A Journey to Holistic Cloud Protection with the Microsoft 365 Security Stack Part 4 - Apps

Published Apr 13 2020 06:45 AM

For our third stop on the journey to holistic cloud protection with the Microsoft 365 security stack we will be discussing application security.  For anyone newly joining us on this journey, please check out Part I: Overview, Part II: Identity Security and Part III: Device Security to get caught up before reading Part IV: Application Security, the subject of this article.


As technology advances at light speed, so does the transition from corporate-provided devices to using your personal device as your work device.  Managing the use of corporate accounts through applications on personal devices has become a significant security concern.  Along the same lines, individuals use their work accounts to authenticate to potentially non-approved cloud apps, which then gain access to corporate data once their permission requests are accepted.  During this article we will focus on increasing the security posture around applications on unmanaged personal devices and on discovering which cloud apps are being granted access to corporate data.


Microsoft Endpoint Manager:

What are the approved protected apps used for corporate access to cloud resources?

How do you separate corporate data from personal data?

How do you apply security baselines to a device you don’t own or manage?


The above are frequently asked questions that organizations must consider when seeking to increase their overall security posture while also maintaining a productive and accessible work environment.  These concerns can be remedied by using a combination of Microsoft Endpoint Manager app protection policies and integration with Azure AD Conditional Access.  By using both you can provide a standardized method of access to corporate data, ensure data protection, and ultimately allow individuals to use their personal devices rather than carry a second corporate device.


Issue #1: - Unmanaged device where corporate data mingles with personal data – Allowing individuals to use a personal device can drastically reduce cost by removing device purchasing, maintenance and eventual replacement.  At the same time, you don’t want corporate data being backed up to personal cloud storage, downloaded locally or intermingled with personal data.


Solution: App protection policies for iOS and Android allow us to containerize corporate data away from personal data while applying a baseline of security settings to the applications rather than the device.  This lets us manage corporate data by targeting the corporate account signed in to the protected app, equally on unmanaged personal devices and on managed devices.  Available protected apps span most Microsoft apps along with many third-party apps such as Adobe Reader, Zoom for Intune, Box EMM, and Nine Work for Intune.  You can even onboard your custom-built apps using the publicly available Intune SDK.

  • Data Protection
    • Block Android backup or iOS iTunes backup of the corporate account
    • Restrict cut, copy and paste to a non-protected app account
    • Restrict web content transfer unless through a managed browser (Microsoft Edge)
  • Access Requirements
    • Require a PIN when accessing the protected app with the corporate account
    • Enforce strength of the PIN used to access the protected app with corporate account
    • Define minutes of inactivity before recheck is required
  • Conditional Launch
    • Define the maximum PIN attempts before PIN reset required or corporate data wipe
    • Define minimum app version before warning to update app
    • Define minimum app version before access to app is blocked or corporate data wipe


Issue #2: - An employee is let go… I need to wipe corporate data… the device is offline… - With mobile devices you have the option to send a wipe command to factory reset the device (managed) or a selective wipe (managed/unmanaged) to remove corporate data, provided the device is online to receive the wipe request.  The question then arises: what happens if the device is placed into airplane mode in an attempt to keep the data as long as possible?


Solution: App protection policies for iOS and Android have a unique conditional launch setting called Offline Grace Period.  This setting only triggers when the application is unable to connect back to Endpoint Manager to verify its policy.  It ultimately ensures that access to the corporate data will be blocked and/or wiped from the device if the app is unable to connect for a specific time frame.

  1. Offline grace period (mins) - When the time frame in minutes ends you can block access to the app, which forces the individual out of it even while actively using it, and requires them to re-enter the PIN or authenticate.  This ultimately forces them to reconnect to the internet to do so.
  2. Offline grace period (days) - When the time frame in days ends you can perform a selective wipe of all corporate accounts from the protected apps defined in the policy.
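The data protection, access requirement and conditional launch settings above, together with the two offline grace periods, form a baseline that an administrator can check policies against. The following is an added example, not code from the post or from Microsoft: it lints a policy object that uses Graph-style managedAppProtection property names and ISO 8601 durations, and the property names, the numeric thresholds and the sample policy are assumptions made for illustration.

```python
import re

# Baseline derived from the settings listed above, expressed against Graph-style
# managedAppProtection property names; names and thresholds are assumed here.

def iso_duration_minutes(value: str) -> int:
    """Convert a duration such as 'P90D', 'PT12H' or 'PT720M' into minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    days, hours, mins = (int(g or 0) for g in m.groups())
    return days * 1440 + hours * 60 + mins

def check_app_protection_policy(policy: dict) -> list:
    """Return the baseline gaps found in one iOS/Android app protection policy."""
    gaps = []
    # Data protection: no personal backup, clipboard limited to managed apps, links in Edge
    if not policy.get("dataBackupBlocked"):
        gaps.append("backup of corporate account data to iTunes/Android backup is allowed")
    if policy.get("allowedOutboundClipboardSharingLevel") not in ("managedApps", "managedAppsWithPasteIn", "blocked"):
        gaps.append("cut/copy/paste into unprotected apps is allowed")
    if not policy.get("managedBrowserToOpenLinksRequired"):
        gaps.append("web content may open outside the managed browser")
    # Access requirements: PIN required, strong enough, rechecked after inactivity
    if not policy.get("pinRequired"):
        gaps.append("no PIN required to open the protected app")
    elif policy.get("minimumPinLength", 0) < 6 or policy.get("simplePinBlocked") is False:
        gaps.append("PIN weaker than baseline (6+ characters, simple PINs blocked)")
    if iso_duration_minutes(policy.get("periodOnlineBeforeAccessCheck", "PT0M")) > 30:
        gaps.append("inactivity recheck interval longer than 30 minutes")
    # Conditional launch: bounded PIN attempts, offline grace periods, minimum app version
    if policy.get("maximumPinRetries", 99) > 5:
        gaps.append("more than 5 PIN attempts allowed before reset or wipe")
    if iso_duration_minutes(policy.get("periodOfflineBeforeAccessCheck", "P999D")) > 720:
        gaps.append("offline grace period before block exceeds 12 hours")
    if iso_duration_minutes(policy.get("periodOfflineBeforeWipeIsEnforced", "P999D")) > 90 * 1440:
        gaps.append("offline grace period before selective wipe exceeds 90 days")
    if not policy.get("minimumRequiredAppVersion"):
        gaps.append("no minimum app version enforced before access is blocked")
    return gaps

# Constructed sample policy that satisfies the baseline above.
BASELINE_POLICY = {
    "dataBackupBlocked": True, "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "managedBrowserToOpenLinksRequired": True, "pinRequired": True, "minimumPinLength": 6,
    "simplePinBlocked": True, "periodOnlineBeforeAccessCheck": "PT30M", "maximumPinRetries": 5,
    "periodOfflineBeforeAccessCheck": "PT12H", "periodOfflineBeforeWipeIsEnforced": "P90D",
    "minimumRequiredAppVersion": "4.0.0",
}
```

Run `check_app_protection_policy` over each policy exported from your tenant; an empty list means the policy meets the baseline, otherwise each string names the setting to tighten.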


Issue #3: - There are too many email apps connecting with no standardization… - With a mix of individuals using native email apps, third-party email apps or the Outlook app… there really isn’t a standard in most organizations.  Each type of email app has its own security concerns, such as authentication (basic vs modern), data separation (corporate vs personal), or how to ensure data can be removed remotely.


Solution: By integrating your app protection policies with Azure AD Conditional Access you can require all connections to Exchange Online to go through an approved app, which is the Outlook app.  Once this is enabled you can then apply the app protection policies to protect and govern the use of corporate data on the mobile devices.  This integration standardizes email access on modern authentication while applying a baseline of security settings to the Outlook app.


Microsoft Cloud App Security (MCAS):

A lack of visibility and understanding around which cloud apps are being connected to, including those that are unknown or under no governance (commonly known as Shadow IT), poses a significant security concern for many organizations.  Not knowing what you don’t know is no longer an excuse.  Microsoft Cloud App Security can address many of these concerns: discovering which cloud apps are being used within your corporate environment, determining which are sanctioned or banned, and ultimately alerting on specific scenarios involving cloud app activity.


Issue #1: - Which cloud apps are safe? Which are risky?  There are too many to research… - With an astronomical number of cloud apps available that are continuously changing, it is very difficult to be a security/governance expert on them all.  When was the last time one of the apps was breached?  Which ones are compliant with your industry’s regulations?  Which ones lack the basic security requirements that you deem mandatory for doing business with them?


Solution: Using the Cloud App Catalog, you are able to review over 16,000 cloud apps to determine whether they should be sanctioned or banned for corporate use.  Below you can see the information categories provided along with a small subset of the verified information in each:

  • General:
    • Founded date,  disaster recovery plan, and link to terms of use plus privacy policy
  • Security:
    • Last breach, penetration testing, data audit trail, allows MFA, and encryption protocol
  • Compliance:
    • ISO 27001/27002/27017/27018, SOC 2/3, FINRA, HIPAA, FedRAMP and HITRUST CSF
  • Legal:
    • GDPR, DMCA, Data retention policy and Data ownership

Issue #2: - How do you manage the OAuth app permissions being accepted by individuals? - Remember the last time you downloaded a new app on your mobile device, and it asked for your permission to access your contacts and camera?  By default, individuals in your organization can connect their Office 365 account to third-party apps and accept the permission request, so the app is granted permission to read and act in your Office 365 environment.  This means some apps might be able to read the individual’s emails, read their Office 365 user profile or even make changes in all of the SharePoint Online sites.  Pretty scary stuff, right?!


Solution: First off, we need to stop the bleeding and block individuals from accepting OAuth app permissions on behalf of the organization.  This can be done by going into the Office 365 Admin Center, selecting Settings and finding Integrated Apps.  Unchecking this setting prevents individuals from accepting app permissions on behalf of the organization in the future and requires an administrator to approve the app instead.  For all the damage already done up to this point, you can open the OAuth Apps section in Microsoft Cloud App Security to review which apps have been approved and what permissions were granted, and ban an app if you want to block access using the corporate account going forward.


Issue #3: - Need alerts for OAuth apps when specific scenarios occur - A new cloud storage app is released, and parts of the organization begin using it without any concern for security or data protection…  A productivity cloud app adds a concerning permission requirement in its latest release… A new cloud app is released with a misleading name or description…


Solution: Utilizing OAuth app policies we can address these security concerns, along with many others, when it comes to discovering OAuth app connections, understanding their usage across the organization, and revoking or banning the OAuth app permission if specific concerning scenarios arise.

  1. Alerting or revoking when a discovered OAuth app permission raises the app’s permission level or requests a specific permission you deem unsafe.
  2. Alerting when a new or existing OAuth app permission is granted by a specific number of individuals.
  3. Alerting based on telemetry from Microsoft Threat Intelligence related to OAuth app anomaly detection, where a misleading OAuth app name, publisher name or app consent may indicate a malicious attempt such as a phishing campaign.
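The review of granted permissions described under Issue #2 and the three policy rules above can be expressed as a small triage routine run over exported consent grants. The following is an added example, not code from the post or from Microsoft Cloud App Security: the grant records, their field names and app ids are constructed sample data, the set of "heightened" permissions is an illustrative choice, and the publisher table is an assumption standing in for the threat intelligence feed the product uses.

```python
from collections import defaultdict

# Constructed sample of OAuth consent grants, shaped like an export of the
# OAuth apps view; the field names and app ids are assumptions for illustration.
SAMPLE_GRANTS = [
    {"app_id": "app-001", "app": "Mailbox Cleaner", "publisher": "Contoso Tools",
     "user": "alice", "scopes": ["User.Read", "Mail.ReadWrite"]},
    {"app_id": "app-001", "app": "Mailbox Cleaner", "publisher": "Contoso Tools",
     "user": "bob", "scopes": ["User.Read", "Mail.ReadWrite"]},
    {"app_id": "app-001", "app": "Mailbox Cleaner", "publisher": "Contoso Tools",
     "user": "carol", "scopes": ["User.Read"]},
    {"app_id": "app-002", "app": "Team Calendar", "publisher": "Fabrikam",
     "user": "dave", "scopes": ["User.Read", "Calendars.Read"]},
    {"app_id": "app-003", "app": "Microsoft Teams", "publisher": "Microsft Corp",
     "user": "erin", "scopes": ["User.Read"]},
    {"app_id": "app-004", "app": "Microsoft Teams", "publisher": "Microsoft Corporation",
     "user": "frank", "scopes": ["User.Read"]},
]

# Graph delegated permissions an admin would treat as heightened (illustrative set).
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Sites.FullControl.All", "Directory.ReadWrite.All"}
# Product names that only one publisher should legitimately use (illustrative table).
EXPECTED_PUBLISHER = {"microsoftteams": "Microsoft Corporation"}

def normalise(name: str) -> str:
    """Collapse case, spacing and punctuation so lookalike names compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def triage_grants(grants, user_threshold: int = 3) -> list:
    """Group grants per app and return one alert per rule that each app trips."""
    apps = defaultdict(lambda: {"name": "", "publisher": "", "users": set(), "scopes": set()})
    for g in grants:
        a = apps[g["app_id"]]
        a["name"], a["publisher"] = g["app"], g["publisher"]
        a["users"].add(g["user"])
        a["scopes"].update(g["scopes"])
    alerts = []
    for app_id, a in apps.items():
        risky = sorted(a["scopes"] & HIGH_RISK_SCOPES)
        if risky:  # rule 1: heightened or unsafe permission granted
            alerts.append({"app_id": app_id, "rule": "high-risk permission", "detail": ", ".join(risky)})
        if len(a["users"]) >= user_threshold:  # rule 2: consented by many users
            alerts.append({"app_id": app_id, "rule": "many consenting users", "detail": str(len(a["users"]))})
        expected = EXPECTED_PUBLISHER.get(normalise(a["name"]))
        if expected and a["publisher"] != expected:  # rule 3: misleading name or publisher
            alerts.append({"app_id": app_id, "rule": "misleading name or publisher", "detail": a["publisher"]})
    return alerts
```

Each alert names the app id so it can be looked up in the OAuth Apps view and banned or revoked if warranted.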


As we get ready to look towards our next adventure in our journey to holistic cloud protection with the Microsoft 365 security stack… I want to reflect on the importance of application security.  Our security posture is only as good as what we can see and what we know.  Microsoft Cloud App Security provides extensive visibility into the unknown and actionable governance that can be applied when unsafe scenarios arise.  As more personal devices intertwine with corporate data, we must also ensure that data separation exists and provide a baseline of security for devices that we are not able to manage from a device management standpoint.


Thank you so much for joining me during this stop while we discussed application security.  Our next stop in this journey will be discussing Data Security and how to increase our security posture when creating, storing and sharing corporate data using the Microsoft 365 security stack.

Last update: Apr 13 2020 06:52 AM