What is a Cloud Access Security Broker (CASB)?
A Cloud Access Security Broker (CASB) emerges as a pivotal player in ensuring the security of cloud-based applications and services. CASBs act as gatekeepers, mediating between users and cloud service providers to enforce security policies and maintain the integrity of data. One of the primary roles of a CASB is to enforce security policies. As we migrate to cloud services, traditional on-premises security measures become less effective. CASBs step in to fill this gap by providing security at the cloud level. They ensure that organizational policies regarding data access, sharing, and storage are uniformly applied across all cloud services. These security solutions offer unparalleled visibility into cloud application usage, allowing you to monitor and control the flow of sensitive information. This visibility is crucial for compliance with various regulatory standards such as GDPR, HIPAA, and SOX. CASBs can identify and classify sensitive data stored in the cloud, monitor its movement, and enforce compliance policies. CASBs play a vital role in managing who has access to cloud applications and data. They integrate with existing identity management systems to provide secure authentication and Single Sign-On (SSO) capabilities. This ensures that only authorized users can access sensitive cloud resources. In this context, Microsoft Defender for Cloud Apps, a leading CASB solution, plays a pivotal role in securing cloud environments. It offers comprehensive protection across several dimensions of cloud security. With its advanced capabilities in data protection, threat detection, and seamless integration with various cloud services, it represents a robust solution for managing and securing cloud applications. Defender for Cloud Apps extends its functionality to monitor a wide range of cloud applications, thereby ensuring that organizations have the tools they need to secure their cloud footprint effectively.
With the exponential growth in cloud adoption, the importance of CASBs cannot be overstated. They are not just tools for security; they are essential components of a modern cloud strategy. CASBs bridge the gap between the dynamic nature of cloud services and the need for robust security and compliance. They enable us to harness the power of the cloud while ensuring that data and applications remain secure and compliant with internal and external regulations. With that said, let’s dive deeper into Microsoft Defender for Cloud Apps and learn more about its potential.
Deploy Microsoft Defender for Cloud Apps
While the new name makes perfect sense, I know I’ll have to deal with numerous questions about the difference between it and Microsoft Defender for Cloud, the new name for Azure Security Center and Azure Defender. Defender for Cloud is all about protecting workloads in Azure (and AWS & GCP, hence the name change from Azure Defender to Defender for Cloud), whereas Defender for Cloud Apps (MDCA) is all about spotting shadow IT, managing SaaS service access by your end-users, and applying policy. Let’s start with how it works – MDCA needs access to data on what apps your users are browsing on the internet. You can continuously upload logs from your on-premises firewalls and proxy servers, integrate directly with a set of cloud services with API connections, and use Microsoft Defender for Endpoint as an agent for MDCA. The number of cloud services that can be integrated into MDCA is increasing; at the time of writing, they are:
- Atlassian (Preview)
- AWS
- Azure
- Box
- Dropbox
- Egnyte
- GCP
- GitHub Enterprise Cloud
- Google Workspace
- NetDocuments
- Office 365
- Okta
- OneLogin
- Salesforce
- ServiceNow
- Slack
- Smartsheet
- Webex
- Workday
- Zendesk
Shadow IT Discovery
OK, once you have data flowing into Defender for Cloud Apps through any of the methods above, you’ll start getting Cloud Discovery reports. These will tell you which service categories are most used, which apps are most used by your users, and whether high-, medium- and low-risk apps are in use. Commonly known as shadow IT, this is the usage of apps that the business isn’t aware of, including the potential storage of sensitive data in these locations. It’s vital that this is discovered and managed, and Defender for Cloud Apps helps you a lot with this task.
Defender for Cloud Apps Cloud Discovery dashboard
Based on this data, you can start digging into the riskiest apps with high usage and identify why they’re being used and what the risks are. There’s a built-in catalog of 30,036 apps (and growing; the last time I looked, it was just over 27,000). Each app/cloud service in the catalog has an overall score from 1-10, based on four categories: General, Security, Compliance and Legal.
Defender for Cloud Apps catalog listing
The point of the catalog is to give you instant visibility into the security stance (perhaps of a service you’ve just found out is used by the entire finance department) and regulatory compliance of an app without having to spend hours digging through their website or requesting more information from them. For instance, if your organization requires suppliers to adhere to a specific compliance regulation, you can filter the catalog to identify any application in use that doesn’t. The next step is to sanction or unsanction an app. The latter will block access if you’re using Defender for Endpoint, Zscaler, or iboss, and there are options to download a script to add the block to on-premises firewalls. But even if you’re not outright blocking the use of these apps, it does allow you to track down the users and suggest an alternative app with a better security track record. Another way I find this discovery useful is that it lets me find popular apps that I can publish through Azure Active Directory for users, adding governance around their usage.
Using Defender for Cloud Apps
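The discovery flow described in this section (ingest proxy or firewall logs, match the destination hosts to a catalog, score each app from its category ratings, then flag unsanctioned high-risk usage and produce a block list for the perimeter) can be sketched in a few dozen lines. The following is an added example, not Defender for Cloud Apps code and not its real catalog: the log format, the app entries, their category scores, the mean-of-categories scoring rule and the risk-band thresholds are all constructed for illustration.

```python
"""Shadow IT discovery over a constructed proxy log export.
Added example, not Defender for Cloud Apps code: it mimics the Cloud Discovery
flow the article describes using invented hosts, scores and log lines.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-in for the app catalog. Category scores (General, Security,
# Compliance, Legal) are invented for illustration, not real catalog values.
CATALOG = {
    "files.box.com":      ("Box",        {"general": 9, "security": 9, "compliance": 9, "legal": 9}),
    "api.dropbox.com":    ("Dropbox",    {"general": 8, "security": 8, "compliance": 8, "legal": 8}),
    "quickshare.example": ("QuickShare", {"general": 3, "security": 2, "compliance": 1, "legal": 2}),
    "pdfconvert.example": ("PDFConvert", {"general": 5, "security": 4, "compliance": 3, "legal": 4}),
}
APP_CATEGORIES = {app: cats for app, cats in CATALOG.values()}
APP_HOSTS = defaultdict(set)
for _host, (_app, _) in CATALOG.items():
    APP_HOSTS[_app].add(_host)
SANCTIONED = {"Box"}  # apps the organization has explicitly approved


def overall_score(cats):
    """Assumption: the overall 1-10 score is the mean of the four category scores."""
    return round(sum(cats.values()) / len(cats), 1)


def risk_band(score):
    """Assumed thresholds on the 1-10 scale, where 10 is the lowest risk."""
    if score >= 7:
        return "low"
    if score >= 4:
        return "medium"
    return "high"


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def discover(log_lines):
    """Aggregate usage per catalog app. Constructed line format: time user host bytes_sent method."""
    usage = defaultdict(AppUsage)
    unknown_hosts = set()
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, user, host, nbytes, method = line.split()
        entry = CATALOG.get(host)
        if entry is None:
            unknown_hosts.add(host)  # not in the catalog: needs manual triage
            continue
        app_usage = usage[entry[0]]
        app_usage.users.add(user)
        app_usage.requests += 1
        if method in ("POST", "PUT"):  # upload direction: data leaving the organization
            app_usage.bytes_uploaded += int(nbytes)
    return usage, unknown_hosts


def shadow_it_report(log_lines):
    """Return per-app findings, perimeter hosts to block, and unmatched hosts."""
    usage, unknown_hosts = discover(log_lines)
    findings, block_hosts = {}, []
    for app, u in usage.items():
        score = overall_score(APP_CATEGORIES[app])
        band = risk_band(score)
        sanctioned = app in SANCTIONED
        findings[app] = {"score": score, "risk": band, "sanctioned": sanctioned,
                         "users": len(u.users), "bytes_uploaded": u.bytes_uploaded}
        # An unsanctioned high-risk app yields a block list for firewalls/proxies.
        if band == "high" and not sanctioned:
            block_hosts.extend(APP_HOSTS[app])
    return findings, sorted(block_hosts), sorted(unknown_hosts)


SAMPLE_LOG = """\
# constructed proxy export: time user host bytes_sent method
2022-03-01T09:12:44Z alice@contoso.example quickshare.example 5242880 POST
2022-03-01T09:13:02Z bob@contoso.example quickshare.example 1048576 POST
2022-03-01T09:15:10Z carol@contoso.example files.box.com 204800 PUT
2022-03-01T09:20:31Z alice@contoso.example files.box.com 1024 GET
2022-03-01T10:02:17Z dave@contoso.example pdfconvert.example 307200 POST
2022-03-01T10:05:55Z erin@contoso.example api.dropbox.com 512 GET
2022-03-01T10:40:08Z frank@contoso.example unlisted-tool.example 4096 GET
""".splitlines()

if __name__ == "__main__":
    findings, block_hosts, unknown = shadow_it_report(SAMPLE_LOG)
    for app, f in sorted(findings.items(), key=lambda kv: kv[1]["score"]):
        print(f"{app:<11} score={f['score']:<4} risk={f['risk']:<6} users={f['users']} "
              f"uploaded={f['bytes_uploaded']} sanctioned={f['sanctioned']}")
    print("block on perimeter:", block_hosts)
    print("not in catalog, triage manually:", unknown)
```

Two design points carry over to the real product: uploads (POST/PUT bytes) are tracked separately from total traffic because that is the direction in which sensitive data leaves the organization, and hosts missing from the catalog are surfaced rather than silently dropped, since an unknown destination with real usage is exactly the shadow IT the discovery report exists to find.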
You can use several types of policies to detect risky behavior and suspicious activity and, in some cases, automatically remediate the issue. Activity policies use the APIs of integrated applications and let you build custom alerts for multiple failed sign-ins and large amounts of file downloads or logins from unusual countries or regions. Anomaly detection uses User and Entity Behavioral Analytics (UEBA) and Machine Learning, and for most detections, it takes seven days to establish a baseline so it can identify what’s unusual. Signals used in these policies include risky IP addresses, inactive accounts, locations, devices, user agents, etc. Malware detection across Box, Dropbox, Google Workspace, and Office 365 (when used with Defender for Office 365) is one of these policies.
Defender for Cloud Apps activity policy to catch ransomware
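To make the activity-policy triggers above concrete (repeated failed sign-ins, bulk file downloads, and a sign-in from a country outside a user's baseline), here is an added example that evaluates them as sliding-window rules over a stream of activity events and maps each hit to one of the governance actions the article mentions (require sign-in again, suspend the user, confirm compromised). This is not Defender for Cloud Apps code or its API: the event schema, thresholds, windows, baseline table and action names are constructed for illustration. It also shows the baseline edge case the article points out: a user with no learned baseline yet produces no "unusual country" alert.

```python
"""Activity-policy style detections over constructed cloud-app activity events.
Added example, not Defender for Cloud Apps code. Events, thresholds, baselines
and governance action names are all constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed thresholds; a real policy would be tuned per tenant.
FAILED_SIGNIN_THRESHOLD, FAILED_SIGNIN_WINDOW = 5, timedelta(minutes=10)
DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW = 20, timedelta(minutes=5)

# Constructed governance action per policy (names are illustrative).
GOVERNANCE = {
    "multiple_failed_signins": "require_user_to_sign_in_again",
    "mass_download": "suspend_user",
    "unusual_country": "confirm_user_compromised",
}


class WindowCounter:
    """Count events per key in a trailing time window; add() is True once the threshold is met."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)

    def add(self, key, when):
        q = self.events[key]
        q.append(when)
        while q and when - q[0] > self.window:  # drop events older than the window
            q.popleft()
        return len(q) >= self.threshold


def evaluate(events, baseline_countries):
    """Run the three activity policies over time-ordered events; one alert per (policy, user)."""
    failed = WindowCounter(FAILED_SIGNIN_THRESHOLD, FAILED_SIGNIN_WINDOW)
    downloads = WindowCounter(DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW)
    alerts, fired = [], set()

    def raise_alert(policy, e, detail):
        if (policy, e["user"]) in fired:  # avoid re-alerting on every further event
            return
        fired.add((policy, e["user"]))
        alerts.append({"policy": policy, "user": e["user"], "app": e["app"],
                       "time": e["time"].isoformat(), "detail": detail,
                       "action": GOVERNANCE[policy]})

    for e in sorted(events, key=lambda x: x["time"]):
        if e["action"] == "SignInFailed":
            if failed.add(e["user"], e["time"]):
                raise_alert("multiple_failed_signins", e,
                            f"{FAILED_SIGNIN_THRESHOLD} failures within {FAILED_SIGNIN_WINDOW}")
        elif e["action"] == "FileDownloaded":
            if downloads.add(e["user"], e["time"]):
                raise_alert("mass_download", e,
                            f"{DOWNLOAD_THRESHOLD} downloads within {DOWNLOAD_WINDOW}")
        elif e["action"] == "SignInSucceeded":
            known = baseline_countries.get(e["user"])
            if known is None:
                continue  # no baseline yet (the article notes ~7 days are needed): not an anomaly
            if e["country"] not in known:
                raise_alert("unusual_country", e, f"{e['country']} not in baseline {sorted(known)}")
    return alerts


def ev(when, user, app, action, country):
    """Build one constructed activity event."""
    return {"time": when, "user": user, "app": app, "action": action, "country": country}


T0 = datetime(2022, 3, 1, 9, 0, 0)
# Constructed baseline of countries each user normally signs in from; erin has none yet.
BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}, "dave": {"US"}}
SAMPLE_EVENTS = (
    # bob: 5 failed sign-ins in 4 minutes -> multiple_failed_signins
    [ev(T0 + timedelta(minutes=i), "bob", "Office365", "SignInFailed", "GB") for i in range(5)]
    # carol: 4 failures spread over 30 minutes -> never 5 inside a 10-minute window
    + [ev(T0 + timedelta(minutes=i), "carol", "Office365", "SignInFailed", "GB") for i in range(0, 40, 10)]
    # alice: 20 downloads in two minutes -> mass_download
    + [ev(T0 + timedelta(seconds=6 * i), "alice", "Box", "FileDownloaded", "GB") for i in range(20)]
    # dave: successful sign-in from outside his baseline -> unusual_country
    + [ev(T0, "dave", "Salesforce", "SignInSucceeded", "RU")]
    # erin: no baseline yet -> no alert
    + [ev(T0, "erin", "Salesforce", "SignInSucceeded", "RU")]
)

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(f"{a['time']} {a['policy']:<24} {a['user']:<6} {a['app']:<10} -> {a['action']}  ({a['detail']})")
```

The per-(policy, user) deduplication matters in practice: without it, every failed sign-in after the fifth would re-fire the rule and flood whoever receives the email or text alert. The sliding window is kept per user so one noisy account cannot push another over the threshold.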
OAuth app policies keep an eye on apps that are granted permissions in Azure AD, either by end-users (if you allow this) or by administrators. We covered the risks and mitigations in-depth in an article. File policies bring a built-in DLP engine to inspect content across 100+ file types and allow you to take automated action when the content matches your criteria. You can create policies for publicly shared files, files shared with a specific domain or with a specific set of unauthorized users, and even for specific high-risk file extensions. Access policies are a very cool concept, essentially combining the best of Azure AD Conditional Access policies with the app control of MDCA. You deploy the apps using Conditional Access App Control, and this lets you not only block access to applications based on the user’s device, for instance, but it also allows you to use session policies to control what a user can do in the app. You can monitor all activity, block all downloads, block specific activities, require step-up authentication for sensitive tasks, protect files on download or upload, block malware, and educate users on protecting sensitive files.
Defender for Cloud Apps cloud discovery anomaly detection policy
Finally, App discovery policies alert you to new cloud services that are being used (to continue the fight against Shadow IT), and cloud discovery anomaly detection policies alert you to unusual activity in cloud apps. Unlike many other security applications, what I like about Defender for Cloud Apps is that it creates many default policies for you “out of the box,” so you’re getting good protection even before you create your own policies. Alerts from these policies can be sent as emails or text messages, or you can use a Power Automate playbook to notify the right people. You can also automatically disable a user account, require the user to sign in again, or confirm them as compromised to automatically contain a potential attack. As you can see, you can provide granular control over what your users can and can’t do in cloud applications, and if they’re working from home (on Windows 10/11 devices), they’re still under your purview. Note that it’s not only end-user SaaS services that are protected with Defender for Cloud Apps: AWS, GCP, and Azure admin access and usage can also be monitored and controlled. The integration with the rest of the Microsoft 365 Defender stack is also strong; here’s an example of a Data Loss Prevention policy being used to control sensitive data in third-party apps.
![Microsoft 365 Data Loss Prevention Policy integration](https://www.hornetsecurity.com/wp-content/uploads/sites/10/2022/03/Microsoft-365-Data-Loss-Prevention-Policy-integration.png)
Microsoft 365 Data Loss Prevention Policy integration