3. About me
@vrykodee
David De Vos
Solutions Architect / Security Evangelist
Synergics
David.DeVos@synergics.be
4. Microsoft Enterprise Mobility + Security
MICROSOFT INTUNE: make sure your devices are compliant and secure, while protecting data at the application level
AZURE ACTIVE DIRECTORY: ensure only authorized users are granted access to personal data using risk-based conditional access
MICROSOFT CLOUD APP SECURITY: gain deep visibility, strong controls and enhanced threat protection for data stored in cloud apps
AZURE INFORMATION PROTECTION: classify, label, protect and audit data for persistent security throughout the complete data lifecycle
MICROSOFT ADVANCED THREAT ANALYTICS: detect breaches before they cause damage by identifying abnormal behavior, known malicious attacks and security issues
[Diagram: CONDITIONAL ACCESS evaluates signals from Apps, Device, Location and Risk before access is granted to data; Azure Information Protection applies the cycle Classify, Label, Protect, Audit to that data]
5. Azure Information Protection Architecture
Authentication & collaboration: Azure AD Connect and ADFS; authorization requests via federation (optional)
RMS connector: integration with on-premises assets with minimal effort
Data protection for organizations at different stages of cloud adoption
Ensures security because sensitive data is never sent to the RMS server: the client encrypts the document locally with a per-document content key, and only that key, wrapped with the tenant key, is exchanged with the service
Tenant key options: service-supplied key (managed by Microsoft), BYOK (bring your own key, hosted in Azure Key Vault) and HYOK (hold your key on premises, for data that must never leave the organization)
7. Azure Information Protection
Label set: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED
IT admin can set policies, templates, and rules. Classifications, labels and encryption can be applied automatically based on file source, context, and content.
EMS extends Office 365 manual protection of files with automatic protection to ensure policy compliance.
Encryption stays with the file wherever it goes, internally and externally. Files can be tracked by sender and access revoked if needed.
Classification and labeling: classify data based on sensitivity and add labels, manually or automatically.
Protection: encrypt sensitive data and define usage rights; add visual markings when needed.
Monitoring: detailed tracking and reporting to maintain control over shared data.
8. Types of classification
Label set: PERSONAL, HIGHLY CONFIDENTIAL, CONFIDENTIAL, GENERAL, PUBLIC
User-specified classification: users can choose to apply a sensitivity label to the email or file they are working on with a single click.
Automatic classification: policies can be set by IT admins for automatically applying classification and protection to data.
Recommended classification: based on the content you're working on, you can be prompted with a suggested classification.
Manual reclassification: you can override a classification and optionally be required to provide a justification.
10. Granular Information Protection
[Diagram: a FILE and an email attachment moving between personal apps and corporate apps, with the usage rights VIEW, EDIT, COPY and PASTE enforced per recipient]
Protect data needing protection by:
• Encrypting data
• Including an authentication requirement and a definition of use rights (permissions) to the data
• Providing protection that is persistent and travels with the data
11. User based protection
Manual (right-click) protection, also for non-Office files: label and protect any file through the Windows Explorer shell extension of the AIP client. Select either one file, multiple files or a folder and apply a label. File types the client cannot protect natively are wrapped as a generically protected .pfile.
12. AIP PowerShell and Scanner
Bulk classification for data at rest using PowerShell:
• Scan and classify your on-premises file shares using PowerShell
• Query for file labels and protection attributes
• Scan folders in report-only mode
• Set a label and/or protection for documents stored locally or on file shares
13. Azure Information Protection Scanner
Information protection for the hybrid scenario:
• Crawl files stored on file servers and CIFS-based storage
• Crawl the content of SharePoint Server on premises
• Use the automatic-condition rules configured in the AIP policy to determine classification
• Run in "report" or "label and protect" mode
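The report-then-enforce workflow of slides 12 and 13, as an added example using the AzureInformationProtection PowerShell module; this is not code from the deck or from Microsoft. It assumes the AIP client (which ships the module) is installed, the session is already signed in (or a service account was set up with Set-AIPAuthentication), the UNC path is yours, and $LabelId is a placeholder for a real label GUID from your tenant's policy. Set-AIPFileClassification only labels files that match an automatic condition in the policy; files without a match are reported as skipped.

```powershell
# Added example (not from the deck): inventory, report-only pass and bulk
# labeling of a file share with the AIP PowerShell cmdlets.
Import-Module AzureInformationProtection

$Share   = '\\fileserver\finance'                    # assumed UNC path
$LabelId = '00000000-0000-0000-0000-000000000000'    # placeholder: your label GUID

# 1. Inventory: which files already carry a label or RMS protection?
$files  = Get-ChildItem -Path $Share -Recurse -File -Include *.docx,*.xlsx,*.pptx,*.pdf
$status = $files | Get-AIPFileStatus
$status |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected, RMSTemplateName, RMSOwner |
    Export-Csv -Path "$env:TEMP\aip-inventory.csv" -NoTypeInformation

# 2. Report-only: ask the policy engine what it WOULD do, without touching the
#    files. -WhatIf is the cmdlet equivalent of the scanner's "report" mode.
$unlabeled = $status | Where-Object { -not $_.IsLabeled } | Select-Object -ExpandProperty FileName
Set-AIPFileClassification -Path $unlabeled -WhatIf

# 3. Enforce: apply the policy's automatic conditions to the unlabeled files.
#    -PreserveFileDetails keeps the original modified date / modified-by so the
#    bulk run does not look like a mass edit to users and backup tooling.
Set-AIPFileClassification -Path $unlabeled -PreserveFileDetails

# 4. Or force one explicit label (with its protection template) on a folder
#    that is known to be sensitive regardless of content matches.
Get-ChildItem -Path "$Share\payroll" -File |
    Set-AIPFileLabel -LabelId $LabelId -PreserveFileDetails `
        -JustificationMessage 'Bulk labeling of payroll share'

# 5. Verify the result the same way you inventoried it.
Get-ChildItem -Path "$Share\payroll" -File | Get-AIPFileStatus |
    Where-Object { -not $_.IsRMSProtected } |
    ForEach-Object { Write-Warning "Still unprotected: $($_.FileName)" }
```

Run step 2 and inspect the output before step 3: the slide's advice not to start automation too early applies to scripts as much as to the scanner, and a wrong condition will label thousands of files in one pass.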
17. O365 Message Encryption
Anyone, on any device, in any email client: inside your organization, between your business partners, and with any of your customers.
20. Monitoring
Distribution visibility: analyze the flow of personal and sensitive data and detect risky behaviors.
Access logging: track who is accessing documents and from where.
Access revocation: prevent data leakage or misuse by changing or revoking document access remotely.
24. Best Practices For Getting Started
• Deploy the Azure Information Protection client. During summer it becomes part of the Office suites.
• Start by creating only one or two labels. Add more labels when they are necessary; it is easy to create additional labels during the evaluation period. Avoid deleting or changing label policies.
• Use the tool tips and recommendations in Office instead, and make sure every label has a clear description.
• Don't start automation too early; validate thoroughly with key personas first.
• Allow users to override automatic labels. Monitor the frequency of overrides and the justifications given to gather feedback on label automation.
• Track the protected documents for unauthorized attempts to open them.
• Last but not least, educate your users on the impact of labels and the importance
28. Architecture and how it works
Discovery
• Use traffic logs to discover and analyze which cloud apps are in use
• Manually or automatically upload log files for analysis from your firewalls and proxies
(Un)Sanctioning
• Sanction or block apps in your organization using the cloud app catalog
App connectors
• Leverage APIs provided by various cloud app providers
• Connect an app and extend protection by authorizing access to the app. Cloud App Security queries the app for activity logs and scans data, accounts, and cloud content
[Diagram: cloud traffic from your organization at any location passes through firewalls and proxies; their traffic logs feed Cloud discovery, while API-based app connectors link the protected cloud apps to Cloud App Security]
29. Microsoft Cloud App Security
Discovery: discover all cloud usage in your organization
Information protection: monitor and control your data in the cloud
Threat detection: detect usage anomalies and security incidents
In-session control: control and limit user access based on session context
DISCOVER, INVESTIGATE, CONTROL, PROTECT
30. Discovery
Shadow IT discovery: discover cloud apps in use across your networks; investigate users and source IP cloud usage; un-sanction, sanction and protect apps
Cloud app risk assessment: risk scoring for 13,000+ cloud apps; ~60 security and compliance risk factors
Alert on risky cloud usage: anomalous usage alerts; new apps and trending apps alerts
CASB integration with: your network appliances
31. Information protection for cloud apps
Gain cloud data visibility: visibility into sharing level and classification labels; quantify exposure and risk; detect and manage 3rd-party app access
Enforce DLP policies & control sharing: govern data in the cloud with granular DLP policies, automated or based on classification labels; leverage Microsoft and 3rd-party DLP engines for classification
Get alerts and investigate: identify policy violations; investigate incidents and related activities; quarantine and permissions removal
CASB integration with: Azure Information Protection, Office 365 Information Protection, 3rd-party DLP (private preview)
32. Threat detection
Threat intelligence: leverage the Microsoft Intelligent Security Graph; unique insights, informed by trillions of signals across Microsoft
Behavioral analytics: identify anomalies in your cloud environment which may be indicative of a breach; leverage behavioral analytics (each user's interaction with SaaS apps) to assess risk in each transaction
Advanced investigation: advanced incident investigation tools; pivot on users, files, activities and locations; customize detections based on your findings
Integrates with: Microsoft Intelligent Security Graph, 3rd-party SIEM
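The "integrates with 3rd-party SIEM" point above is usually delivered with the SIEM agent, but the same alerts can be pulled directly over the Cloud App Security REST API. The following is an added example, not code from the deck or from Microsoft, and it carries assumptions you should verify against the API reference in your own portal: the portal host name, the token-based authorization header, the POST alerts endpoint with a filters/skip/limit body, and the alert fields (_id, timestamp, title, severity, resolutionStatus) that the script reads. The API token is read from an environment variable rather than embedded in the script.

```powershell
# Added example (not from the deck): page through open, high-severity
# Cloud App Security alerts from the last 24 hours and write them out as JSON
# for a SIEM forwarder to pick up. Endpoint, filter names and field names are
# assumptions taken from the v1 API and must be checked for your tenant.
$Portal = 'contoso.eu.portal.cloudappsecurity.com'   # placeholder: your portal host
$Token  = $env:MCAS_API_TOKEN                         # API token from the portal; never hard-code it
if (-not $Token) { throw 'Set MCAS_API_TOKEN before running.' }

$Uri     = "https://$Portal/api/v1/alerts/"
$Headers = @{ Authorization = "Token $Token" }
$since   = [DateTimeOffset]::UtcNow.AddDays(-1).ToUnixTimeMilliseconds()

$skip    = 0
$limit   = 100
$alerts  = @()

do {
    $body = @{
        filters = @{
            date             = @{ gte = $since }   # milliseconds since epoch
            severity         = @{ eq = 2 }         # assumed: 0 low, 1 medium, 2 high
            resolutionStatus = @{ eq = 0 }         # assumed: 0 open
        }
        skip  = $skip
        limit = $limit
    } | ConvertTo-Json -Depth 5

    $page = Invoke-RestMethod -Method Post -Uri $Uri -Headers $Headers `
                              -ContentType 'application/json' -Body $body

    $alerts += $page.data | ForEach-Object {
        [pscustomobject]@{
            AlertId    = $_._id
            TimeUtc    = [DateTimeOffset]::FromUnixTimeMilliseconds($_.timestamp).UtcDateTime
            Title      = $_.title
            Severity   = $_.severity
            PortalLink = "https://$Portal/#/alerts/$($_._id)"   # assumed deep-link format
        }
    }
    $skip += $limit
} while ($page.hasNext)   # assumed paging flag in the response

$out = "$env:TEMP\mcas-open-high-alerts.json"
$alerts | ConvertTo-Json -Depth 3 | Out-File -FilePath $out -Encoding utf8
Write-Host "Wrote $($alerts.Count) alert(s) to $out"
```

Schedule the script more often than the 24-hour window it queries, so a failed run does not leave a gap, and de-duplicate on AlertId in the SIEM since overlapping windows will return the same alert twice.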
33. Conditional Access: Proxy
Context-aware session policies: control access to cloud apps based on user, location, device and app; identify managed devices via VPN (location based), domain-joined devices, Intune-compliant devices or client certificates; supports any SAML-based app, any OS
Investigate & enforce app and data restrictions: enforce browser-based "view only" mode for low-trust sessions; limit access to sensitive data; classify, label and protect on download; visibility into unmanaged device activity
Unique integration with Azure AD: integral component of Azure AD Conditional Access; simple deployment directly from your Azure AD portal; leverages existing device management mechanisms, no additional deployment required
Integrates with: Azure Active Directory
Note that session controls apply to browser sessions routed through the proxy; native client apps are not proxied and have to be handled by access policies or by Azure AD Conditional Access itself.
34. Cloud App Security in-session control
Context-aware session policies: control access to cloud apps based on user, location, device and app; supports any SSO, any SAML-based app, any OS
Limit sessions of unmanaged devices: enforce browser-based "view only" mode for risky sessions; limit access to sensitive data
Integrates with: Azure Active Directory
Also works with: 3rd-party IDaaS solutions
35. Monitor and control access to cloud apps
[Diagram: user traffic to cloud apps passes through the CLOUD APP SECURITY proxy, where policy decides the outcome: allow access, require MFA, limit access, force password reset, or deny access]
37. Cloud App Security Proxy: Conditional Access, protect on upload
USER: role Marketing Mgr; group Marketing Users; client Mobile; config Corp Proxy; location London, UK; last sign-in 5 hrs ago
DEVICE: platform Windows; health fully patched; config Managed; last seen London, UK
[Diagram: SESSION RISK and APP are evaluated together with USER and DEVICE; the uploaded file passes through the classification engine, which labels and protects it before it lands in the app]
38. Cloud App Security Proxy: Conditional Access, block on download
USER: role Marketing Mgr; group Marketing; client Mobile; config Open; location UNKNOWN; last sign-in 8 hrs ago
DEVICE: platform Windows; health fully patched; config Managed; last seen London, UK
SESSION RISK: unfamiliar IP address. Outcome: block on download.
40. O365 Cloud App Security vs. Microsoft Cloud App Security
Capability                                       | Microsoft Cloud App Security                     | Office 365 Cloud App Security
Cloud Discovery
  Discovered apps                                | 15,000+ cloud apps                               | 750+ cloud apps with similar functionality to Office 365
  Deployment for discovery analysis              | Manual and automatic log upload                  | Manual log upload
  Log anonymization for user privacy             | Yes                                              | Yes
  Access to full Cloud App Catalog               | Yes                                              | No
  Cloud app risk assessment                      | Yes                                              | No
  Cloud usage analytics per app, user, IP address| Yes                                              | No
  Ongoing analytics & reporting                  | Yes                                              | No
  Anomaly detection for discovered apps          | Yes                                              | No
Information Protection
  Data Loss Prevention (DLP) support             | Cross-SaaS DLP and data sharing control          | Uses existing Office DLP (available in Office E3 and above)
  App permissions and ability to revoke access   | Yes                                              | Yes
  Policy setting and enforcement                 | Yes                                              | No
  Integration with Azure Information Protection  | Yes                                              | No
  Integration with third-party DLP solutions     | Yes                                              | No
Threat Detection
  Anomaly detection and behavioral analytics     | For cross-SaaS apps including Office 365         | For Office 365 apps
  Manual and automatic alert remediation         | Yes                                              | Yes
  SIEM connector                                 | Yes, alerts and activity logs for cross-SaaS apps| Yes, Office 365 alerts only
  Integration with Microsoft Intelligent Security Graph | Yes                                       | Yes
  Activity policies                              | Yes                                              | Yes
Source: https://docs.microsoft.com/en-us/cloud-app-security/