problem by applying Microsoft 365 Information Protect to these third-party applications. You’ll get visibility of the activity within each application, as well as automated threat detection and prevention It also provides a consistent information protection experience, regardless of where your data is stored.

How do I get it?

Microsoft Cloud App Security can be licensed as a standalone product or as part of several different licensing plans. These include Microsoft E5, Microsoft E5 Security, Microsoft E5 Compliance and Office 365 E5. The version available in Office 365 E5 is limited to protecting 365 applications and cannot be extended to third-party cloud apps, using connectors.

If you already have Microsoft 365 E3 or Enterprise and Mobility Suite E3, the recommended approach would be to purchase Cloud App Security standalone license. This will give you access to the full compliment of MCAS features without moving up to an E5 license.

If you would like clarification on your plan, the security features available or how best to implement them then reach out to one of our team, who will be happy to discuss the options.

How can LIMA help?

LIMA have developed a security assessment with modules dedicated to the exposure and awareness of shadow IT within your organisation. This is typically the first step in realising the value of MCAS. Once you get visibility into the sheer number of unsanctioned cloud apps being used in your organisation, coupled with the high-risk score of some of these apps, you’ll want to learn more about what MCAS can do for you. The app discovery and classification capabilities alone can significantly reduce the amount of manual work required in classification and reclassification of applications.

Through our Microsoft 365 Security Assessment service, we can capture your existing security posture, highlighting areas of potential weakness. From here we can map Microsoft 365 security capabilities, such as Cloud App Security, to your security objectives and requirements. We then provide a prioritised and actionable Microsoft 365 security roadmap.

Speak to your Account Manager or email enquiries@lima.co.uk, to find out more about how LIMA can help secure your mobile workforce, with our Microsoft 365 Assessment Services.

Contact us Back to News & Events

Our awards & accreditations.

For the past 20 years, we’ve been solving business challenges by designing and delivering intelligent IT solutions with a passion for technical excellence and customer satisfaction.

We’d love to hear from you.

If you have a question you'd like to ask, we’d love to answer it.
Fill in the contact form below and we’ll get back to you as soon as possible.

Head Office
6 Digital Park
Pacific Way
Salford Quays
Manchester
M50 1DR
0345 345 1110
We’d love to hear from you.

If you have a question you'd like to ask, we’d love to answer it.

Contact Us

Manchester
6 Digital Park
Pacific Way
Salford Quays
Manchester
M50 1DR

0345 345 1110