Remember only a few months back when workers were safely inside the four walls, surrounded by firewalls, proxies, and IPSs? Work from home has hastened the irrelevance of the network edge as a means to protect computers and data.
Now that the people have left the premises, how can a CISO provide similar protections?
A major piece of the solution is a Cloud Access Security Broker. A CASB is a cloud service which observes behavior on PCs and/or traditional networking gear, and influences traffic flow decisions based on the organization’s security policies.
The Cloud App Security Landscape
CASBs solve problems such as:
- Detecting and blocking personally identifiable information from being saved to an unsanctioned cloud storage service
- Identifying the SaaS apps that are being used, providing security/compliance information about them, and allowing CISOs to permit/block access to them
- Tracking the risk of all logins, emails sent, files up and downloaded, and sites visited
Gartner’s Magic Quadrant for CASBs mixes startups and behemoths that have made acquisitions.
Managing Traffic for Remote Workers
Work from home has reduced the effectiveness of some CASBs. They traditionally take feeds from security devices such as firewalls and security appliances. When the users are off premises, their traffic doesn’t route through those devices.
To continue to track traffic from remote workers in the CASB, there are two options:
1) Force traffic through a VPN tunnel so it backflows through the traditional edge security gear. The premises equipment can then feed the CASB to control inline decision making.
2) Activate an agent in each PC to communicate with the CASB directly, no matter their location.
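To make the CASB job concrete (identifying the SaaS apps in use, marking them sanctioned or not, and blocking PII from going to an unsanctioned storage service), here is an added example that is not code from Microsoft or any CASB vendor. It runs a toy discovery pass over constructed firewall log lines, the kind of feed a CASB ingests from premises gear or, with option #2, from an endpoint agent. The key=value log shape, the APP_CATALOG entries, the PII_HINT_RE filename hints and the policy in decide() are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed app catalog: registrable domain -> (app name, category, sanctioned by the CISO?)
APP_CATALOG = {
    "sharepoint.com": ("SharePoint Online", "cloud storage", True),
    "salesforce.com": ("Salesforce", "CRM", True),
    "dropbox.com": ("Dropbox", "cloud storage", False),
    "wetransfer.com": ("WeTransfer", "file sharing", False),
}

# Constructed firewall export in a simple key=value shape (hypothetical format, not a vendor's)
SAMPLE_LOGS = """\
ts=2020-05-04T09:01:00Z user=alice dst=corp.sharepoint.com action=upload bytes=204800 filename=Q2-plan.docx
ts=2020-05-04T09:05:12Z user=bob dst=www.dropbox.com action=upload bytes=51200 filename=customer-ssn-list.csv
ts=2020-05-04T09:07:40Z user=bob dst=login.salesforce.com action=get bytes=1024 filename=-
ts=2020-05-04T09:09:03Z user=carol dst=wetransfer.com action=upload bytes=9000000 filename=payroll.xlsx
ts=2020-05-04T09:10:00Z user=dave dst=unknown-saas.example action=get bytes=512 filename=-
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+) filename=(?P<filename>\S+)"
)
# A real CASB inspects file content; this toy only keys on filename hints (assumption)
PII_HINT_RE = re.compile(r"ssn|payroll|customer", re.IGNORECASE)


def parse_line(line):
    """Return the event as a dict, or None for lines that do not match the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev


def lookup_app(dst):
    """Map a destination host to a catalog entry by registrable-domain suffix; None if unknown."""
    for domain, entry in APP_CATALOG.items():
        if dst == domain or dst.endswith("." + domain):
            return entry
    return None


def decide(ev, app):
    """Policy: block PII-hinted uploads to unsanctioned apps; surface unknown apps for review."""
    if app is None:
        return "review"
    _name, _category, sanctioned = app
    if ev["action"] == "upload" and not sanctioned and PII_HINT_RE.search(ev["filename"]):
        return "block"
    return "allow"


def discover(log_text):
    """Run discovery plus policy over a log export; returns the app inventory and per-event decisions."""
    apps = defaultdict(lambda: {"users": set(), "sanctioned": None, "uploads": 0})
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        app = lookup_app(ev["dst"])
        name = app[0] if app else ev["dst"]
        apps[name]["users"].add(ev["user"])
        apps[name]["sanctioned"] = app[2] if app else None
        if ev["action"] == "upload":
            apps[name]["uploads"] += 1
        decisions.append((ev["user"], name, decide(ev, app)))
    return {"apps": dict(apps), "decisions": decisions}


def unsanctioned_apps(result):
    """Names of catalogued-but-unsanctioned apps that appeared in the log (shadow IT in use)."""
    return {name for name, info in result["apps"].items() if info["sanctioned"] is False}


if __name__ == "__main__":
    result = discover(SAMPLE_LOGS)
    for user, app, verdict in result["decisions"]:
        print(f"{user:6} {app:24} {verdict}")
    print("unsanctioned apps in use:", sorted(unsanctioned_apps(result)))
```

The "review" verdict is the discovery half of the job: a destination the catalog does not know about is exactly what a CISO needs surfaced so it can be sanctioned or blocked. The "block" verdict is the inline-control half, and it only works if the CASB actually sees the traffic, which is the whole point of the two options above.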
Microsoft’s Platform Solution
Microsoft Cloud App Security (MCAS, see top of Leader’s Quadrant above) can work with either option.
For #1, MCAS has prebuilt connectors to the likes of Check Point, Palo Alto, and Cisco (see https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery for the list).
To support 2020’s necessity of option #2, MCAS can take input from Microsoft Defender Advanced Threat Protection running on user devices. MDATP is an existing part of the Windows 10 OS. Once a user is licensed, the Windows OS begins sending data to MCAS, no matter its location.
Added Benefits when Using the Entire Platform
When fed with other Microsoft security sensors, MCAS can:
- Sense and alert on nefarious logins to an organization’s Azure AD tenant. In 90% of Enabling’s MCAS engagements, we have found accounts that are unknowingly already compromised.
- Orchestrate automatic responses to serious risks, such as halting the access of a compromised account.
- Identify at risk accounts and devices based on where they’ve logged in from, what apps they’ve used, and what data they’ve downloaded. Such intel is bubbled up into an at-risk user list for a SOC to prioritize, as shown below.
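To show how sign-in location, app usage and download volume can be combined into an at-risk user list of the kind a SOC would triage, here is an added example that is not Microsoft's code and does not reproduce MCAS's actual scoring. The event shapes, the APP_RISK values, the EXPECTED_COUNTRIES set and every weight and threshold are assumptions chosen for illustration; the impossible-travel rule (two sign-ins from different countries closer together than a travel window) is one common detection, and the rest is simple additive scoring.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, shaped like what identity and endpoint sensors might hand a CASB
SIGN_INS = [
    {"user": "alice", "ts": "2020-05-04T08:00:00Z", "country": "US", "app": "Office 365"},
    {"user": "bob",   "ts": "2020-05-04T08:10:00Z", "country": "US", "app": "Office 365"},
    {"user": "bob",   "ts": "2020-05-04T08:40:00Z", "country": "NZ", "app": "Office 365"},
    {"user": "carol", "ts": "2020-05-04T09:00:00Z", "country": "US", "app": "Dropbox"},
]
DOWNLOADS = [
    {"user": "alice", "ts": "2020-05-04T08:05:00Z", "app": "SharePoint Online", "bytes": 5_000_000},
    {"user": "carol", "ts": "2020-05-04T09:20:00Z", "app": "SharePoint Online", "bytes": 2_000_000_000},
]

# Assumed app risk scores (0-10) and the countries this organization expects sign-ins from
APP_RISK = {"Office 365": 1, "SharePoint Online": 1, "Dropbox": 6}
EXPECTED_COUNTRIES = {"US"}

# Assumed weights and thresholds; not MCAS's real weighting
W_IMPOSSIBLE_TRAVEL = 50
W_UNEXPECTED_COUNTRY = 20
W_RISKY_APP_PER_POINT = 5
W_BULK_DOWNLOAD = 30
RISKY_APP_THRESHOLD = 5
BULK_DOWNLOAD_BYTES = 1_000_000_000
TRAVEL_WINDOW = timedelta(hours=1)


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(sign_ins, window=TRAVEL_WINDOW):
    """Users with two consecutive sign-ins from different countries less than `window` apart."""
    by_user = defaultdict(list)
    for s in sign_ins:
        by_user[s["user"]].append((_parse_ts(s["ts"]), s["country"]))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 < window:
                flagged.add(user)
    return flagged


def score_users(sign_ins, downloads):
    """Additive risk score per user; returns [(user, score, reasons)] highest risk first."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for user in impossible_travel(sign_ins):
        scores[user] += W_IMPOSSIBLE_TRAVEL
        reasons[user].append("impossible travel")
    seen_country, seen_app = set(), set()
    for s in sign_ins:
        user = s["user"]
        scores.setdefault(user, 0)  # every active user appears in the list, even at score 0
        if s["country"] not in EXPECTED_COUNTRIES and (user, s["country"]) not in seen_country:
            seen_country.add((user, s["country"]))
            scores[user] += W_UNEXPECTED_COUNTRY
            reasons[user].append(f"sign-in from {s['country']}")
        risk = APP_RISK.get(s["app"], 5)  # unknown app: assume mid risk
        if risk >= RISKY_APP_THRESHOLD and (user, s["app"]) not in seen_app:
            seen_app.add((user, s["app"]))
            scores[user] += risk * W_RISKY_APP_PER_POINT
            reasons[user].append(f"used risky app {s['app']}")
    dl_bytes = defaultdict(int)
    for d in downloads:
        dl_bytes[d["user"]] += d["bytes"]
    for user, total in dl_bytes.items():
        scores.setdefault(user, 0)
        if total >= BULK_DOWNLOAD_BYTES:
            scores[user] += W_BULK_DOWNLOAD
            reasons[user].append(f"downloaded {total} bytes")
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(user, score, reasons[user]) for user, score in ranked]


if __name__ == "__main__":
    for user, score, why in score_users(SIGN_INS, DOWNLOADS):
        print(f"{user:6} {score:3}  {'; '.join(why) or '-'}")
```

The reasons list matters as much as the number: an analyst prioritizing from a ranked list needs to see why a user scored, and an automated response (such as halting a compromised account's access) should be gated on a specific high-confidence signal like impossible travel rather than on the aggregate alone.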
Cloud App Security is included with licenses for the Enterprise Mobility and Security E5 suite, or the Microsoft 365 E5 suite.
When used with Defender ATP on remote machines, Microsoft Cloud App Security delivers insight and protection for endpoints, wherever they are (which could be anywhere these days).