Microsoft Cloud App Security’s Conditional Access App Control is now GA!
June 28, 2018
Conditional Access App Control allows you to control and limit access to your cloud apps and the files and data that you store within them, and we’re excited to announce that it’s now generally available. It utilizes a reverse proxy architecture and is uniquely integrated with Azure AD Conditional Access, to provide you with powerful real-time visibility and controls.
In the modern workplace, it is essential to enable your users to work from any location and any device and to grant them access to cloud applications, while increasing collaboration needs require your data to be shared externally. At the same time, you need to safeguard your organization’s data and resources.
It is essential to provide a flexible environment that allows you to determine how your organization’s data can be accessed, balancing protection and productivity. Microsoft Cloud App Security delivers these capabilities in a holistic and integrated experience with Conditional Access App Control, which integrates directly with Azure AD conditional access policies.
This feature empowers you to granularly define what risk means in your organization, and then gain control and visibility of any user sessions that match that definition. For example, if a business-to-business (B2B) collaboration user who was granted access to some of your data tries to access company-confidential resources from an unmanaged device, you can block or encrypt the download of those resources in real time, to prevent confidential information from leaking outside of your organization. These controls can be applied to any SAML application configured with single sign-on in your organization.
Empowering the admin
Conditional Access App Control utilizes a reverse proxy deployment to redirect the user session to a Cloud App Security server upon authentication. Our unique integration with Azure AD conditional access empowers the admin to proactively configure which sessions should be routed to our servers, ensuring that only the subset of traffic you scoped will be proxied. You can define these rules based on conditions such as users/groups, device management, location information, and sign-in risk, among others. Once the session reaches our servers, granular Session and Access policies determine what the user will experience.
if // specify the conditions for which the resulting action should occur
In building these policies, the admin can further scope controls to apply only to specific files or activities. For example, a filter can be applied to only enforce monitoring/controls on files with Azure Information Protection classification labels, certain file extensions, or those matching custom strings in the title or body of the document. Or, policies can be scoped to only apply to certain activities, such as file uploads or file sharing.
then // specify the resulting action that should occur
Finally, the admin can select what controls to apply when a policy match occurs, such as monitor, block, or protect (encrypt) downloads, or monitor and block one of many granular in-app activities. All log-in events, downloads, and scoped activities will instantly appear in the Cloud App Security activity log for you to review. In addition, any matching sessions can be configured to send an alert directly to the administrator by phone or email.
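To check which sessions your Azure AD conditional access policies actually route to Conditional Access App Control, you can review an export of those policies. The following is an added example, not code from this announcement or from Microsoft: it assumes the policies are exported in the shape of Microsoft Graph conditionalAccessPolicy objects (not mentioned in the post), the two sample policies and their names are constructed, and the "unscoped" and "not enforced" findings are this example's own review heuristics.

```python
import json

# Constructed sample: two policies shaped like Microsoft Graph
# conditionalAccessPolicy objects. Names and IDs are placeholders.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "EXAMPLE - B2B users via App Control", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": ["GuestsOrExternalUsers"]},
     "applications": {"includeApplications": ["<app-id-placeholder>"]}},
   "sessionControls": {"cloudAppSecurity":
     {"isEnabled": true, "cloudAppSecurityType": "mcasConfigured"}}},
  {"displayName": "EXAMPLE - everything proxied",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {
     "users": {"includeUsers": ["All"]},
     "applications": {"includeApplications": ["All"]}},
   "sessionControls": {"cloudAppSecurity":
     {"isEnabled": true, "cloudAppSecurityType": "monitorOnly"}}}
]
""")

def review_routing(policy):
    """Summarise whether and how one policy routes sessions to App Control."""
    session = policy.get("sessionControls") or {}
    cas = session.get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        return None  # this policy does not send sessions to the reverse proxy
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    findings = []  # review heuristics chosen for this example
    if "All" in users and "All" in apps:
        findings.append("unscoped: all users and all apps are proxied")
    if policy.get("state") != "enabled":
        findings.append("not enforced: state is " + str(policy.get("state")))
    return {"policy": policy.get("displayName"),
            "mode": cas.get("cloudAppSecurityType"),
            "users": users, "apps": apps, "findings": findings}

def review_export(policies):
    """Return one summary row per policy that enables the session control."""
    return [row for row in map(review_routing, policies) if row is not None]

if __name__ == "__main__":
    for row in review_export(SAMPLE_EXPORT):
        print(json.dumps(row, indent=2))
```

A mode of mcasConfigured means the session and access policies defined in Cloud App Security decide the outcome, so those still need to be reviewed in the Cloud App Security portal.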
Video 1 – Creating a Session Policy in MCAS
Now that the intended policies are configured, let’s take a look at what the end-user experience will be, when navigating to a protected app from a risky session, by exploring four key use cases.
Scenario 1: Block/protect downloads from unmanaged devices
Risk: Unmanaged devices often have security gaps, such as lack of a PIN/passcode, malicious apps on the device, connections to public Wi-Fi, etc., and could potentially expose sensitive company information as a result.
Solution: Block download of highly sensitive files in real-time when accessing sanctioned company apps from an unmanaged device.
Scenario 2: Read-only mode for B2B users
Risk: While B2B users need access to some data in your applications, limiting their actions is essential, since you do not have control of their organizations’ security.
Solution: Create a read-only mode for B2B users in your organization by blocking various in-app activities.
Scenario 3: Monitor use of sanctioned applications
Risk: An application is sanctioned in your organization but presents unknown risks, which can be identified via monitoring.
Solution: Monitor log-ins, file downloads, and various in-app activities in MCAS, without restricting the actions users can take.
Scenario 4: Block access from unmanaged devices via client certificates
Risk: The data stored in applications can be highly sensitive and should not be accessed from any BYOD machines.
Solution: Create a policy to block access to any app with sensitive information from any device without a valid client certificate.
All these controls are available today, and we are working to continuously enrich the capabilities of Conditional Access App Control with more features and use-cases.
More info and feedback
Detailed information is available on our technical documentation site. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.