News

Microsoft Cloud App Security Getting Conditional Access Protections

• By Kurt Mackie
• 09/29/2017

Microsoft Cloud App Security will get a new capability that adds conditional access protections to software-as-a-service (SaaS) applications, with a preview expected to arrive sometime next month.

Cloud App Security is Microsoft's implementation of Adallom technology acquired about two years ago. Microsoft first began offering the Cloud App Security service last year, when it was described as a way to discover the use of SaaS apps in organizations. The service provides an assessment of the security risks of using various SaaS apps via a ranking system. It's billed as a means of thwarting so-called "shadow IT" scenarios, where end users evade policies and security protections set up by IT departments.

Conditional Access for SaaS Apps
In October, Microsoft plans to issue a public preview of a new Cloud App Security feature. This feature will permit organizations to set conditional access policies for SaaS apps.

"As showcased at Ignite keynote sessions, we're extending these conditional access capabilities to monitor user sessions and control content access and downloads directly inside SaaS apps through a unique integration between Microsoft Cloud App Security and Azure AD conditional access," Microsoft explained this week regarding the feature coming in preview next month for the Cloud App Security service.

Under the "conditional access" concept, policies set by IT pros determine when access to networks or resources is granted or blocked. For instance, there can be conditional access policies set for devices such that they are required to have the latest updates installed in order for network access to be granted. The new preview coming in October, though, will offer a way to set conditional access policies specifically for cloud-based SaaS applications. It carries out these conditional access policies using a new "proxy" in the Cloud App Security service.

According to Microsoft's example, with the coming conditional access preview, "you can allow access to browser-based cloud apps from unmanaged devices or an unfamiliar location while blocking the download of sensitive documents from within the application."

Azure Information Protection Feature
The Cloud App Security service also can block access to documents and e-mails through integration with Azure Information Protection. It's able to take action based on the security classification "labels" that get applied to documents and e-mails using the Azure Information Protection service. A new capability, described in Microsoft's announcement, is that this sort of action can happen automatically for SaaS apps.

"Cloud App Security will scan and classify sensitive files in the cloud apps and automatically apply AIP labels for protection," Microsoft's announcement explained.

This new protection will permit Excel, PowerPoint or Word files to "open in Office apps on all platforms without requiring a plug-in or any additional settings," the announcement added. This capability will be available sometime in Oct. 2017, according to the announcement.

Improved Discovery
The discovery capabilities of the Cloud App Discovery service also have been enhanced. The service can now find "more than 15,000 cloud apps," Microsoft's announcement claimed. It will issue an alert when a new app is being used.

The discovery feature of the service also shows more in-depth information, such as "inbound and outbound traffic," plus the "top users for discovered apps." The improved discovery process works without agents and is currently available to "all Azure AD Premium P1 and EMS E3 customers."

The three enhancements coming to the Cloud App Security service are summarized in this slide from a Microsoft Ignite session:

The Ignite session, "Microsoft Cloud App Security Deep Dive," is currently available on demand here.