KuppingerCole Report
Executive View
By Mike Small

Microsoft Cloud App Security

Many organizations are using cloud services, but the use of these services is often poorly governed. Cloud Access Security Brokers (CASBs) provide functionality to discover the use of the cloud, to control which cloud services can be accessed and to protect the data held in these services. This report provides an up-to-date review of Microsoft Cloud App Security which strongly matches KuppingerCole's recommended functionality for CASBs.

1 Introduction

Most organizations now depend upon cloud services to deliver business-critical applications and this has increased in response to the coronavirus pand ...


2 Product Description

Microsoft Cloud App Security is based on the Adallom Cloud Access Security Broker which was acquired in 2015. This is fully integrated with other Micr ...

Information protection capabilities provide granular control over data and use through built-in or custom policies for data sharing and data loss prev ...


2.1 Key Capabilities

At KuppingerCole, we look for certain key capabilities in CASB solutions. The solution should support a zero-trust governance-based approach to cloud access security. Figure 2 illustrates how these capabilities fit together. The following paragraphs describe how Microsoft Cloud App Security provides these capabilities.

Cloud Use Discovery -- provides visibility into which cloud services are being used by which people and the data that is being held in these services. This should include the use of unsanctioned services -- i.e., ones that have not been formally sanctioned by the organization for corporate use. People should be identified in a way that is unambiguous -- for example by their corporate ID.

Microsoft Cloud App Security uses the customer's traffic logs to dynamically discover and analyse the cloud apps that the organization is using. This can be in the form of a snapshot based on a manual upload of log files from firewalls or proxies for analysis. Continuous monitoring and reporting are possible using Cloud App Security log collectors to periodically forward these logs for analysis.

Risk based -- the solution should support a risk-based approach to cloud service use. The risks associated with the use of a cloud service depend upon how it is being used as well as its reputation. While the organization and its employees should know the sensitivity of the data they are using, they may not be aware of the reputation of the many publicly available services. The solution should provide information on the associated risks, together with the capability for the organization to use this information to control organizational access.

The customer can use Microsoft Cloud App Security to sanction or unsanction apps in their organization by using the Cloud app catalogue. This covers over 16,000 cloud apps that have been ranked and scored based on industry standards by Microsoft's team of analysts. Scoring is based on over 80 risk factors that might affect the customer's environment. This catalogue can then be used by the customer to rate the risk for their cloud apps and to customize the scores and weights of various parameters to fit the organization's needs. Based on these scores, Cloud App Security provides a risk assessment of the apps.
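The discovery and risk-based passages above can be illustrated with a small sketch. This is an added example, not Microsoft's implementation or code from the report: it aggregates proxy log records per app and corporate ID, then scores each app with organization-tunable weights. The catalogue entries, factor names, log format and hosts are all constructed.

```python
from collections import defaultdict

# Constructed catalogue: domain -> app name and factor ratings (0 = worst, 10 = best).
CATALOGUE = {
    "filedrop.example": ("FileDrop", {"encryption_at_rest": 2, "mfa": 0, "audit_trail": 4}),
    "teamdocs.example": ("TeamDocs", {"encryption_at_rest": 10, "mfa": 10, "audit_trail": 8}),
}
SANCTIONED = {"TeamDocs"}  # assumption: apps the organization has approved
DEFAULT_WEIGHTS = {"encryption_at_rest": 1, "mfa": 1, "audit_trail": 1}
# Constructed proxy log: timestamp, corporate ID, destination host, bytes uploaded.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z alice@corp.example api.filedrop.example 52428800
2021-03-01T09:02:10Z bob@corp.example teamdocs.example 1024
2021-03-01T09:05:44Z alice@corp.example www.teamdocs.example 2048
2021-03-01T09:07:30Z carol@corp.example notteamdocs.example 4096
truncated line
"""

def match_app(host):
    """Match on a DNS label boundary so notteamdocs.example is not TeamDocs."""
    for domain, entry in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None

def risk_score(factors, weights):
    """Weighted mean of factor ratings; the organization tunes the weights."""
    total = sum(weights[f] for f in factors)
    return round(sum(factors[f] * weights[f] for f in factors) / total, 1)

def discover(log_text, weights=DEFAULT_WEIGHTS):
    usage = defaultdict(lambda: {"users": set(), "bytes_up": 0, "score": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of failing the whole run
        _, user, host, sent = parts
        entry = match_app(host.lower())
        # Uncatalogued hosts keep score 0.0 (assumption: unknown means unassessed).
        name = entry[0] if entry else "unknown:" + host.lower()
        usage[name]["users"].add(user)
        usage[name]["bytes_up"] += int(sent)
        if entry:
            usage[name]["score"] = risk_score(entry[1], weights)
    report = [{"app": n, "users": sorted(u["users"]), "bytes_up": u["bytes_up"],
               "score": u["score"], "sanctioned": n in SANCTIONED}
              for n, u in usage.items()]
    return sorted(report, key=lambda r: (r["score"], r["app"]))
```

Calling `discover(SAMPLE_LOG)` returns the apps ordered from lowest to highest score, so the uncatalogued look-alike host and the unsanctioned upload destination surface first.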

Policy based controls -- that allow the organization to control which people can access both sanctioned and unsanctioned cloud services as well as which data can be uploaded. Access to unsanctioned services should be based on the risks associated with the service and the organizational risk appetite. A policy-based approach is essential to ensure consistency and to minimize the management burden.

With Microsoft Cloud App Security, the customer can use policies to control users' behaviour in the cloud. These policies can detect risky behaviour, violations, or suspicious data points and activities in the cloud environment. Policies can also integrate remediation processes to mitigate risks. Policies can be used to determine the types of information collected as well as the remediation actions to be taken.

Control Point - the solution should provide mechanisms to enforce controls. This may be through an on premises or cloud-based network proxy / gateway, the exploitation of cloud service native controls or through end point agents. Network proxy-based controls provide near real time response while API based controls often provide increased granularity but after some delay. The use of agents can provide device level controls but increase the management overheads.

Microsoft Cloud App Security Conditional Access App Control uses reverse proxy architecture to provide the tools needed for real-time visibility and control over access to and activities performed within the customer's cloud environment. Conditional Access App Control makes it possible to block downloads, protect data stored and downloaded using encryption, detect activity from unmanaged devices and control access from non-corporate networks.

Microsoft Cloud App Security connectors use the APIs from cloud app providers to integrate the Cloud App Security cloud with other cloud apps. App connectors extend control and protection. They also provide access to information directly from cloud apps, for Cloud App Security analysis.

Cloud Data Protection - the solution should enable the organization to implement security controls over organizational data hosted in the cloud services. This includes protection of data against unauthorized access as well as from cyber risks such as ransomware. It should provide mechanisms to detect types of sensitive data and protect identified data using methods such as encryption, tokenization or pseudonymization for example.

Microsoft Cloud App Security enables the native use of the Microsoft Data Classification Service to classify and protect the files in the customer's cloud apps. This provides a unified information protection experience across Office 365, Azure Information Protection, and Microsoft Cloud App Security. The classification service also covers other third-party cloud apps protected by Microsoft Cloud App Security.

Microsoft Cloud App Security can also integrate with existing DLP solutions to extend these controls to the cloud while preserving a consistent and unified policy across on-premises and cloud activities. The platform provides interfaces including REST API and ICAP, that enable integration with content classification systems such as Symantec Data Loss Prevention (formerly Vontu Data Loss Prevention) or Forcepoint DLP.

Wide coverage - the solution should be capable of enforcing granular controls over access to a wide range of common cloud services.

Cloud App Security provides end-to-end protection for connected apps using Cloud-to-Cloud integration, API connectors, and real-time access and session controls leveraging Microsoft Conditional Access App Control. The breadth of support for each app relies on the richness of its APIs. Connected apps include: AWS, Azure, Box, Dropbox, GitHub Enterprise Cloud, GCP, Google Workspace, Office 365, Okta, Salesforce, ServiceNow, Webex and Workday.

Compliance - The solution should provide the capability to enforce and demonstrate that the use of cloud services complies with laws and regulations. It should provide out-of-the box support for demonstrating compliance with a variety of common laws, regulations, and standards including ISO/IEC 27001, PCI-DSS, Privacy Laws etc.

Microsoft Cloud App Security meets many international and industry-specific compliance standards. Microsoft offers EU Standard Contractual Clauses as guarantees for transfers of personal data. Its services are certified to ISO/IEC 27001, ISO/IEC 27018 and PCI DSS, and have SOC 2 attestations.

Microsoft Cloud App Security enables the customer to assess the compliance of their cloud apps. This makes it possible to assess if their cloud apps meet relevant compliance requirements including regulatory compliance and industry standards.

Visibility and Reporting - The solution should provide out-of-the box support for demonstrating compliance with a variety of common laws, regulations, and standards.

Microsoft Cloud App Security enables the customer to detect and report on the aspects of discovered apps. These aspects include apps that meet or fail to meet specified security and compliance criteria. This allows the customer to identify apps that are risky and ensure that permitted apps meet the organizational compliance obligations.

Security Posture Management - The solution should provide the capability to identify and remediate vulnerabilities in the configuration of cloud services. The primary focus of CASBs has previously been on SaaS clouds; however, the use and management of IaaS is now becoming more important. Areas that should be covered include administrator privileges, excessive access rights to assets and other risky service configurations.

Microsoft Cloud App Security provides the capabilities to secure the customer's use of Azure, AWS, and GCP cloud platforms as well as SaaS. It enables the customer to discover multi-cloud resources, usage, and Shadow IT; to monitor activities and alerts to detect suspicious behaviour; and to assess and remediate cloud platform misconfigurations as well as compliance status. It can automate protection and policy enforcement for cloud resources in real time.

3 Strengths and Challenges

Microsoft Cloud App Security is a comprehensive solution that is backed by the expertise of the Microsoft development as well as the wealth of threat ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
