Posey's Tips & Tricks
Battling Shadow IT with Office 365
Microsoft's Productivity App Discovery tool will let you monitor firewall logs for suspicious cloud app activity.
One of the major challenges that IT pros face is that of shadow IT. For those who might not be familiar with the term, it refers to a user circumventing the IT department in order to do something that the IT department would not ordinarily allow.
There are many different forms of shadow IT. The case could be made, for instance, that the installation of unauthorized software onto a user's desktop is a form of shadow IT. More often, however, shadow IT exists when a user or department begins using a public cloud service without the IT department's permission. This might be a SaaS application, or it could be an infrastructure cloud such as Azure. In either case, the user circumvents security policies and controls and places the organization's data at risk by using the data in the cloud.
One reason why shadow IT has become such a huge problem is because historically, it has been almost impossible for the IT department to detect. Cloud services by their very nature are disjoint from other services that the organization may be using, thereby making it tough for IT to detect unauthorized usage. Recently, however, Microsoft has added a tool to Office 365 with the potential to help in the war against shadow IT.
The tool is called Productivity App Discovery, and it can be found in the Office 365 Security and Compliance Center. Before I explain how to use this new tool, you are probably wondering how it is possible for Office 365 to detect unauthorized cloud app usage. After all, it isn't like Office 365 has any sort of relationship to random cloud apps.
The Productivity App Discovery tool works by analyzing your firewall logs. By providing the tool with a firewall log file, the tool is able to determine which cloud apps are in use in the organization -- well, sort of. In order for the Productivity App Discovery Tool to be able to detect cloud app usage, it needs access to specific information that points to app usage. The information that the tool analyzes includes:
- The date of the transaction
- The source IP address
- The source user
- The destination IP address
- The destination URL
- The total amount of data
- The amount of data uploaded or downloaded
- The action taken by the firewall (allowed or blocked)
Suppose that the Productivity App Discovery Tool analyzed the log files and found that a particular user had just uploaded a gigabyte of data to a particular cloud app. That would be a pretty good indication that the user is using the app. The Productivity App Discovery Tool cannot tell you whether the app is authorized for use -- it can only tell you which cloud apps are being used, and by whom.
Obviously such capabilities could be tremendously helpful to administrators who want to crack down on shadow IT. The problem is that Microsoft only supports the use of logs from a limited number of firewalls, although most of the more popular firewalls are supported.
The bigger problem is that not every firewall logs every piece of information that the Productivity App Discovery Tool looks for. For example, Cisco ASA firewalls do not log user names. As such, reports stemming from the analysis of a Cisco ASA firewall log might tell you which cloud apps are being used, but it will be up to you to figure out who is using those apps.
The Productivity App Discovery Tool is simple to use. As previously mentioned, it is accessible through the Office 365 Security and Compliance Center. You can access the Security and Compliance Center by clicking on the Security and Compliance tile, as shown in Figure 1. It is worth noting that although there is a Security and Compliance link within the Admin Center, clicking this link does not display the correct options.
Once the Security and Compliance Center loads, click on the Search and Investigation option, and then click on Cloud App Discovery. If you do not see this particular option, then you may not have access to it yet. It takes Microsoft some time to make new features available to all of its customers, so if you don't have access to the feature yet, keep checking back.
The next step in the process is to choose the Create New Report option from the Discover menu. Upon doing so, you will need to type a name and a description for the report that you want to create. You will also have to specify your data source, and then provide the log file that you want to analyze. When you are done, just click Create to generate the report.
As you can see, the Cloud App Discovery tool is really easy to use. Microsoft has provided more information about the tool, including a list of supported firewalls, here.
Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.