Do you know what end users do with a company's data? Do they use Dropbox to share documents with clients? Discuss...
trade secrets via Slack? Plan secret projects on Trello? The Cloud App Discovery feature in Office 365 reveals certain shadow IT practices admins need to know to secure the enterprise.
End users often enlist cloud services to perform their jobs, but the practice of introducing unsanctioned apps invites risk. It circumvents security practices, which potentially opens the company to an unexpected compliance issue or a cyberattack. Cloud App Discovery uncovers shadow IT without the need to implement agent-based software on users' computers and mobile devices.
Here's how to identify and monitor use of unauthorized cloud services within the organization -- and what to do about it.
Find hidden app usage with Cloud App Discovery
Office 365's E3 subscription includes Cloud App Discovery, a component of Cloud App Security. This service interprets log files from web proxy servers, firewalls and network devices, such as wireless access points and switches, to create a visual picture of the shadow IT services used in the organization.
The Office 365 version of Cloud App Discovery indicates services that have similar functions to Office 365 apps, especially productivity services. Therefore, the discovered apps section does not include nonproductivity applications. We'll show how to uncover those later in this article.
Create reports of productivity apps
Cloud App Discovery uses logs taken from a network device that sits between end users and the internet. The Cloud App Discovery service supports common log file formats, such as those generated by Cisco access points, open source web proxy servers or third-party cloud services, such as Symantec Websense.
The admin then accesses the Cloud App Discovery feature from the Security & Compliance Center. Download a log file from the network device in a format that Cloud App Discovery supports, navigate to the main console and choose Discover > Create new snapshot report.
Search for and specify the log format from the list, then upload the log file. Office 365 takes up to 24 hours to process and display the results.
Navigate to Discover > Manage snapshot reports to see the uploaded file. Office 365 shows processed reports as Ready.
The report shows the productivity apps in use from the Office 365 platform and from other cloud services. Select an app to open an Excel spreadsheet for more details, such as how many users accessed the service, how many times users accessed it and the amount of traffic uploaded to and downloaded from the service.
Automate the log upload process
Organizations that subscribe to Enterprise Mobility and Security (EMS) E3 can extend Cloud App Discovery's functionality in several powerful ways.
The continuous reports feature automates log uploads through a customized VM with a syslog server and an HTTPS uploader.
To configure continuous reports, use the Discover > Upload logs automatically option in Cloud App Security. The admin adds a data source, which replaces the uploaded log file. The admin then defines a log collector and links it to the data source, which generates the information to deploy the Hyper-V or VMware VM.
After the VM deploys, configure one or more network devices to send data to the log collector in the format that matches the defined data source. Figure 5 shows an example of a Cisco Meraki device set up to send URL data in syslog format to the log collector's VM IP address.
After about 24 hours, results from logged data will appear in the Cloud App Discovery section. The admin accesses both real-time and historic information related to app usage.
See the threat level of shadow IT services
Aside from productivity services -- such as webmail, cloud storage and content sharing -- Cloud App Discovery also provides visibility into other areas. The EMS-based version of the tool detects internet of things devices, cloud service use from providers such as Amazon Web Services and visits to websites.
Cloud App Discovery ranks the discovered services based on risk score from one to 10. A lower score indicates a more suspicious application. The Cloud Discovery service determines the rank through assessment of security policies, such as where the data resides, who has access, who has control and whether organizations can prevent unauthorized access.
Apps designed for enterprise use, such as Google's G Suite, get good scores. Services that provide less organizational control, such as WhatsApp, receive poor grades.
WhatsApp is considered a risky service because no one has administrative control. For example, a financial advisor who communicates with a client over WhatsApp could breach regulations because the business cannot record the conversation for future discovery.
View the detailed report on each service, and decide whether to approve the cloud service.
Figure 7 lists the services with usage statistics and threat level:
Take action against shadow IT
Administrators should take action when armed with data from Cloud App Discovery. If workers use Trello, Slack and Box, then admins should deploy the corresponding Office 365 services -- Planner, Teams and OneDrive for Business, respectively.
However, IT should still take action even if the business can't make these Office 365 apps immediately available. In that case, let end users know that the company plans to roll out Microsoft services to replace shadow IT apps. Explain the benefits of the move, such as service integration across the Office 365 suite.
The EMS-integrated capabilities give admins a way to configure security alerts when workers use these unsanctioned apps. Part of the continuous reports feature partially controls the use of apps. For example, an admin creates a rule that identifies when a user downloads a lot of data from Office 365 and then uploads a lot of data to Dropbox. When the rule detects this activity, the admin gets an alert and notifies the security team to block that user's access to Office 365.
Slack or Microsoft Teams: Which one makes more sense?
Shadow IT dangers present best opportunity to use cloud access security brokers
Regulate shadow IT to reduce risk