News

Microsoft Goes Live with Cloud App Security Service

• By Kurt Mackie
• 04/07/2016

Microsoft is now selling its Cloud App Security service.

This service, generally available as of Wednesday, is specifically focused on tracking the use of software-as-as-service (SaaS) applications in organizations. The idea is that organizations don't know what services are being accessed by end users.

Use of those services could add to an organization's security risks, so Microsoft's Cloud App Security service provides a SaaS-app discovery service, as well as a ranking system, to address the potential security hazards.

The service uses an organization's traffic logs to find out what SaaS apps are being used. It taps proxies and firewalls for the discovery process. It pulls information using the APIs of the SaaS apps. Microsoft then ranks the risks of using these SaaS apps via a scoring system based on "regulatory certifications, industry standards and best practices," per Microsoft's TechNet description of the Cloud App Security service.

Microsoft claims there's data privacy during the inspection process. "Data is downloaded for purposes of inspection, but data privacy is enforced," the TechNet articles states.

Organizations can act on the information obtained by the service, but the actions tend to vary per SaaS app. For instance, the ability to quarantine files is possible with Office 365 and Box, but not with the Service Now, Salesforce.com and AWS services, per a table in this TechNet article.

The service is based on Microsoft's purchase of Adallom, a company that made security solutions for tracking services and data sharing using cloud infrastructure. Microsoft bought Adallom for about $250 million in September.

"Cloud App Security is the Adallom technology," a Microsoft spokesperson clarified via e-mail. "It was renamed Cloud App Security after the acquisition."

Microsoft and its partners currently sell the Cloud App Security service on a subscription basis. It's priced at $5 per user per month and available in U.S. and Canadian markets. An organization needs to meet Azure Rights Management Service (RMS) requirements to use it. Only Azure Active Directory or Office 365 global administrators can set it up, per the spokesperson:

Organizations need a Microsoft Azure subscription that supports Microsoft Cloud App Security. For more information see Cloud subscriptions that support Azure RMS. Then, to set up Cloud App Security, you must be a Global Administrator in Azure Active Directory or Office 365. You can find more info here.

The Cloud App Security service isn't the same thing as Microsoft's Azure Active Directory Cloud App Discovery service, although both services use the Azure cloud infrastructure.

"They're different," the spokesperson indicated. "Cloud App Security provides visibility into employee login events and data usage, as well as governance policies and proactive protection. Cloud App Security does this for popular SaaS applications as well as for custom applications and IaaS environments."

In contrast, the Azure Active Directory Cloud App Discovery service is "a feature of Azure Active Directory (AD) Premium," according to the spokesperson. It requires the use of agents that run in an organization's computing environment.