Microsoft Readies New Feature in Cloud App Security Product

A preview of the updated Cloud App Security solution from Microsoft is expected this month, featuring a new capability that adds conditional access protections to Software-as-a-Service (SaaS) applications.

Cloud App Security, which reached general availability last year, is Microsoft's implementation of technology it acquired from Adallom about two years ago. Microsoft describes Cloud App Security as a way to discover the use of SaaS apps in organizations. The service provides an assessment of the security risks of using various SaaS apps via a ranking system. It's billed as a means of thwarting so-called "shadow IT" scenarios, where end users evade policies and security protections set up by IT departments.

Sometime in October, Microsoft plans to issue a public preview of a new Cloud App Security feature that will permit organizations to set conditional access policies for SaaS apps.

"As showcased at Ignite keynote sessions, we're extending these conditional access capabilities to monitor user sessions and control content access and downloads directly inside SaaS apps through a unique integration between Microsoft Cloud App Security and Azure AD conditional access," Microsoft explained last week regarding the feature coming in preview for the Cloud App Security service.

Under the "conditional access" concept, policies set by IT pros determine when access to networks or resources is granted or blocked. For instance, there can be conditional access policies set for devices such that they are required to have the latest updates installed in order for network access to be granted. The new preview coming in October, though, will offer a way to set conditional access policies specifically for cloud-based SaaS applications. It carries out these conditional access policies using a new "proxy" in the Cloud App Security service.

According to Microsoft's example, with the coming conditional access preview, "you can allow access to browser-based cloud apps from unmanaged devices or an unfamiliar location while blocking the download of sensitive documents from within the application."

Azure Information Protection Feature
The Cloud App Security service also can block access to documents and e-mails through integration with Azure Information Protection. It's able to take action based on the security classification "labels" that get applied to documents and e-mails using the Azure Information Protection service. A new capability, described in Microsoft's announcement, is that this sort of action can happen automatically for SaaS apps.

"Cloud App Security will scan and classify sensitive files in the cloud apps and automatically apply AIP labels for protection," Microsoft's announcement explained.

This new protection will permit Excel, PowerPoint or Word files to "open in Office apps on all platforms without requiring a plug-in or any additional settings," the announcement added. This capability will be available sometime in Oct. 2017, according to the announcement.

Improved Discovery
The discovery capabilities of the Cloud App Discovery service also have been enhanced. The service can now find "more than 15,000 cloud apps," Microsoft's announcement claimed. It will issue an alert when a new app is being used.

The discovery feature of the service also shows more in-depth information, such as "inbound and outbound traffic," plus the "top users for discovered apps." The improved discovery process works without agents and is currently available to "all Azure AD Premium P1 and EMS E3 customers."

The three enhancements coming to the Cloud App Security service are summarized in this slide from a Microsoft Ignite session:

[Figure: Coming Cloud App Security enhancements. (Source: Ignite 2017 session.)]

The Ignite session, "Microsoft Cloud App Security Deep Dive," is currently available on demand here.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

