In this post, we'll look at what Microsoft Cloud App Security (MCAS) is, how it works, what you can do with it, its various licensing levels, and how it works with other Microsoft security products.

Is your business relying on big, badass firewalls to protect your users from risks on the internet? Are you feeling confident that they're properly protected in this cloudy world we live in? And most importantly, now that many of your colleagues are working from home and therefore not protected by the firewall, do you feel confident in the level of protection they do have?

If you haven't got one already, a Cloud Access Security Broker (CASB) might just be what the doctor ordered: a cloud-based firewall for today's world of cloud storage and SaaS services. Microsoft provides a good one in the form of Microsoft Cloud App Security.

It's all about connecting

There are several ways in which MCAS can be connected to provide the security and controls you need. If you have on-premises firewalls or proxies, they can upload their logs to MCAS; most brands are supported. If you're using modern, cloud-based proxies such as Zscaler, iboss, or Corrata, they can be hooked up; there's also a custom log parser along with connectors for Docker (Linux/Windows) and Docker in Azure.

There's direct API integration with AWS, Azure, Box, Dropbox, GCP, G Suite, Microsoft 365, Okta, Salesforce, ServiceNow, Webex, and Workday. There are subtle differences in what each API offers, but generally, you can detect and respond to malware, unusual file deletion/sharing, and unusual administrative activities in these systems using MCAS policies.

Finally, there's strong (and easy to configure) integration with Microsoft Defender ATP (MDATP), a full-fledged Endpoint Detection and Response (EDR) tool. This is not your daddy's "basic" Windows Defender. MDATP is available for Windows (including Windows Server), macOS, Linux, and Android (preview). It uses machine learning (ML) models both locally and in the cloud to detect and automatically remediate threats in real time. When you integrate MDATP with MCAS, it essentially acts as the agent for MCAS.

You get full policy control no matter how or where the device is connecting to the internet, including from home. Want to ensure that if a user uploads a document with sensitive data to Dropbox while working from home, the document is automatically labeled by Microsoft Information Protection and encrypted? This is the kind of control you get when MCAS and MDATP work together. The data flows both ways—you'll be able to discover what cloud services your users are using (see below) and apply policies to their activities.

Furthermore, MCAS can integrate with Azure Advanced Threat Protection (AATP), a cloud service that monitors your on-premises Active Directory (AD) domain controllers for telltale signs of intruders moving laterally in your network. As a matter of fact, if you have AATP, its own portal is being deprecated in favor of using MCAS as the interface to investigate intrusions on your network.

If you're using AAD Identity Protection, MCAS can use its user and sign-in risk scores (low, medium, and high) as signals when applying policies. For example, a low-risk user signing in from a familiar location on a known device can access service X, but the same user signing in from an unusual location on a new device only gets read-only access to service X.

MCAS also plays nicely with M365 Data Loss Prevention (DLP), or you can integrate a third-party DLP service.

In addition, MCAS builds on the Conditional Access (CA) policies you have configured in AAD that control access based on who the user is that's trying to access a resource, what groups they're a member of, the device they're using (managed/unmanaged), and what application or data they're accessing. Based on these conditions, access can be granted, denied, or granted after an MFA prompt. These apps have full support in MCAS policies, but any web app can be protected using CA in MCAS. Both CA and MCAS can help move your business toward a zero-trust approach to security.

To round it off, MCAS uses the logs from Azure Security Center, a tool in Azure that lets you apply policies and controls for PaaS and IaaS services.

Discovery

One of the first things you'll use MCAS for is discovering which SaaS services are actually being used in your business. It uses ML to analyze all the traffic logs you provide and surfaces the data in dashboards that let you dig in and investigate exactly how much Shadow IT is going on. MCAS has a catalog of over 16,000 cloud services with a rating (1 to 10, with 10 offering very good security and transparency) for each of them, based on their technical security features, hosting location, compliance with various regulations, etc.

You can alter the weighting of each category ("we don't work with Europe, so GDPR compliance is irrelevant to us"). Once discovered, you can sanction apps and build policies around their usage, or unsanction them, effectively banning them.

Cloud app catalog

The discovery feature alone could be worth a lot to a business. It would take many, many days for a poor IT admin to do this investigation manually based on a week's worth of firewall logs.

Cloud Discovery Dashboard
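To make the discovery and weighting steps concrete, here is a small Python sketch of the same idea: aggregate uploads per app from proxy logs, score each app with adjustable category weights, and flag low-scoring or uncatalogued apps. It is an added example, not code from the original post or from Microsoft; the log format, the catalog ratings, the `.example` domains and the weighted-mean formula are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed proxy log: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2021-03-01T09:12:44Z alice app.storage-a.example 52428800
2021-03-01T09:15:02Z bob cdn.share-c.example 734003200
2021-03-01T10:01:17Z alice mail.suite-b.example 20480
2021-03-02T14:40:09Z carol cdn.share-c.example 104857600
truncated-line-from-a-rotated-log
2021-03-02T15:05:51Z bob unknown-tool.example 1048576
"""

# Hypothetical catalog: per-category ratings, 1 (worst) to 10 (best).
CATALOG = {
    "storage-a.example": {"security": 8, "compliance": 2, "legal": 8},
    "suite-b.example": {"security": 10, "compliance": 10, "legal": 9},
    "share-c.example": {"security": 3, "compliance": 1, "legal": 4},
}

def app_for_host(host):
    """Map a hostname to a catalog domain on a label boundary, or None."""
    return next((d for d in CATALOG if host == d or host.endswith("." + d)), None)

def weighted_score(ratings, weights):
    """Weighted mean of category ratings; a weight of 0 drops a category."""
    total = sum(weights.get(c, 0) for c in ratings)
    if total <= 0:
        raise ValueError("at least one category needs a positive weight")
    return sum(r * weights.get(c, 0) for c, r in ratings.items()) / total

def discover(log_text, weights, min_score=7.0):
    """Aggregate uploads per app; flag apps below min_score or not in the catalog."""
    usage = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of aborting the whole run
        _, user, host, sent = parts
        app = app_for_host(host.lower()) or host.lower()
        usage[app]["users"].add(user)
        usage[app]["bytes_up"] += int(sent)
    report = {}
    for app, u in usage.items():
        ratings = CATALOG.get(app)
        score = round(weighted_score(ratings, weights), 2) if ratings else None
        report[app] = {"users": sorted(u["users"]), "bytes_up": u["bytes_up"],
                       "score": score, "flagged": score is None or score < min_score}
    return report
```

Calling `discover(SAMPLE_LOG, {"security": 1, "compliance": 0, "legal": 1})` shows the effect of zeroing a category: `storage-a.example` is no longer flagged, while `share-c.example` still is.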

Control

Once you've deployed MCAS (since it's a cloud service, it's more about connecting different services and configuring the environment than actually deploying it) and discovered what services are under your purview, you can start investigating activity and set up alerts. Once you have more of an idea of what's going on, you should start implementing policies to control access, activities, anomalies, file uploads/downloads, and sessions.

Creating a policy

You can also build policies to manage the risk of OAuth apps. This is a recent security issue in which an attacker creates a malicious app hosted in Azure/Microsoft 365 (or in Salesforce/G Suite) and tricks users into installing it and granting the requested permissions. The attacker can then use the access tokens and refresh tokens provided by the app to impersonate the user and penetrate further into your organization.

OAuth permission screen courtesy of Microsoft
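The review an OAuth app policy automates can be sketched as follows: merge the delegated permission grants per app, then rate each app by the sensitivity of its scopes, whether its publisher is verified, and whether it holds refresh tokens (`offline_access`) or tenant-wide consent. This is an added example, not code from the original post or from MCAS; the input is a constructed export shaped like Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` objects, and the severity rules and the short sensitive-scope list are assumptions.

```python
from collections import defaultdict

# Delegated Microsoft Graph scopes that expose mail or files (a partial list).
SENSITIVE = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}
RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed export shaped like Graph servicePrincipal / oauth2PermissionGrant objects.
EXPORT = {
    "servicePrincipals": [
        {"id": "sp-1", "displayName": "Contoso Expenses", "verifiedPublisher": {"displayName": "Contoso Ltd"}},
        {"id": "sp-2", "displayName": "Free PDF Upgrade", "verifiedPublisher": {"displayName": None}},
        {"id": "sp-3", "displayName": "Fabrikam Sync", "verifiedPublisher": {"displayName": "Fabrikam Inc"}},
    ],
    "oauth2PermissionGrants": [
        {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
         "scope": "User.Read Mail.Read"},
        {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-b",
         "scope": "offline_access Mail.ReadWrite Mail.Send"},
        {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-c",
         "scope": "offline_access Mail.ReadWrite Files.ReadWrite.All"},
        {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
         "scope": "openid profile Files.ReadWrite.All"},
    ],
}

def review_grants(export):
    """Merge delegated grants per client app and rate the consent risk."""
    apps = {sp["id"]: sp for sp in export["servicePrincipals"]}
    merged = defaultdict(lambda: {"scopes": set(), "users": set(), "tenant_wide": False})
    for g in export["oauth2PermissionGrants"]:
        m = merged[g["clientId"]]
        m["scopes"].update((g.get("scope") or "").split())
        if g.get("consentType") == "AllPrincipals":
            m["tenant_wide"] = True  # an admin consented on behalf of every user
        elif g.get("principalId"):
            m["users"].add(g["principalId"])
    findings = []
    for client_id, m in merged.items():
        risky = sorted(m["scopes"] & SENSITIVE)
        if not risky:
            continue  # only basic sign-in scopes were granted
        sp = apps.get(client_id, {})
        verified = bool((sp.get("verifiedPublisher") or {}).get("displayName"))
        persistent = "offline_access" in m["scopes"]  # refresh tokens issued
        severity = "high" if not verified else "medium" if (m["tenant_wide"] or persistent) else "low"
        findings.append({"app": sp.get("displayName", client_id), "severity": severity,
                         "risky_scopes": risky, "users": sorted(m["users"]), "refresh_tokens": persistent})
    return sorted(findings, key=lambda f: RANK[f["severity"]])
```

An app with sensitive scopes and no verified publisher sorts to the top, and a grant whose client is missing from the service principal list is treated the same way.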

Flavors

MCAS comes in three different versions: Office 365 Cloud App Security, Azure Active Directory Cloud App Discovery, and the full Cloud App Discovery.

The Office 365 version is part of Office 365 E5 licensing. It offers manual log uploading, along with threat detection, conditional access integration, and information protection for Microsoft 365 workloads only.

The Azure AD version gives you both manual and automatic log uploads but doesn't give you information protection or threat detection. The full Cloud App Discovery provides all the features and comes with Microsoft 365 E5. This document provides a good overview of the different versions of MCAS.

Conclusion

MCAS is developed at cloud speed with frequent updates. According to Gartner, deploying a CASB is one of the top 10 security projects, and MCAS has a large market share.

If you're still relying only on traditional antivirus agents and a firewall to protect your workforce, it's time to look at a more modern approach. MCAS has some very strong features—a free trial can be deployed here.




© 4sysops 2006 - 2021

