Microsoft Zero Trust deployment guide for your applications

Microsoft Security Blog, August 27, 2020
https://www.microsoft.com/en-us/security/blog/2020/08/27/zero-trust-deployment-guide-microsoft-applications/

Leverage Microsoft Cloud App Security to secure your digital transformation by protecting all your apps and resources with the principles of Zero Trust.

More likely than not, your organization is in the middle of a digital transformation characterized by increased adoption of cloud apps and increased demand for mobility. In the age of remote work, users expect to be able to connect to any resource, on any device, from anywhere in the world. IT admins, in turn, are expected to securely enable their users' productivity, often without changing the infrastructure of their existing solutions. For many organizations, with resources spread across multiple clouds as well as on-prem, this means supporting complex hybrid deployments.

In this guide, we will focus on how to deploy and configure Microsoft Cloud App Security to apply Zero Trust principles across the app ecosystem, regardless of where those apps reside. Deploying Cloud App Security can save customers significant time and resources and, of course, improve their security posture. We will simplify this deployment, focusing on a few simple steps to get started and then stepping through more advanced monitoring and controls. Specifically, we'll walk through the discovery of Shadow IT, ensuring appropriate in-app permissions are enforced, gating access based on real-time analytics, monitoring for abnormal behavior based on real-time UEBA, controlling user interactions with data, and assessing the cloud security posture of an organization.

Getting started

Your Zero Trust journey for apps starts with understanding the app ecosystem your employees are using, locking down shadow IT, and managing user activities, data, and threats in the business-critical applications that your workforce leverages to be productive.

Discover and control the use of Shadow IT

The total number of apps accessed by employees in the average enterprise exceeds 1,500. That equates to more than 80 GB of data uploaded monthly to various apps, less than 15% of which are managed by their IT department. And as remote work becomes a reality for most, it's no longer enough to apply access policies to only your network appliance.

To get started discovering and assessing cloud apps, set up Cloud Discovery in Microsoft Cloud App Security and analyze your traffic logs against a rich cloud app catalog of over 16,000 cloud apps. Apps are ranked and scored based on more than 90 risk factors to help assess the risk Shadow IT poses to your organization.

Once this risk is understood, each individual application can be evaluated, manually or via policy, to determine what action to take. The following decision tree shows potential actions that can be taken, based on whether the application's risk is deemed acceptable. Sanctioned applications can then be onboarded with your identity provider to enable centralized management and more granular control, while unsanctioned applications can be blocked by your network appliance or at the machine level with one click by leveraging Microsoft Defender ATP.

[Figure: decision tree of actions to take based on whether an application's risk is deemed acceptable]

Monitor user activities and data

Once applications are discovered, one of the next steps for sanctioned apps is to connect them via API to gain deep visibility into those applications – after all, these are the apps where your most sensitive data resides. Microsoft Cloud App Security uses enterprise-grade cloud app APIs to provide instant visibility and governance for each cloud app being used.

Connect your business-critical cloud applications, ranging from Office 365 to Salesforce, Box, AWS, GCP, and more, to Microsoft Cloud App Security to gain deep visibility into the actions, files, and accounts that your users touch day in and day out. Leverage these enterprise-grade API connections to enable the admin to perform governance actions, such as quarantining files or suspending users, and to mitigate any flagged risk.

Automate data protection and governance

For an organization that is constantly growing and evolving, the power of automation cannot be overstated. Once your apps are connected to Microsoft Cloud App Security, you can leverage versatile policies to detect risky behavior and violations, and automate actions to remediate those violations.

Microsoft Cloud App Security provides built-in policies for both risky activities and sensitive files, as well as the ability to create custom policies as needed, based on your own environment. For example, if a user forgets to label sensitive data appropriately before uploading it to the cloud, you can automate the application of the correct label by leveraging Microsoft Cloud App Security to scan the file, whether that app is hosted in a Microsoft or non-Microsoft cloud. In addition, more likely than not, guests or partner users are collaborating with you in your sensitive applications. You can set automatic actions to expire a shared link or remove external users while informing the file owner.

Protect against cyber threats and rogue apps

Connecting your apps enables you to automate data and access governance, but it also enables detecting and remediating cyberthreats and rogue apps. Attackers closely monitor where sensitive information is most likely to end up and develop dedicated and unique attack tools, techniques, and procedures, such as illicit OAuth consent grants and cloud ransomware.

Microsoft Cloud App Security provides rich behavioral analytics and anomaly detections to help organizations securely adopt the cloud by providing malware protection, OAuth app protection, and comprehensive incident investigation and remediation. Because these are already enabled, you do not need to configure them. However, we recommend logging into your Cloud App Security portal to fine-tune them based on your environment (click on Control, then Policies, and select Anomaly detection policy).

Cloud App Security's user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities are enabled out of the box so that you can immediately detect threats and run advanced threat detection across your cloud environment. Because they're automatically enabled, new anomaly detection policies provide immediate detections, targeting numerous security use cases such as impossible travel, suspicious inbox rules, and ransomware across your users and the machines and devices connected to your network. In addition, the policies expose more data from the Cloud App Security detection engine and can be refined to help you speed up the investigation process and contain ongoing threats.

Configuring Advanced Controls

You've now assessed your cloud environment, unsanctioned dangerous and risky applications, and added automation to protect your sensitive corporate resources in your business-critical applications. Getting advanced means extending those security controls by deploying adaptive access controls that match the risk of each individual session, and by assessing and patching the security posture of your multi-cloud environments.

Deploy adaptive access and session controls for all apps

In today's modern and dynamic workplace, it's not enough to know what's happening in your cloud environment after the fact. Stopping breaches and leaks in real time, before employees intentionally or inadvertently put data and organizations at risk, is key. Simultaneously, it's business-critical to enable users to securely use their own devices productively.

Enable real-time monitoring and control over access to any of your apps with Microsoft Cloud App Security access and session policies, including cloud and on-prem apps and resources hosted by the Azure AD App Proxy. For example, you can create policies to protect the download of sensitive content when using any unmanaged device. Alternatively, files can be scanned on upload to detect potential malware and block them from entering sensitive cloud environments.

Assess the security posture of your cloud environments

Beyond SaaS applications, organizations are heavily investing in IaaS and PaaS services. Microsoft Cloud App Security goes beyond SaaS security to enable organizations to assess and strengthen their security posture and Zero Trust capabilities for major clouds, such as Azure, Amazon Web Services, and Google Cloud Platform. These assessments focus on detailing the security configuration and compliance status across each cloud platform. In turn, you can limit the risk of a security breach by keeping the cloud platforms compliant with your organizational configuration policy and regulatory compliance, following the CIS benchmark, or the vendor's best practices for a secure configuration.

Microsoft Cloud App Security's cloud platform security provides tenant-level visibility into all your Azure subscriptions, AWS accounts, and GCP projects. Getting an overview of the security configuration posture of your multi-cloud platform from a single location enables a comprehensive risk-based investigation across all your resources. The security configuration dashboard can then be used to drive remediation actions and minimize risk across all your cloud environments. View the security configuration assessments for Azure, AWS, and GCP recommendations in Cloud App Security to investigate and remediate any gaps.

More Zero Trust deployment guides to come

We hope this blog helps you deploy and successfully incorporate apps into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog to keep up with our expert coverage on security matters. For more information on Microsoft Security Solutions, visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.