This blog will be part of a series of leveraging Microsoft security technologies in the enterprise.
Over the past decade or more, we have seen a tremendous shift in business infrastructure away from the traditional on premise systems and services towards cloud-based X-As-A Service (XaaS). The “X” seems to grow daily as more systems and services become virtually available. Instead of having all of our hardware and software safely located inside the walls of our bricks & mortar offices, we now have only basic connectivity devices. With the ubiquitousness of Wi-Fi and mobile devices and the anywhere workplace, that which we have physical control over is lessening by the minute.
In some instances, entire offices are composed of little more than end-user devices and just enough equipment to connect them to the internet. The systems and data that make up the lifeblood of the business now reside “in the cloud” and are available everywhere with an Internet connection.
It’s kind of like having your heart located in another room (sometimes you don’t know which room) and only remaining connected by one or two arteries and a few nerves. These connections are likely shared, exposed to some risk from external parties, and beyond your control. That connection to your vital services must be protected, and this is what a Cloud Access Security Broker (CASB) like Microsoft Cloud App Security (MCAS) does for you.
What Is It? CASB, usually pronounced “KAZ-BEE” in a style reminiscent of the 1982 hit by The Clash. “Rock the Casbah”, is a technology that arrived not long after the rise of Cloud Computing showing yet again that security is usually a thought behind the functionality we desire. “Can we do this?” “Yes, we can, and here’s how we do it.” “Cool. So, how do we secure it?” Blank stares follow.
A CASB essentially sits between you and your chosen cloud, either public or private, and are either on-premises, cloud-based (SaaS), or hybrid enforcement points. Their role is to interject your security policies on-the-fly as the resources are accessed to make sure that nothing nefarious happens (there is that word again). Rather than being a one-trick pony, a CASB can enforce a broad number of security policies which can include single sign-on (SSO), authorisation, encryption, logging and alerting, malware detection and prevention, device profiling, and even mapping credentials to resources. There are many other uses, but let’s not get ahead of ourselves here!
Another term you may hear when dealing with CASB is “Tokenization” which is basically switching something sensitive, such as your data, for something that is not – the token. This token maps to the data through a tokenization system kind of like how you would check your coat at a fancy restaurant and the clerk gives you a number. The token itself is practically useless to try to understand what data it is mapped to; only the tokenization system knows. The tokenization system should be protected with the best practices and level applied to the rest of the data – you don’t want it to become the weak link! When the tokenization system gets the right token, it can “detokenize” the data for access…kind of like going to the post office with a delivery notice to get your online purchases.
According to Gartner, by 2020 up to 60% of large enterprises will use a CASB solution to govern cloud services whereas around 2017- 2018 less than 10% did. If you’re not talking about CASB now, you probably will be very soon. And more than just the large enterprises may benefit. Smaller businesses, without the exorbitant security budgets, can benefit from the flexible options out in the market right now. The Microsoft Cloud App Security offering is a perfect example.
On the topic of Gartner, In October 2019, Microsoft was named a leader in the Cloud Access Security Broker Magic Quadrant. Most interestingly to me, the fact they sit the highest on the axis for “Ability To Execute” means a lot because being able to do what you say you’re going to do, and being the best at it can make the difference between “good” and “just good enough”. If you use a Microsoft-centric ecosystem based on Azure and Office365, and still have some on premise systems (or even mostly on premise), MCAS could very well be the best fit for you.
Where Do I Start?
The obvious question is to ask yourself if you need CASB, but first ask yourself if you have any cloud services now or will soon. Odds are you do, and you will. With the rise of massive cloud services providers like Microsoft and the like, as well as the endless number of private clouds available, CASB should be on your radar and closing in to the centre fast. Rare is the organisation that is completely in-house these days to exercise nearly full control. Even using a colocation datacentre allows a fair degree of control, just like in-house, but moving to the cloud presents unique challenges.
Many organisations I have spoken with over the past decade have adopted a cloud-first strategy and endeavour to have any new systems as cloud-based while migrating existing systems to the cloud at the same time. CASB, as you can understand, is a critical safeguard of this mass exodus of locally-controlled systems and data.
Let’s just say that you have all your systems in-house and something bad happens. You can quickly run to the server room and pull a cable out of a router or firewall. Maybe the Internet or Email goes down for a bit while you get it sorted out, but you’re in control. Now, let’s imagine you are fully-cloud based and you’re breached. Someone nefarious has access to your cloud. You run to the same server room and pull the cable. Only now the bad guys still have access and you don’t. You’ve effectively turned yourself into an island and the guy getting voted off the island at Tribal Council and getting their torch extinguished is the one holding the blue copper cable (or fibre). Thanks, Survivor!
If you answered yes to anything cloud in relation to your business, you need CASB as part of your Cyber Security Strategy. In terms of vendors you should start with, you have a few options but if you are like many and are invested heavily in Microsoft, I’d suggest looking at Microsoft Cloud App Security (MCAS).
How Do I Get MCAS?
If you’re worried about having to buy a whole lot of licenses you don’t want or need, the good news is that you don’t have to get an Office 365 license just to use MCAS, but you will need an MCAS license just the same. If you have any of the other higher-level licenses all the way up to Microsoft 365 E5, you may already have it at your fingertips to use, but depending on the license, you may or may not have access to everything MCAS does as some options only include a subset of MCAS features.
For example, while the Microsoft 365 E5 has all the bells and whistles the exceptional Microsoft security suite has to offer, it may be outside of your budget. Office 365 E5 has MCAS, but is limited to only Office 365 apps without the ability to include third-party apps. There are many options and combinations to consider and it gets confusing, I know, so please reach out to me or my great team for advice.
Now that I have it, what can I do with it?
Since you’ve determined you need a CASB and have determined that MCAS is going to be the best fit for your organisation, you’re probably wondering what exactly this thing can do for you? The short answer is “a lot”. The long answer could form a whole series of blogs, so I’ll try to sum up some of the basics here in terms of the NIST Cybersecurity Framework to Identify, Protect, Detect, Respond, and Recover.
Identify: MCAS can discover the cloud apps and services (including third-party, non-Microsoft) your organisation uses and Discover OAuth (Open Authentication to provide delegated access) apps that have access. (For example, Google, Facebook, and Twitter are OAuth providers). MCAS can assess the risk and compliance of the cloud apps you use. This can also audit the configuration of your IaaS environments.
Protect:
MCAS can protect your data when it’s downloaded to unmanaged devices and enforce DLP and compliance policies for sensitive data stored in your cloud apps. Additionally, MCAS can enforce adaptive session controls to manage user actions in real-time which is critical in protecting data without only finding out after it’s too late. Govern discovered cloud apps and explore suitable alternatives that may be more secure and better aligned to your organisation. MCAS can ensure safe collaboration and data sharing practices in the cloud, which is where the modern workplace lives.
Detect:
MCAS can detect when data is being exfiltrated from your corporate apps, detect threats from users inside your organization, detect threats from privileged accounts, and detect and remediate malware in your cloud apps. Leverage MCAS to gain visibility into corporate data stored in the cloud which, in this day and age, is virtually everything you possess. Enable continuous monitoring so you may detect new and potentially risky cloud apps automatically. Actively monitor user activities to protect against threats in your As-A-Service environments.
Respond:
MCAS can identify compromised user accounts, and Identify / revoke access to risky OAuth apps. The solution will also record audit trails for user activities, including within hybrid environments. A key element of forensics is the MCAS ability to capture user activities within custom clouds and on premise applications.
Recover: A solid data protection and disaster recovery /business continuity plan is essential here and addresses one of the ASD/ACSC Essential Eight, “Daily Backups”.
How do I make It Work?
Now that you understand there are a wealth of ways to use MCAS, it comes down to implementing the solution. While using third-party CASB solutions can be intimidating, the Microsoft solution offers a familiar environment within your existing ecosystem. There are a few ways to implement the MCAS CASB, but it essentially sits between you and your Microsoft cloud (Azure and Office 365) or other third-party cloud services.
Its role is two-fold, but the roles are not mutually inclusive. You can perform security or management or, as I recommend, both. Security, in general, is the prevention of risk relating to your cloud computing. Management could be considered as mitigation of risk. There is probably little point to implementing security without some means of managing it. If we focus too much on the “Before” of a breach, we flounder badly when it comes to the “During” and “After” of same. Also, the more you know about what is happening and has happened, the better positioned you will be from here on out.
Whether security or management or both, there are many key functionalities to consider. Four of the more common ones include Visibility, Data Security, Threat Protection, and Compliance. Visibility is important because it allows you to keep an eye on both sanctioned and unsanctioned activities. Sanctioned? Your use of cloud services such as Office 365 or Salesforce. What is unsanctioned? Think Shadow IT. If you’re using cloud, you can bet others are using (and abusing) it too beyond your knowledge and control.
Shadow IT, you say? Let’s think about that one for a second. We all understand (and sometimes accept) that rules are necessary, hence the reason why we say which cloud applications we’re allowed to use, and which ones we’re prohibited from using. Licensing, cost, security, compatibility, and support are many of the reasons.
The problem is that users don’t always see it this way and when they want to do, see, or use something, and they think they’re being “unreasonably” prevented from doing do, they can get very creative at finding a work-around to get what they want. Subscribing to “free” services, paying for applications on their own (then trying to expense it!) and all kinds of back channels without thinking about it. MCAS can really step in and help out here, so if you don’t have many other reasons for a CASB, managing Shadow IT should be top of your list.
Data security is the obvious one. Cloud computing presents a unique challenge. While the data is yours, the systems that store and process it are probably not, even in the Microsoft ecosystem. Threat protection permits you to control devices, users, and even application versions and can watch carefully for anomalies through user behaviour and other types of analytics. Programs have their own nuances, even malware.
I’d be remiss if I didn’t mention the legal implications of managing private and confidential data in a cloud environment. Compliance is become a far greater concern, especially where more and more regulations on who can do what, which what, and how. Think about the European Union (EU) General Data Protection Regulation (GDPR) or Notifiable Data Breaches (NDB) Scheme here in Australia. As the rest of the world adopts and enforces their own data protection and privacy legislation, MCAS becomes more and more valuable.
The penalties associated with GDPR and the NDB Scheme are not insignificant. With GDPR, the fines are up to 4% of the annual global turnover or 20M EUR – whichever is greater. Ouch. With the NDB Scheme, the penalties are $1.8M AUD for organisations and $360K AUD for individuals. Again, nothing to sneeze at. At least here in Australia we get 30 days to undertake an investigation and report a notifiable breach. For GDPR, we only get 72 hours from becoming aware. Tick tock!
Your MCAS CASB for security resides in line with your data path and can consist of an agentless deployment or agent-based deployment. An agent-based CASB deployment requires proxy agents on each endpoint, including in the cloud itself and on the endpoints in your enterprise. These can be difficult to deploy and are best suited where the assets are corporate-owned and managed. Think, for example of installing endpoint protection clients. Agentless, on the other hand, can cover all devices whether company owned or not and is much quicker to deploy. Many of us operate in a BYOD capacity with our mobile devices and just as many would object to having a third-party exercise control over them.
Agentless deployments only concern themselves with corporate data, ignoring personal data unless otherwise configured. Agent-based CASB, however, will concern itself with both corporate and personal data. You must ask the right questions as to which solutions suits your enterprise best, but odds are an agentless solution may be your preferred choice; just don’t ignore an agent-based deployment until you know for sure. Even consider Hybrid if that suits you better.
CASB for management is a more of an after-the-fact environment and can use APIs to inspect data in the cloud for events but can yield a wealth of information to allow you to stay on top of things. You could, for example, feed data from proxy, gateway, or firewall logs into CASB for analysis on cloud-based activity such as access, application usage, and so on.
An API-only CASB can offer management-only via APIs from some of the major cloud-based services available and can give you value through some degree of visibility. Personally, I’m more inclined to use a multi-mode CASB for both security and management. Newer offerings even include a degree of zero-day protection against known and unknown threats and may effectively knock down the threat before it ever reaches you or you ever become aware. You know, those things that go “bump” in the night?
The Bogeyman notwithstanding, you need to have a good understanding of your cloud computing environment and needs to know what solution works best for you. You may lean towards a multi-mode, agentless CASB deployment or you may find an agent-based solution suits your environment better. Ask the questions, get the answers, and make an informed decision.
Thankfully, the Microsoft MCAS solution is relatively straightforward to manage once it’s up and running the way you want it to and the wealth of information and control you will gain pays for itself in terms of productivity and efficiency in next to no time.
Pitfalls?
The most obvious pitfall is having a cloud-first strategy that lacks adequate security controls. The data is leaving your premises, and it can be a long way with a lot of stops in the middle before it gets back to your controlled space. Like any road trip with many stops, your data must be secured. The creatures that inhabit those spooky roadside rest areas exist in a virtual sense as well. That end-to-end control must be maintained.
You should also carefully consider the type of deployment you are using because if you choose one over the other without considering your data, applications, users, and workspaces, you may find you’re leaving gaps. Imagine, for example, an agent-based CASB deployment but you cannot take your computer on the road, so productivity could take a hit while you are away. Many scenarios; be sure you choose the one that suits your workforce style the best.
Leveraging MCAS within your Microsoft ecosystem can mitigate many of these pitfalls because it integrates so well with the rest of the platform and other important services like Data Loss Prevention (DLP) that cover more attack vectors. Just be sure to ultimately base your CASB implementation on use cases over technical architecture. Function before fashion!
Ghosts in The Machine?
Like any other environment, you must secure the endpoints. Let’s say you have CASB fully deployed, but a lax security policy allows a malicious entity to gain access to the cloud using a “trusted” system. Yes, there are ways to mitigate this very possibility, but it illustrates that no single strategy can stand alone. CASB, in and of itself, is not a silver bullet but is much more effective when combined with several strategies.
Interestingly enough, the combination of Microsoft’s MCAS and Windows Defender Advanced Threat Protection (ATP) can really help bolster your end-to-end defences. This can be leveraged in the Microsoft 365 E5 Security, and Microsoft 365 E5. For mobility-focused aspects, consider MCAS + Enterprise Mobility Security (EMS) E3.
The other ghost, shall we call is “Casper” because it’s a friendly one, is the underutilised investments in your environment where you already have the tools and services you need. Be sure to take full advantage of your entire investment, especially if it includes the ability to use MCAS!
Anything Missing?
Be sure that whichever CASB solution you select aligns with both your internal infrastructure and your selected cloud services. When it comes to Microsoft, the MCAS solution is the obvious choice and best fit. For the most part, the available solutions play nice with each other, but it never hurts to be sure. When having the conversation with your CASB service providers and experts, be sure to disclose these. Odds are they’ll ask first but be prepared to cover all bases.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock