Here's the slide deck from my session titled "Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps" which was presented on the Modern Workplace Conference Paris 2022 Virtual event.
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
2. Modern Workplace Conference Paris 2022, online, 24, 25, 26 Jan 2022. #MWCP22
Share. Discover. Explore.
3. Follow us all year round!
https://aos.community
https://modern-workplace.pro
https://twitter.com/mwcparis
https://twitter.com/aOSComm
https://www.linkedin.com/company/ams-community
https://www.linkedin.com/company/mwcp
https://www.facebook.com/modernworkplaceconferenceparis
https://www.facebook.com/aOSCommunity (FR)
https://www.facebook.com/aosComm (EN)
7. How has the cloud changed the enterprise?
Life before cloud (on-premises: storage, corporate data and users inside the network):
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter
Life with cloud:
• User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection
9. Enterprise-class technology
• Identity & access management: secure identities to reach zero trust
• Security management: strengthen your security posture with insights and guidance
• Threat protection: help stop damaging attacks with integrated and automated security
• Information protection: locate and classify information anywhere it lives
• Infrastructure security underpins all four areas
11. Microsoft Defender for Cloud Apps
• Discover and assess risks: identify cloud apps on your network, gain visibility into shadow IT, and get risk assessments and ongoing analytics.
• Control access in real time: manage and limit cloud app access based on conditions and session context, including user identity, device, and location.
• Detect threats: identify high-risk usage and detect unusual behavior using Microsoft threat intelligence and research.
• Protect your information: get granular control over data and use built-in or custom policies for data sharing and data loss prevention.
Extend Microsoft security to your cloud apps (and more):
• Identity: Azure AD and Conditional Access
• Information protection: Office 365 & Azure Information Protection
• Threat detection: Microsoft Intelligent Security Graph, Office ATP
13. TOP CASB USE CASES
Office 365, Azure, Salesforce, Box, AWS, Dropbox, Facebook, Twitter, YouTube
14. Case study
A company named Contoso is using Microsoft 365 for collaborating internally and with other organizations. All their employees are currently working from home due to COVID.
Challenges
• Users are downloading sensitive information to their personal PC
• Users are downloading company confidential files to their personal PC
• Users are uploading PII information to SPO
• Customer's PII data is being copied and shared with a competitor
• Legal regulations state that contract/contingent employees shouldn't have access to Office 365 from their personal PC
• Contoso would also like to control sharing of sensitive information from 3rd-party apps such as Box
• Block risky sign-ins
15. Contoso's current setup
1. All the users in Contoso have a Microsoft 365 license and an Azure AD P1 license assigned to them.
2. They all have an Intune-compliant or Hybrid Azure AD joined PC given to them.
3. Contoso is currently using cloud apps such as Office 365, Box & Workplace by Facebook.
4. Contoso has rolled out AIP & DLP for all its users and they also have Azure AD Conditional Access policies configured.
18. Monitor and control access to cloud apps
Defender for Cloud Apps sits as a proxy in front of the cloud app and applies policy to the session. Possible outcomes: allow access, deny access, limit access, require MFA, force password reset.
19. CONDITIONAL ACCESS APP CONTROL
Microsoft Azure Active Directory analyzes session risk:
• Check device compliance with Intune
• Check location
• Check user behavior
• Check user organization
Microsoft Defender for Cloud Apps enforces relevant policies with Conditional Access App Control (the session is proxied, e.g. BOX.US.CAS.MS):
• Protect downloads from unmanaged devices with AIP
• Monitor and alert on actions when user activity is suspicious
• Enforce read-only mode in applications for partner (B2B) users
• Require MFA and define session timeouts for unfamiliar locations
Defender for Cloud Apps integrates with Azure Active Directory, Azure Information Protection and Microsoft Intune to help protect any app in your organization.
20. Access policy and Session policy
Access policies enable real-time monitoring and control over access to cloud apps based on user, location, device, and app.
Session policies enable real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy set for a user session.
CONDITIONAL ACCESS APP CONTROL prerequisites:
• Azure AD Premium P1 license, or the license required by your identity provider (IdP) solution
• The relevant apps should be deployed with Conditional Access App Control
• Make sure you have configured your IdP solution to work with Defender for Cloud Apps
When a session is proxied, the app URL is rewritten: app URL myapp.com becomes myapp.com.mcas.ms.
21. Conditional Access App Control – Architecture
The user signs in with SSO and the SAML authentication request reaches Azure AD (the IdP). From there the flow is:
1. Is there an Azure AD Conditional Access policy matching this request? No: the data flow goes straight to the app, without the proxy. Yes: the session is routed to Defender for Cloud Apps and the app is served from its proxied .US.CAS.MS URL.
2. Is there a CAS access policy that blocks this request? Yes: ACCESS DENIED. No: continue.
3. Is there a CAS session policy matching this request? No: the session is monitored only. Yes: continue.
4. Is content inspection enabled for this session policy, or is the Protect on Download action selected? When the user attempts a file download the outcome is one of: block the file download and monitor; protect the file download (Azure Information Protection applies the label) and monitor; or monitor only.
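The decision flow above, as an added example that is not part of the deck or of Microsoft's product code: a small simulation of the stages (Azure AD Conditional Access match, proxy URL rewrite, Defender for Cloud Apps access policy, session policy, download action) run over constructed requests for Contoso's challenges. The users, hosts, sensitivity labels and the policy rules themselves are assumptions made up for the example; the .mcas.ms suffix is the one shown on slide 20.

```python
# Added example, not from the slides: simulation of the Conditional Access App Control
# decision flow (Azure AD CA policy -> proxy -> access policy -> session policy -> download).
# Users, hosts, labels and the policy rules below are made up for Contoso.
from dataclasses import dataclass, field
from typing import Optional

PROXY_SUFFIX = ".mcas.ms"   # suffix the reverse proxy appends: myapp.com -> myapp.com.mcas.ms


def proxied_host(app_host: str) -> str:
    """Host the browser is redirected to once the session is routed through the proxy."""
    host = app_host.lower().rstrip(".")
    if host.endswith(PROXY_SUFFIX):
        return host                      # already proxied; never stack suffixes
    return host + PROXY_SUFFIX


@dataclass
class Request:
    user: str
    app_host: str
    device_compliant: bool                # Intune compliant or Hybrid Azure AD joined
    is_guest: bool = False                # B2B / partner user
    sign_in_risk: str = "low"             # Azure AD sign-in risk: low / medium / high
    download_label: Optional[str] = None  # sensitivity label of a file the user tries to download


@dataclass
class Decision:
    route: str                            # "direct" or the proxied host
    access: str                           # "allowed" or "denied"
    download: Optional[str] = None        # "blocked", "protected", "monitored" or None
    reasons: list = field(default_factory=list)


def ca_policy_matches(req: Request) -> bool:
    """Assumed Azure AD CA policy: unmanaged devices and guests use Conditional Access App Control."""
    return (not req.device_compliant) or req.is_guest


def access_policy_block_reason(req: Request) -> Optional[str]:
    """Assumed Defender for Cloud Apps access policies; a reason means the request is blocked."""
    if req.sign_in_risk == "high":
        return "access policy: block risky sign-ins"
    if req.user.endswith("@contractor.example") and not req.device_compliant:
        return "access policy: contingent staff may not reach Office 365 from a personal PC"
    return None


def session_policy_download_action(req: Request) -> Optional[str]:
    """Assumed session policies. None means no session policy matched (monitor only)."""
    if req.is_guest:
        return "blocked"                  # read-only for B2B users: every download is blocked
    if req.download_label in ("Confidential", "PII"):
        return "blocked"                  # sensitive content never lands on a personal PC
    if req.download_label == "General":
        return "protected"                # AIP label applied on download
    return None


def evaluate(req: Request) -> Decision:
    d = Decision(route="direct", access="allowed")
    if not ca_policy_matches(req):
        d.reasons.append("no CA policy matched: app served directly, nothing inspected")
        return d
    d.route = proxied_host(req.app_host)
    reason = access_policy_block_reason(req)
    if reason:
        d.access = "denied"
        d.reasons.append(reason)
        return d
    if req.download_label is None:
        d.reasons.append("session proxied, no download attempted")
        return d
    action = session_policy_download_action(req)
    if action is None:
        d.download = "monitored"
        d.reasons.append("no session policy matched the download: monitored only")
    else:
        d.download = action
        d.reasons.append(f"session policy: download {action} ({req.download_label!r})")
    return d


if __name__ == "__main__":
    # Constructed sample requests, one per Contoso challenge
    cases = [
        Request("alice@contoso.example", "contoso.sharepoint.com", True, download_label="Confidential"),
        Request("bob@contoso.example", "contoso.sharepoint.com", False, download_label="Confidential"),
        Request("carol@contoso.example", "app.box.com", False, download_label="General"),
        Request("dan@contractor.example", "outlook.office.com", False),
        Request("eve@partner.example", "contoso.sharepoint.com", False, is_guest=True, download_label="Public"),
        Request("frank@contoso.example", "outlook.office.com", False, sign_in_risk="high"),
    ]
    for c in cases:
        print(c.user, evaluate(c))
```

Note the first branch: a request that matches no Azure AD Conditional Access policy never reaches the proxy, so none of the access or session policies apply to it. That is why the Azure AD policy scope (who, which apps, which devices) decides what Defender for Cloud Apps can see at all.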
22. Challenge 1: Users are downloading sensitive information to their personal PC
23. Challenge 2: Users are downloading company confidential files to their personal PC
29. Every challenge maps to Microsoft Defender for Cloud Apps (Conditional Access App Control):
• Users are downloading sensitive information to their personal PC
• Users are downloading company confidential files to their personal PC
• Users are uploading PII information to SPO
• Customer's PII data is being copied and shared with a competitor
• Legal regulations state that contract/contingent employees shouldn't have access to Office 365 from their personal PC
• Contoso would also like to control sharing of sensitive information from 3rd-party apps such as Box
• Block risky sign-ins
30. LICENSING OPTIONS
• Microsoft CAS (CASB for any cloud app): EMS E5
• Office 365 CAS (CASB for Office 365): Office 365 E5
• CAS Discovery (discovery of shadow IT): AAD P1 (EMS E3)
While hopefully none of these stats are particularly surprising, I always like to start the conversation with some insights that we have about the cloud use in organizations
Our data shows that in the average organization, more than 1000 cloud services are regularly used by end users and that more than half of those are unmanaged and go unmonitored by IT.
*28%: https://dt-x.io/dtx/en/node/newsitem-ai-reveals-2018-s-biggest-cyber-threats:-part-one-the-rise-of-non-traditional-it
**https://www.dsm.net/it-solutions-blog/cloud-security-statistics-every-cio-should-know
Our investments here are guided by the four strategies for success with infrastructure based on Azure security to secure your data in the cloud. Let’s talk about Infrastructure Security first as this is woven throughout all of our 4 key areas and foundational to security.
Microsoft has a CASB and here is why it's unique
CASBs are used to address these security issues. Here are some of the top CASB use cases:
• Discovering the application
• Assess if the application meets company compliance
• Govern the applications by controlling access to the applications
Conditional Access App Control uses a reverse proxy architecture and integrates with your IdP. When integrating with Azure AD Conditional Access, you can configure apps to work with Conditional Access App Control with just a few clicks, allowing you to easily and selectively enforce access and session controls on your organization's apps based on any condition in Conditional Access. The conditions define who (user or group of users) and what (which cloud apps) and where (which locations and networks) a Conditional Access policy is applied to. After you've determined the conditions, you can route users to Defender for Cloud Apps where you can protect data with Conditional Access App Control by applying access and session controls.
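The "who, what, where" conditions described above end up as one Azure AD Conditional Access policy whose session control routes the session to Defender for Cloud Apps. As an added example (not Microsoft's code and not part of the deck), the block below builds that policy body for Contoso's "Office 365 from personal PCs" case in the Microsoft Graph conditionalAccessPolicy JSON shape as I know it, lints it for the mistakes that cause lockouts, and can POST it when given a token. The group and break-glass object IDs, the policy name and the `lint` rules are assumptions; verify the field names against the current Graph reference before relying on them.

```python
# Added example, not Microsoft's code: build, sanity-check and optionally create the Azure AD
# Conditional Access policy that sends Office 365 browser sessions from unmanaged devices
# through Conditional Access App Control. Graph JSON schema as the author of this example
# knows it; IDs are placeholders.
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
SESSION_CONTROL_TYPES = ("mcasConfigured", "monitorOnly", "blockDownloads")

# Devices that are neither Intune compliant nor Hybrid Azure AD joined (trustType "ServerAD"):
# in Contoso's setup these are the personal PCs. Assumed filter-for-devices rule.
UNMANAGED_DEVICE_RULE = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'


def app_control_policy(name, include_groups, exclude_users, control="mcasConfigured",
                       report_only=True, require_mfa=False, device_rule=UNMANAGED_DEVICE_RULE):
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    control: "mcasConfigured" defers to the access and session policies defined in
    Defender for Cloud Apps; "monitorOnly" and "blockDownloads" are the built-in modes.
    """
    if control not in SESSION_CONTROL_TYPES:
        raise ValueError(f"unknown cloudAppSecurityType {control!r}")
    policy = {
        "displayName": name,
        # Start in report-only mode and read the sign-in logs before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": list(include_groups), "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["Office365"]},
            # Conditional Access App Control only proxies browser sessions.
            "clientAppTypes": ["browser"],
            "devices": {"deviceFilter": {"mode": "include", "rule": device_rule}},
        },
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": control}
        },
    }
    if require_mfa:
        policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def lint(policy):
    """Problems a change reviewer would send the policy back for (assumed house rules)."""
    problems = []
    cond = policy["conditions"]
    if not cond["users"].get("excludeUsers"):
        problems.append("no break-glass account excluded: a bad policy can lock out admins")
    if cond.get("clientAppTypes") != ["browser"]:
        problems.append("app control only proxies browser sessions; other client types get no proxy")
    cas = policy.get("sessionControls", {}).get("cloudAppSecurity", {})
    if not cas.get("isEnabled"):
        problems.append("cloudAppSecurity session control missing or disabled")
    if policy["state"] == "enabled" and "devices" not in cond:
        problems.append("enforced policy with no device condition proxies every managed PC too")
    return problems


def create_policy(policy, access_token):
    """POST the policy. The token needs Policy.ReadWrite.ConditionalAccess (and Application.Read.All)."""
    req = urllib.request.Request(
        GRAPH_POLICIES, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = app_control_policy(
        "CAAC - Office 365 from unmanaged devices",
        include_groups=["00000000-0000-0000-0000-000000000001"],   # placeholder: all staff group
        exclude_users=["00000000-0000-0000-0000-000000000002"],    # placeholder: break-glass account
        require_mfa=True,
    )
    print(json.dumps(policy, indent=2))
    print("lint:", lint(policy) or "ok")
```

The deliberate choices are the ones the slides hint at but do not spell out: the policy is scoped to browser sessions because that is all the reverse proxy can handle, it targets the devices that fail both the Intune-compliant and Hybrid-joined tests rather than "all devices", it keeps a break-glass account out of scope, and it ships in report-only mode first so the sign-in logs show who would have been proxied before anyone is.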