Authored with Anisha Gupta, Product Manager, Microsoft Cloud App Security
Digital transformation has been accelerated by remote work. The result is that many of our toughest security challenges have risen to the surface. Our traditional perimeter-based network and security models can’t adapt as quickly to this massive, fast shift. Many organizations are struggling to support permanent hybrid work models. For them, establishing secure access outside the corporate network is critical and remains elusive. As employees transition to these work models, they’re unintentionally bringing new risks and threats—for example, when accessing corporate resources from personal and unmanaged devices. It’s a challenging landscape that security teams are expected to manage.
In 2020, the Microsoft Threat Intelligence Center reported a 230% increase in password spray attacks alone, and observed over 5 billion attacker-driven sign-ins. As our cloud services evolve, threats also evolve. It’s clear that a new approach to security is required. Thankfully, security admins can leverage secure access in Microsoft Cloud App Security to counter this growing threat landscape.
Your cloud access security broker (CASB) should provide secure, easy and adaptive access to your organization’s apps depending on factors like location, device and user behavior. Adaptive access affirms the security measures your organization has put into place. This brief two-minute video demonstrates the flexibility of secure access in Microsoft Cloud App Security:
will summarize Conditional Access App Control and celebrate an exciting new capability which provides continuous adaptive access.
Background: Conditional Access App Control in Microsoft Cloud App Security
Microsoft Cloud App Security enables admins to enforce real-time monitoring and controls on actions performed within a session. These controls can be configured through either a single checkbox integration with Azure AD Conditional Access or a quick set-up wizard with 3rd party identity providers. Based on access conditions, like the identity source, the device being used, or the risk level of the user, the user actions can be explicitly allowed or blocked.
Adaptive Access: step-up authentication
Today, we’re excited to introduce a powerful new administrative control: a policy action for in-session step-up authentication. The announcement of this feature shifts the paradigm from only enforcing security checks at the entrance to a session, to the adaptive enforcement of those same conditions in the session. In partnering with Azure AD, Microsoft Cloud App Security has enabled admins to configure Conditional Access authentication context and apply it to in-session activities. In-session actions, like the download of sensitive information, can now be required to pass through an additional security check, such as an MFA challenge or device compliance check, before a user can access data.
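As an added illustration (not code from Microsoft or from the original post), the sketch below models in-session step-up: each activity is checked against a required Conditional Access authentication context, and a claims challenge is returned when the session's token does not carry it. The policy table, function names and sample claims are constructed assumptions; the `acrs` claim and the challenge shape follow the Microsoft identity platform's authentication context convention.

```python
import base64
import json

# Hypothetical session policy: which in-session activities need which
# Conditional Access authentication context id. Ids such as "c1" are
# defined by the tenant admin; this mapping is constructed for the example.
STEP_UP_POLICY = {
    ("download", "sensitive"): "c1",
}

def required_context(activity, label, device_managed):
    """Return the authentication context id the activity needs, or None."""
    if device_managed:
        return None  # assumption: the policy is scoped to unmanaged devices
    return STEP_UP_POLICY.get((activity, label))

def claims_challenge(context_id):
    """Build the base64 claims request asking for the given context."""
    body = {"access_token": {"acrs": {"essential": True, "value": context_id}}}
    return base64.b64encode(json.dumps(body).encode()).decode()

def evaluate(activity, label, device_managed, token_claims):
    """Decide per activity, not per sign-in: allow, or demand step-up."""
    needed = required_context(activity, label, device_managed)
    if needed is None:
        return {"decision": "allow"}
    if needed in token_claims.get("acrs", []):
        return {"decision": "allow"}  # context already satisfied
    return {"decision": "step_up", "claims": claims_challenge(needed)}

# Constructed sample claims: the same user before and after the extra check.
before = {"sub": "user@example.com"}
after = {"sub": "user@example.com", "acrs": ["c1"]}

if __name__ == "__main__":
    print(evaluate("view", "sensitive", False, before))      # allowed
    print(evaluate("download", "sensitive", False, before))  # step-up required
    print(evaluate("download", "sensitive", False, after))   # allowed
```

The sign-in that opened the session is never consulted here; only the claims presented at the moment of the sensitive action decide the outcome.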
This feature re-evaluates Azure AD Conditional Access policies in real time when a sensitive action is performed, to mitigate the risk posed by conditions that change during a session. In this screenshot, we can see how the new feature is expressed as a secondary security check, required as the user attempts to download a PDF from a 3rd party app on an unmanaged device:
After the security check is complete, the user receives an on-screen result of the check:
What to do next
We invite you to take these scenarios and adapt them to your organizational needs. This grants visibility into your cloud environment for all your apps. For onboarded and sanctioned apps, the Cloud App Security team recommends that admins apply access and session controls. Leveraging advanced scenarios like access and session controls, Azure AD User Risk or in-session step-up authentication, in accordance with your organization’s environment security goals, is the next step toward secure posture management of sessions. For unsanctioned apps, the recommended first step is to block the application at the endpoint with a policy, or utilize the Microsoft Cloud App Security Endpoint CASB tools. In either scenario, the two layers of cloud and identity determine the best way to deploy secure adaptive access in your environment.
Organizations can easily and flexibly block end-user access to any app. Users can effectively use their time, unencumbered by security and compliance concerns, because they are already being protected by adaptive access scenarios. An integrated set of solutions from Microsoft works in concert across your security stack.
For further training or information, view Anisha’s twenty-minute discussion on secure access in Microsoft Cloud App Security:
We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security; email CASFeedback@microsoft.com and mention Secure Access.
For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:
To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security.