We are excited to announce the public preview of app governance: a security and policy management capability that customers can use to monitor and govern app behaviors and quickly identify, alert, and protect from risky behaviors with data, users, and apps. App governance is designed for OAuth-enabled apps that access Microsoft 365 data via Microsoft Graph APIs.
App governance provides you with:
Deep visibility & insights: Get deeper visibility into apps that access Microsoft 365 data and actionable insights on how the app is configured and behaving in the environment.
Policy-driven governance: Proactively define and enforce appropriate app behavior with data, users, and other apps, in accordance with your organization’s security and compliance posture for data access.
Comprehensive detection and remediation: Detect anomalous app behavior with machine-learning models, address issues with automated and manual remediation actions
App governance is cloud-based and native to the Microsoft 365 platform, so there’s no need to deploy additional infrastructure or services. This provides a simplified onboarding and management experience that can be quickly deployed in customer environments.
App governance is an add-on capability to Microsoft Cloud App Security. Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) used to discover and assess cloud apps, identify risky user behavior, enforce policies to control activity, and detect and remediate threats.
Increasing Risks from Apps
Microsoft’s security and threat research teams have broadly observed an uptick of security incidents involving apps, both in terms of frequency and impact. These incidents span a wide range, including malicious apps engaging in, as well as good but vulnerable apps being exploited by bad actors.
This situation is exasperated by a lack of good app/API hygiene, inadequate governance capabilities, and a lack of oversight on app permissions. Many apps are over-permissioned – meaning the scope of permission is beyond what is required by the app to accomplish its intended use- and highly-permissioned – meaning the type and level of access include sensitive information and high-value users that are not required.
Apps are emerging as one of the most dangerous threat vectors due to their low bar to entry and administrators have a heightened need for visibility and insights on the usage and activity of all apps installed in their organization.
Currently, customers deploy two broad solution types to control and protect from 3rd party and Line of Business (LOB) cloud apps:
App Access: these are solutions (like Azure Active Directory) that register your apps, manage access rights and permissions for your apps and define which users can access which app.
App Usage: these are solutions (like Microsoft Cloud App Security) that discover and assess cloud apps, identify risky user behavior in apps, enforce policies to control activity, and detect and remediate threats.
Customers have expressed a need to verify that each app is behaving as intended with data, users, and the apps it has been granted access to. If an app behaves in a manner that is not approved, customers need a solution to quickly detect issues and remediate them. Inappropriate app behaviors can range from security incidents that are categorically identified as bad and need to be addressed immediately to activities that fall within a tolerance level that requires additional review to assess malicious intent. This requires a deep understanding of the App Behavior within the environment – app governance provides this new capability and builds upon the existing app access and app usage solutions.
Deep visibility and insights
App governance provides a deep and intuitive dashboard experience that is familiar to administrators. The tenant summary view provides:
A high-level summary of the third-party and Line of Business apps in your Microsoft 365 tenant.
Alerts based on the violation of any pre-configured policy and/or detection of any anomalous app behavior.
Quick insights into apps that do not use one or more permissions they have been granted (Over-permissioned).
Apps that have powerful permissions that allow data access or a key setting in the tenant (High privileged).
Apps that do not have a verified publisher (Unverified).
This approach helps administrators focus on the most important aspects impacting the overall health and security of their app environment and quickly address outstanding issues. (See Figure 1: Dashboard View Providing at-a-Glance Insights into Deployed App Risks)
Figure 1: Dashboard view provides at-a-glance insights into deployed apps and app risks
App governance supports comprehensive app review and investigations capabilities with deep details of the app including full app metadata information, users of the app and if they are high-value users in key roles such as CEO/CFO/others, the amount and type of data accessed by the app over time, granted app permissions and level of app access, information on whether the publisher is verified and/or Microsoft Certified and, the latest remediation action taken on the app.
This depth of insight is critical to verify that deployed apps are behaving as intended with the data and users it has been granted access to upon onboarding and to validate that apps are operating in accordance with compliance requirements. (See Figure 2 : Data Usage View Highlights Key App Behavior Trends)
Figure 2: Data usage view highlights key app behavior trends
This approach can also help simplify the app onboarding approval process by verifying that apps’ behaviors meet expectations before being broadly deployed. This can also provide a rapid review for apps that are updated by the app publisher to ensure that the capabilities provided by the updated app remain consistent with expectations.
Organizations can define proactive policies and establish acceptable app behaviors in their environment. App governance provides three template categories and 5 different starter templates covering typical high-risk app behavior patterns including high-volume data access and apps newly added with high-privileged permissions. Policy templates provide a simplified starting point to create powerful and flexible app governance that can be configured to meet an organization’s individual app governance enforcement requirements. (Figure 3: Using Policy Templates for Rapid Policy Deployment)
Figure 3: Using policy templates for rapid policy deployment
In addition, app governance provides sixteen app behavior activity indicators (predicates) that can be used to create custom app governance policies to address specific compliance requirements and/or to enforce low-level risk mitigation controls or even define actions to preempt threats to sensitive apps when a condition occurs that could lead to the exploitation of an app.
Policies can be configured to run in Audit (test), Active or Inactive mode and can have automated remediation action to disable the app while in Active mode.
Comprehensive Detection and Remediation
App governance offers comprehensive detection of anomalous app behavior that includes machine learning models and policy matching. When an anomalous app behavior pattern is detected, an alert is sent to notify the administrators with all the relevant details that they need to take remediation actions quickly and confidently.
App governance offers a range of automated and manual remediation actions for common and emerging advanced persistent threat scenarios including:
Adversaries taking over apps that are in good standing with high privileges (usually line of business apps developed by citizen developers).
The app governance threat research team and data scientists use a wide variety of data streams and signals, analysis of the known attack vectors and techniques (MITRE ATT&CK and others), machine learning models and triangulated data insights from a wide variety of sources to build detections of anomalous app behaviors. Microsoft is constantly developing and adding new detection capabilities and improving the efficiency of the existing models built on top of intelligence platforms
App governance provides fine-grain remediation integrated with Azure Active Directory, offering configurable actions (automated/manual) to protect from risky or inappropriate app activity and to improve the security posture of the app environment.
To provide customers with a comprehensive way to handle alerts and incident response across different security and compliance products from Microsoft, all app governance alerts are integrated into Microsoft Defender.
App governance is an add-on feature for Microsoft Cloud App Security and is initially available as a public preview to existing Microsoft Cloud App Security customers in certain regions of North America and Europe with other regions being added gradually the next few months.