MCAS, or Microsoft Cloud App Security, is sometimes underrated and may not even be considered when implementing cloud security. In my opinion, it's a game-changing product from Microsoft and a critical component of the cloud security stack. With its ability to uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your organization can move to the cloud more safely while maintaining control of critical data. Microsoft Cloud App Security helps you discover, protect, and respond to threats.
This blog is an attempt to bring all the information about MCAS under one roof. This article discusses a phase-wise approach to implementing MCAS and also provides key recommendations. So, here's my first recommendation: implement MCAS and enjoy the plethora of benefits it brings to your organization.
Why should I use Cloud App Security?
Moving into the cloud and being mobile means that data and users live beyond the corporate perimeter, leaving on-premises security technologies behind. It's easy to access corporate cloud applications from unmanaged devices (BYOD), and it only takes a username and password to download corporate data to any device.
There are also several unsanctioned cloud apps (Dropbox, Facebook) used by users on managed devices, and those are the places where corporate IT does not want their data to reside.
This ease of access to cloud apps also applies to a malicious user, who doesn't need to get through several firewalls and security solutions (as in an on-premises infrastructure scenario) and only requires the username and password to gain access.
This is where Microsoft Cloud App Security can help to mitigate all the above-mentioned risks and provide you with deep insights into, and control over, your data in the cloud.
Integrations with other enterprise solutions are important for effective and sustainable management of the CASB solution and of the organization's processes and workflows. Microsoft Cloud App Security integrates with Microsoft's native solutions, as shown below, as well as with other market-leading solutions.
MCAS requires M365 E5 or EMS E5 licensing. However, Microsoft provides an option to purchase Microsoft 365 E5 Security as an add-on (without the full E5 cost), which is only available for Microsoft 365 E3 subscriptions, giving you all the security tools from Microsoft 365 E5 without the complete jump in cost.
M365 E3 costs $32 per user/month, and upgrading from E3 to E5 would cost an extra $25 per user/month; the security add-on, however, only costs $12 per user/month. Hence, M365 E3 + E5 Security add-on costs a total of $44.00 per user/month, which is less than M365 E5 (at $57 per user/month).
The Network and Firewall requirements for MCAS are detailed in the below link which I strongly recommend you to go through:
This section discusses the high-level steps involved in implementing MCAS, in 5 phases.
Phase 1: Discover and identify shadow IT
The first step is to establish the organization's security posture by running Cloud Discovery to see what's actually happening in the network. The recommended way is to integrate Microsoft Cloud App Security with Microsoft Defender ATP. This native integration begins the collection of data on cloud traffic across your Windows 10 devices, whether they are on or off your network.
MCAS – Discovery Architecture
Ingest firewall and proxy logs into MCAS manually, or deploy the Cloud App Security Log Collector to collect logs from your firewalls and proxies. Cloud App Security also supports forwarding logs from your SIEM server to the Log Collector, provided the logs are forwarded in their original format. However, it is highly recommended that you integrate the Log Collector directly with your firewall and/or proxy.
MCAS can also natively integrate with Zscaler, iboss and Corrata to collect logs.
Use the Cloud Discovery dashboard to get a complete picture of which apps are being used in the organization, mark them as sanctioned or unsanctioned, and filter them by category to find unsanctioned apps that are being used for legitimate work-related purposes.
MCAS – Application tagging
Identify the risk levels of your apps by using Cloud App Security's risk catalog, which includes over 16,000 apps assessed against over 80 risk factors. Filter the list of apps discovered in the organization by the risk factors that concern you (e.g. use advanced filters to find all apps with a risk score lower than 8).
Marking an app with low score as Unsanctioned
Phase 2: Evaluate and analyze
Evaluate whether the applications being used are certified as compliant with the organization's standards, such as HIPAA, SOC 2, or GDPR. The Cloud App Security portal includes suggested queries to filter the list of apps discovered in the organization by compliance or risk factors (e.g. filter out non-compliant apps).
Analyze and investigate how the non-compliant applications are being used and by whom, and block their usage if required.
Use the cloud app catalog to identify alternative apps that provide similar business functionality to the detected risky apps but do comply with your organization's policy. You can do this by using the advanced filters to find apps in the same category that meet your various security controls.
Phase 3: Manage Apps
Create custom app tags to classify each app according to its business status or justification. Such tags can then be used for specific monitoring purposes; for example, to identify high traffic going to apps tagged as risky cloud storage apps.
Cloud App Security also leverages its native integration with Azure AD to enable you to manage the discovered apps in Azure AD Gallery. For apps that already appear in the Azure AD Gallery, you can apply single sign-on and manage the app with Azure AD. To do so, on the row where the relevant app appears, choose the three dots at the end of the row, and then choose Manage app with Azure AD.
Create policies that will monitor apps, alert when new apps are discovered and provide control where needed.
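To make the discovery flow of Phase 1 and the tag-based monitoring of Phase 3 concrete, here is an added Python illustration; it is not Microsoft's code, and the proxy log format, the tiny app catalog, the "Risky cloud storage" custom tag and the threshold are constructed for the example (the real product parses many firewall/proxy formats and scores 16,000+ apps on 80+ risk factors). It aggregates traffic per destination host, tags apps with a risk score below 8 as Unsanctioned, applies the custom tag to low-scoring cloud storage apps, and then answers the "high traffic to risky storage" question from Phase 3.

```python
"""Cloud Discovery-style analysis of proxy logs (added illustration).

Not Microsoft's code. The log line format, the app catalog, the risk
threshold and the custom tag are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: epoch, user, method, URL, bytes sent, bytes received
PROXY_LOG = """\
1590000001 alice CONNECT https://www.dropbox.com/ 120 8400000
1590000002 bob GET https://teams.microsoft.com/ 512 20480
1590000003 alice POST https://wetransfer.com/upload 4500000 1024
1590000004 carol GET https://www.dropbox.com/home 300 2048
1590000005 dave GET https://api.unknown-share.example/v1 1000 5000
"""

# Constructed catalog: hostname -> (app name, category, risk score 0-10)
APP_CATALOG = {
    "www.dropbox.com": ("Dropbox", "Cloud storage", 7),
    "teams.microsoft.com": ("Microsoft Teams", "Collaboration", 10),
    "wetransfer.com": ("WeTransfer", "Cloud storage", 5),
}

RISK_THRESHOLD = 8                   # the "risk score lower than 8" filter
CUSTOM_TAG = "Risky cloud storage"   # constructed custom app tag (Phase 3)


def parse_line(line):
    """Split one constructed proxy line into a record."""
    _ts, user, _method, url, sent, received = line.split()
    return {"user": user, "host": urlsplit(url).hostname,
            "upload": int(sent), "download": int(received)}


def discover(log_text):
    """Aggregate traffic volume and distinct users per destination host."""
    apps = defaultdict(lambda: {"users": set(), "upload": 0, "download": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = apps[rec["host"]]
        entry["users"].add(rec["user"])
        entry["upload"] += rec["upload"]
        entry["download"] += rec["download"]
    return dict(apps)


def classify(apps, catalog=APP_CATALOG, threshold=RISK_THRESHOLD):
    """Attach catalog data and tags to each discovered app.

    'Unsanctioned' when the risk score is below the threshold, 'Unknown'
    when the host is not in the catalog, plus the custom tag for
    low-scoring cloud storage apps.
    """
    report = {}
    for host, stats in apps.items():
        name, category, score = catalog.get(host, (host, "Unknown", None))
        tags = set()
        if score is None:
            tags.add("Unknown")
        elif score < threshold:
            tags.add("Unsanctioned")
            if category == "Cloud storage":
                tags.add(CUSTOM_TAG)
        report[name] = {"category": category, "score": score, "tags": tags,
                        "users": sorted(stats["users"]),
                        "upload": stats["upload"], "download": stats["download"]}
    return report


def high_traffic(report, tag, min_upload_bytes):
    """Apps carrying the tag with uploads at or above the limit, largest first."""
    hits = [(info["upload"], name) for name, info in report.items()
            if tag in info["tags"] and info["upload"] >= min_upload_bytes]
    return [name for _up, name in sorted(hits, reverse=True)]


if __name__ == "__main__":
    rep = classify(discover(PROXY_LOG))
    for name, info in rep.items():
        print(f"{name:<26} score={info['score']} tags={sorted(info['tags'])} "
              f"users={info['users']} upload={info['upload']}")
    print("High-upload risky storage:", high_traffic(rep, CUSTOM_TAG, 1_000_000))
```

Apps absent from the catalog are tagged Unknown rather than silently sanctioned, which mirrors what you would want before marking anything in the dashboard: an unrecognised host carrying real upload volume deserves a look, not a default pass.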
Phase 4: Advanced Discovery Reporting
Integrate cloud discovery logs into the local SIEM or Azure Sentinel for further investigation and analysis.
Export to Power BI or integrate with other sources like Splunk to create custom reports or dashboards.
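When MCAS data is forwarded to a SIEM through its SIEM agent, the events and alerts arrive as CEF lines, and the receiving side usually needs a small normaliser before the data is useful in a dashboard. The following Python illustration is added here and is not Microsoft's code: it parses the CEF header and extension, resolves custom-field labels (cs1Label/cs1) to readable names, converts the receipt time, and selects alerts above a severity. The sample lines are constructed (tenant name, ids, IP and URLs are placeholders) and the extension keys are assumptions; check them against your own agent output.

```python
"""Normalise CEF lines of the kind the Cloud App Security SIEM agent forwards.

Added illustration, not Microsoft's code. Sample lines are constructed and
the extension keys are assumed; verify them against real agent output.
"""
import re
from datetime import datetime, timezone

# Constructed sample: one alert (severity 5) and one sign-in activity (severity 0)
CEF_SAMPLE = [
    "CEF:0|MCAS|SIEM_Agent|0.112.68|ALERT_CABINET_EVENT_MATCH_AUDIT|Impossible travel activity|5|"
    "externalId=EXAMPLEALERTID01 rt=1590000000000 msg=Impossible travel activity "
    "suser=alice@contoso.example cs1Label=portalURL "
    "cs1=https://contoso.portal.cloudappsecurity.example/#/alerts/EXAMPLEALERTID01 "
    "cs2Label=uniqueServiceAppIds cs2=APPID_EXAMPLE",
    "CEF:0|MCAS|SIEM_Agent|0.112.68|EVENT_CATEGORY_LOGIN|Log on|0|"
    "externalId=EXAMPLEEVENTID02 rt=1590000100000 msg=Log on suser=bob@contoso.example "
    "destinationServiceName=Microsoft Teams dvc=203.0.113.10",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _unescape(value):
    """Undo the CEF escapes for pipe (header), equals (extension) and backslash."""
    return value.replace(r"\|", "|").replace(r"\=", "=").replace("\\\\", "\\")


def _resolve_labels(ext):
    """Rename csN/cnN custom fields to the name in the matching csNLabel and parse rt."""
    out = {}
    for key, val in ext.items():
        if key.endswith("Label"):
            continue
        out[ext.get(key + "Label") or key] = val
    if "rt" in out:  # CEF receipt time is epoch milliseconds
        out["rt"] = datetime.fromtimestamp(int(out["rt"]) / 1000, tz=timezone.utc)
    return out


def parse_cef(line):
    """Return the seven header fields plus an 'ext' dict of extension values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-separated; a literal pipe is escaped as \|
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    record = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    record["version"] = record["version"][len("CEF:"):]
    record["severity"] = int(record["severity"])
    ext = {}
    # Extension values may contain spaces, so split only where a new key= begins
    for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, val = pair.partition("=")
        ext[key] = _unescape(val)
    record["ext"] = _resolve_labels(ext)
    return record


def select_alerts(lines, min_severity=3):
    """Parsed records whose signature id marks an alert and whose severity meets the bar."""
    hits = []
    for line in lines:
        rec = parse_cef(line)
        if rec["signature_id"].startswith("ALERT_") and rec["severity"] >= min_severity:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in select_alerts(CEF_SAMPLE):
        print(rec["ext"]["rt"].isoformat(), rec["severity"], rec["name"],
              rec["ext"].get("suser"), rec["ext"].get("portalURL"))
```

Keeping the portal URL after label resolution matters in practice: it is the pivot an analyst uses to jump from the SIEM row back into the MCAS investigation page, so it should survive whatever field mapping Splunk or Sentinel applies on ingest.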
Phase 5: Control
Connect apps via API for continuous monitoring (e.g. connect Office 365 via API).
Protect apps using Conditional Access App Control.
Microsoft Cloud App Security Conditional Access App Control uses a reverse proxy architecture to give you real-time visibility into, and control over, access to your cloud environment and the activities performed within it. With Conditional Access App Control, you can protect your organization in the following ways:
Avoid data leaks by blocking downloads before they happen
Set rules that force data stored in and downloaded from the cloud to be protected with encryption
Gain visibility into unprotected endpoints so you can monitor what’s being done on unmanaged devices
Control access from non-corporate networks or risky IP addresses
MCAS protecting download on unmanaged device
MCAS integrates with Azure Active Directory Identity Protection (Identity Protection) and Azure Advanced Threat Protection (Azure ATP) to provide user and entity behavior analytics (UEBA) across a hybrid environment, covering both cloud apps and on-premises. Once integrated, MCAS displays identity alerts and suspicious activities for all users across your cloud and on-premises environments.
Integration with Azure Information Protection gives you the capability to automatically apply classification labels and optionally add encryption protection. With the integration turned on, you can apply labels as a governance action, view and investigate files by classification, and create granular policies in the Cloud App Security portal to make sure classified files are being handled properly.
Automate processes and workflows by integrating with Microsoft Power Automate to provide custom alert automation and orchestration playbooks (e.g. create an incident in ServiceNow when an alert is generated).
More information on Automation with Flow: https://techcommunity.microsoft.com/t5/microsoft-security-and/automating-security-workflows-with-microsoft-s-casb-and-ms-flow/ba-p/308575
MCAS – Alert Recommendations:
Here are some recommendations for dealing with common alerts:

Alert Type            Trigger                      Recommendation
Compromised Account   System                       Suspend the account
Inactive Account      System                       Suspend user & terminate license
New location          System (once per country)    Investigate the user activity
Managing Roles (RBAC)
Consider assigning the following roles to make use of Cloud App Security.
Global administrator and Security administrator – full access with full permissions in Cloud App Security.
Compliance administrator – read-only permission and can manage alerts, create and modify file policies
Security operator / Security Reader – read-only permissions and can manage alerts.
I hope this article gives you an overview of how to implement Microsoft Cloud App Security. MCAS is definitely a "must" for organizations that want to keep their data secure in the cloud, especially when they deal with a lot of personal information (PI) data.