Microsoft Cloud App Security (MCAS), Redmond’s cloud access security broker (CASB) offering, is a powerful tool for investigating and proactively controlling your SaaS estate.  It includes tools such as reverse proxying to control sessions and sits inside the Microsoft Threat Protection stack alongside Defender ATP, Office 365 ATP, and Azure ATP.  MCAS started life as Adallom prior to Microsoft’s acquisition of that company in 2015.  It’s included in Microsoft 365 E5 and numerous other licensing subsets, including EMS E5, E5 Security (an add-on for Microsoft 365 E3), Information Protection & Governance, or standalone.  In all cases, you’d need to make sure your package includes, or that you separately hold, a license for Azure AD Premium to get the reverse proxy benefits, delivered via Conditional Access App Control.

Of course, every penny’s a prisoner, and you don’t want to pay any more than you do already.  What else is available in lesser subscriptions?

If you have Azure AD Premium P1, you get Microsoft Cloud App Security Discovery (CAD).  This is a limited subset of MCAS that lets you manually or automatically upload logs to review cloud usage by your users.  As the name suggests, with CAD you get the discovery toolkit of MCAS, but nothing else.

If you have Office 365 E5, your plan includes Office 365 Cloud App Security (OCAS) (not Microsoft Cloud App Security).  This was previously called Office 365 Advanced Security Management and renamed at Ignite 2017 to better represent the relationship with its big brother MCAS.

OCAS lacks some of the advanced features of MCAS such as third-party app support, anomaly detection, policy settings, and AIP integration, but does have some compelling capabilities for securing your Microsoft 365 estate.  I’ve listed these below; note they are all limited to Office 365 or Azure.  Again, third-party integration requires full MCAS.

  • Conditional Access App Control
    • Lets you impose rules on web-based access to Office 365 services.  For example, block the download or cut/copy/paste/print of sensitive information.
    • Need to have Azure AD Premium P1 too
  • A detailed activity log
    • Review details of things such as identity events (attempted logins, password resets, etc), and SharePoint list + file events (downloaded, edited, deleted, etc)
  • SIEM connections for your Office 365 alerts
    • Centralise reporting in a service such as Sentinel
  • Azure security configurations
    • Recommendation reports for improving your Azure posture, such as audit settings, access to storage accounts, NSG port access, etc.
  • Automated alerts with remediation
    • From the activity log filter, you can create activity policies based on the results of that filter.  For example, you filter to view the activities you are interested in.  You can then create an activity policy to alert if these activities occur by certain user criteria, file, IP, device type.  You can also use this for potential malware detection.
    • Additionally, you can apply governance actions for when activities match.  For example, if a user performs an impersonated activity on an unmanaged device, suspend them.  Or if a user starts uploading files with file types associated with ransomware, confirm them as compromised.
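To make the filter-then-policy workflow above concrete, here is a small activity-policy evaluator written for this post as an added example. It is not Microsoft code and does not use the OCAS API; the event field names, the policy shape, the per-user threshold, the ransomware extension list and the governance action labels are all assumptions made for illustration. It runs over a handful of constructed activity-log events and raises an alert with a governance action when a policy's criteria match.

```python
"""Toy activity-policy engine modelled on the OCAS 'filter, then create a policy
from the filter' workflow.  Added example: not Microsoft code; event fields,
policy shape and governance actions are assumptions for illustration only."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample activity-log events (not real tenant data).
SAMPLE_EVENTS: List[dict] = [
    {"user": "alice@contoso.example", "activity": "FileUploaded",
     "file": "q3-report.docx", "ip": "203.0.113.10", "device": "managed"},
    {"user": "bob@contoso.example", "activity": "FileUploaded",
     "file": "photos.locky", "ip": "198.51.100.7", "device": "unmanaged"},
    {"user": "bob@contoso.example", "activity": "FileUploaded",
     "file": "invoices.crypt", "ip": "198.51.100.7", "device": "unmanaged"},
    {"user": "carol@contoso.example", "activity": "ImpersonatedActivity",
     "file": None, "ip": "192.0.2.44", "device": "unmanaged"},
]

# Illustrative list of extensions associated with ransomware-encrypted files.
RANSOMWARE_EXTENSIONS = {".locky", ".crypt", ".cerber"}


@dataclass
class ActivityPolicy:
    name: str
    match: Callable[[dict], bool]   # the saved filter, expressed as a predicate
    governance_action: str          # what to do when the policy fires
    threshold: int = 1              # fire after this many matches per user


def is_ransomware_upload(event: dict) -> bool:
    """Filter: an upload whose file name ends in a ransomware-associated extension."""
    name = event.get("file") or ""
    return event["activity"] == "FileUploaded" and any(
        name.lower().endswith(ext) for ext in RANSOMWARE_EXTENSIONS)


def is_impersonation_on_unmanaged(event: dict) -> bool:
    """Filter: an impersonated activity coming from an unmanaged device."""
    return (event["activity"] == "ImpersonatedActivity"
            and event["device"] == "unmanaged")


# Two policies mirroring the governance examples in the text above.
POLICIES = [
    ActivityPolicy("Ransomware file types uploaded", is_ransomware_upload,
                   governance_action="Confirm user compromised", threshold=2),
    ActivityPolicy("Impersonation from unmanaged device",
                   is_impersonation_on_unmanaged,
                   governance_action="Suspend user"),
]


def evaluate(events: List[dict], policies: List[ActivityPolicy]) -> List[dict]:
    """Replay events through each policy; return one alert per (policy, user)
    the first time that user's match count reaches the policy threshold."""
    counts: Dict[tuple, int] = {}
    alerts: List[dict] = []
    for event in events:
        for policy in policies:
            if not policy.match(event):
                continue
            key = (policy.name, event["user"])
            counts[key] = counts.get(key, 0) + 1
            if counts[key] == policy.threshold:
                alerts.append({"policy": policy.name, "user": event["user"],
                               "ip": event["ip"],
                               "action": policy.governance_action})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, POLICIES):
        print(alert)
```

The threshold on the ransomware policy is the point worth noting: a single odd file name is noise, but two in quick succession from the same account is the pattern the text describes, so the governance action only fires on the second match.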

If you manually upload logs to an OCAS snapshot report, you can also gain some insight into your third (and first) party cloud usage.  This is part of the CAS discovery feature set you get in CAD, discussed earlier.  Logs come from sources such as your firewall appliance or W3C logs.  What you can do with them is quite limited, though.  You’ll find information about traffic (up and down), associated users, and IP addresses.
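The three things the snapshot report gives you (traffic up and down, users, and IPs) are exactly what a W3C extended log carries, so here is an added example, written for this post rather than taken from Microsoft, that parses a few constructed W3C-style proxy lines and builds that per-destination summary. It assumes the log uses the standard `c-ip`, `cs-username`, `cs-host`, `sc-bytes` and `cs-bytes` field names declared in a `#Fields:` header; the sample lines and host names are constructed.

```python
"""Summarise W3C extended-format proxy/firewall logs into the per-app view a
discovery snapshot report offers: bytes down, bytes up, users and client IPs.
Added example; sample log lines are constructed, field names follow the W3C
extended log format."""
from typing import Dict, Iterator

# Constructed sample log, including directives and a comment line to skip.
SAMPLE_LOG = """#Software: Example Proxy
#Version: 1.0
#Fields: date time c-ip cs-username cs-host sc-bytes cs-bytes
2024-01-10 09:00:01 10.0.0.5 alice dropbox.example 120000 3400
2024-01-10 09:01:17 10.0.0.6 bob dropbox.example 2200 910000
2024-01-10 09:02:02 10.0.0.5 alice sharepoint.example 540000 12000
#Remark: line below has no authenticated user
2024-01-10 09:03:44 10.0.0.9 - wetransfer.example 800 4500000
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header.
    Lines before the header, comments and malformed rows are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or column count does not match
        yield dict(zip(fields, parts))


def summarise(records) -> Dict[str, dict]:
    """Aggregate per destination host.  In W3C naming, sc-bytes is server-to-
    client (download) and cs-bytes is client-to-server (upload)."""
    summary: Dict[str, dict] = {}
    for r in records:
        entry = summary.setdefault(r["cs-host"], {
            "downloaded": 0, "uploaded": 0, "users": set(), "ips": set()})
        entry["downloaded"] += int(r["sc-bytes"])
        entry["uploaded"] += int(r["cs-bytes"])
        if r["cs-username"] != "-":        # "-" means no authenticated user
            entry["users"].add(r["cs-username"])
        entry["ips"].add(r["c-ip"])
    return summary


def top_uploaders(summary: Dict[str, dict], n: int = 3) -> list:
    """Hosts ordered by bytes uploaded, the usual shadow-IT starting point."""
    return sorted(summary, key=lambda h: summary[h]["uploaded"], reverse=True)[:n]


if __name__ == "__main__":
    apps = summarise(parse_w3c(SAMPLE_LOG))
    for host in top_uploaders(apps):
        print(host, apps[host])
```

Note what is absent: nothing here tells you what was uploaded or whether it was sensitive, which is the gap the text describes between discovery-only data and the session controls in OCAS or MCAS.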

The session controls you get via Conditional Access App Control are also not as complete as they are with MCAS, even for Office 365 applications.  With MCAS, for example, you get complete access to Microsoft’s sensitive info types engine, which recognises types of information such as passport numbers or even Azure Storage Keys.  With OCAS, you get a much-reduced selection, and it’s largely USA-centric PII.  So no UK passport numbers, for example.

What does a session policy look like to the end-user in OCAS?  On login, their domain will redirect to a subdomain of cas.ms and, optionally, they’ll be warned their activity is monitored.

When the user performs an action OCAS is configured to control against, they will get a message about it.  In this simple example, I have a rule against copying email addresses.  OCAS, unlike some of the out-of-the-box SharePoint access controls, therefore gives you more fine-grained control over what users can do on things such as unmanaged devices.  While SPO can let you block access entirely or just block downloads, OCAS takes it a step further, based on the type of information.

As an administrator, I can now browse the activity log and see these attempted actions.  It logs permitted actions as well as blocked ones, which is useful for reactive investigations.  I can also, using tools such as the hyperlinks and filters, pivot on what I find to locate related events and chain investigations together.

To conclude, if you have Office 365 E5 and don’t want to stretch to a package that includes the full MCAS suite, there is a lot you can do with OCAS, but you’ll probably be frustrated with the limitations eventually.  If you have Azure AD Premium P1 – say, as part of Microsoft 365 E3 – you will have CAD, which will be good for showing you what shadow IT is going on, but that’s about it.