Authored with Anisha Gupta, Product Manager, Microsoft Cloud App Security
Digital transformation has been accelerated by remote work. The result is that many of our toughest security challenges have risen to the surface. Our traditional perimeter-based network and security models can’t adapt as quickly to this massive, fast shift. Many organizations are struggling to support permanent hybrid work models. For them, establishing secure access outside the corporate network is critical and remains elusive. As employees transition to these work models, they’re unintentionally bringing new risks and threats, for example when accessing corporate resources from personal and unmanaged devices. It’s a challenging landscape that security teams are expected to manage.
In 2020, the Microsoft Threat Intelligence Center reported a 230% increase in password spray attacks alone, and observed over 5 billion attacker-driven sign-ins. As our cloud services evolve, threats also evolve. It’s clear that a new approach to security is required. Thankfully, security admins can leverage secure access in Microsoft Cloud App Security to respond to this growing threat landscape.
Your cloud access security broker (CASB) should provide secure, easy and adaptive access to your organization’s apps depending on factors like location, device and user behavior. Adaptive access affirms the security measures your organization has put into place. This brief two-minute video demonstrates the flexibility of secure access in Microsoft Cloud App Security:
In this blog post, we will summarize Conditional Access App Control and celebrate an exciting new capability which provides continuous adaptive access.
Background: Conditional Access App Control in Microsoft Cloud App Security
Microsoft Cloud App Security enables admins to enforce real-time monitoring and controls on actions performed within a session. These controls can be configured through either a single checkbox integration with Azure AD Conditional Access or a quick set-up wizard with 3rd party identity providers. Based on access conditions, like the identity source, the device being used, or the risk level of the user, the user actions can be explicitly allowed or blocked.
Adaptive Access: step-up authentication
Today, we’re excited to introduce a powerful new administrative control: a policy action for in-session step-up authentication. The announcement of this feature shifts the paradigm from only enforcing security checks at the entrance to a session, to the adaptive enforcement of those same conditions in the session. In partnering with Azure AD, Microsoft Cloud App Security has enabled admins to configure Conditional Access authentication context and apply it to in-session activities. In-session actions, like the download of sensitive information, can now be required to pass through an additional security check, such as an MFA challenge or device compliance check, before a user can access data.
This feature re-evaluates Azure AD Conditional Access policies in real-time when a sensitive action is performed, to mitigate the risk of changing conditions and risk. In this screenshot, we can see how the new feature is expressed as a secondary security check, required as the user attempts to download a PDF from a 3rd party app on an unmanaged device:
After the security check is complete, the user receives an on-screen result of the check:
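The in-session re-evaluation described above, modeled as a small policy check. This is an added conceptual example, not Microsoft Cloud App Security or Azure AD code; the `Session`, `StepUpRule` and `evaluate` names, the rule fields and the sample users are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    device_managed: bool                          # device state known to the session
    completed: set = field(default_factory=set)   # checks already passed, e.g. {"mfa"}

@dataclass(frozen=True)
class StepUpRule:
    activity: str          # in-session action the rule watches, e.g. "download"
    sensitive_only: bool   # apply only when the content is marked sensitive
    unmanaged_only: bool   # apply only to unmanaged devices
    required_check: str    # extra check demanded before the action, e.g. "mfa"

def evaluate(session, activity, sensitive, rules):
    """Decide one in-session activity: ("allow", None) or ("step_up", check)."""
    for rule in rules:
        if rule.activity != activity:
            continue
        if rule.sensitive_only and not sensitive:
            continue
        if rule.unmanaged_only and session.device_managed:
            continue
        if rule.required_check not in session.completed:
            return ("step_up", rule.required_check)
    return ("allow", None)

def demo():
    # Constructed scenario: sensitive PDF download on an unmanaged device
    rules = [StepUpRule("download", sensitive_only=True,
                        unmanaged_only=True, required_check="mfa")]
    managed = Session("alice@example.com", device_managed=True, completed={"password"})
    byod = Session("bob@example.com", device_managed=False, completed={"password"})
    out = [
        evaluate(managed, "download", True, rules),   # managed device: no challenge
        evaluate(byod, "view", True, rules),          # viewing is not gated
        evaluate(byod, "download", False, rules),     # non-sensitive file
        evaluate(byod, "download", True, rules),      # sensitive: challenge first
    ]
    byod.completed.add("mfa")                         # user passes the MFA challenge
    out.append(evaluate(byod, "download", True, rules))
    return out

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The decision is taken per activity rather than once at sign-in, so the same session is challenged only when it reaches the sensitive download.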
What to do next
We invite you to take these scenarios and adapt them to your organizational needs. This grants visibility into your cloud environment for all your apps. For onboarded and sanctioned apps, the Cloud App Security team recommends that admins apply access and session controls. Leveraging advanced scenarios like access and session controls, Azure AD User Risk or in-session step-up authentication, in accordance with your organization’s environment security goals, is the next step toward a secure posture management of sessions. For unsanctioned apps, the recommended first step is to block the application at the endpoint with a policy, or utilize the Microsoft Cloud App Security Endpoint CASB tools. In either scenario, the two layers of cloud and identity determine the best way to deploy secure adaptive access in your environment.
Organizations can easily, flexibly block any app from access by the end user. Users can effectively use their time, unencumbered by security and compliance concerns because they are already being protected by adaptive access scenarios. An integrated set of solutions from Microsoft works in concert across your security stack.
For further training or information, view Anisha’s twenty-minute discussion on secure access in Microsoft Cloud App Security:
We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security. Email CASFeedback@microsoft.com and mention Secure Access.
For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below: