From the course: Microsoft 365: Implement Security and Threat Management

Plan for Cloud App Security

- Planning for Cloud App Security. Your organization must have a license to use Cloud App Security. Each user must be licensed for Cloud App Security to use or benefit from it. The setup account must also be a global or a security administrator in Azure Active Directory or Office 365. It's important to understand that a user who is assigned an admin role will have the same permission across all the cloud apps that your organization has subscribed to. To run the Cloud App Security portal, you need to use a supported browser. The current versions are Internet Explorer 11, Microsoft Edge, Google Chrome, Mozilla Firefox or Apple Safari.

Microsoft Cloud App Security is a user-based subscription service. Each license is per user per month. Microsoft Cloud App Security can be licensed as a standalone product or as part of different licensed bundles. The licensed bundles that include Cloud App Security are Microsoft Cloud App Security plus Enterprise Mobility and Security E3, Enterprise Mobility and Security E5, the Microsoft 365 E5 Security and E5 licenses and then of course the Office 365 E5, Education A5 and then of course the Azure AD Premium Plans 1 and 2.

Now, when you're planning to utilize Cloud App Security, there are a series of protection features that you need to determine whether to use and to understand. The first one is discover and assess cloud apps. This is integrating Cloud App Security with Microsoft Defender Advanced Threat Protection or Defender ATP, which will give you the ability to use Cloud Discovery beyond the corporate network or secure gateways. With the combined user and machine information, you can identify risky users or machines. You can also see what apps they are using and investigate further in the Defender ATP Portal.

Next is the ability to apply Cloud Governance Policies. After you've reviewed the list of discovered apps in the organization, you can secure your environment against unwanted app use.
You can apply the sanctioned tag to apps that are approved and the unsanctioned tag to apps that are not. You can then monitor unsanctioned apps using discovery filters or export a script to block unsanctioned apps from using your on-premises security appliances.

You can also limit exposure of shared data and enforce collaboration policies. This is done by connecting Office 365 to Cloud App Security, which will give you immediate visibility into your users' activities, files they are accessing and then it provides governance actions for Office 365, SharePoint, OneDrive, Teams, Power BI, Exchange and then Dynamics.

And then we can also discover, classify, label and protect regulated or sensitive data stored in the cloud. That is integration with Azure Information Protection that gives you the capability to automatically apply classification labels and optionally add encryption on the content.

We also have the ability to enforce Data Loss Prevention or DLP and Compliance Policies for the data stored in the cloud. You can create a file policy that detects when a user tries to share a file with the confidential classification label with someone external to your organization and then configure its governance actions.

You can also block a protected download of sensitive data to unmanaged or risky devices. So using Conditional Access App Controls, you can set permissions and controls on your SaaS or Software as a Service applications. You can create session policies to monitor your high-risk, low-trust sessions, also creating session policies to block and protect downloads by users trying to access sensitive data from those devices.

You can also then secure collaboration with external users by enforcing real-time session controls. You can create a session policy to monitor the sessions between your internal and external users.
This not only gives you the ability to monitor the session between the users and notify them that their sessions are being monitored but it also enables you to limit specific activities.

We can also then detect cloud threats, compromised accounts, malicious insiders as well as ransomware. Utilizing Anomaly Detection Policies, as well as Entity Behavioral Analytics and Machine Learning, you can immediately run Advanced Threat Protection across all of your cloud environment.

We can also then use the Audit Trail for activities, if we have to perform forensic investigations. Alerts are triggered when user, admin or sign-in activities don't comply with your policies and you can then investigate those further by utilizing the Audit Trail.

We can also then secure infrastructure as a service services and custom applications. So by connecting each of these cloud storage apps to Cloud App Security, you can improve your threat detection capabilities by monitoring administrative and sign-in activities for these services. You can detect and be notified about possible brute force attacks, malicious use of a privileged user account and other threats in the environment.

Now, in order to utilize Cloud App Security, you first need to determine the security access that you wish to assign to individuals. The first is the global administrator and security administrator. These roles have full access with full permission in Cloud App Security. They can administer, add policies, add settings, upload logs and perform governance actions. The next is a compliance administrator who has read-only permission and can manage alerts, can also create and modify file policies as well as completing some of the governance actions and then viewing the reports. A compliance data administrator has read-only permissions, can create and modify file policies as well as completing some of the actions and view discovery reports. Then of course, we have security operator.
This has read-only permissions and can manage alerts. The security reader has read-only permissions but can also manage alerts. And the security reader is restricted from most of the administrator actions and pages. And then of course we have a global reader, which is the same as a global administrator except it's read-only access for anything and cannot make any changes.

You can add additional admins in Cloud App Security without adding users to Azure Active Directory administrative roles. You can click within Cloud App Security using the gear icon and then click manage admin access, and then enter the full email address of the user within Azure Active Directory to assign the required admin role.
