Secure applications with Zero Trust
Background
To get the full benefit of cloud apps and services, organizations must find the right balance of providing access while maintaining control to protect critical data accessed via applications and APIs.
The Zero Trust model helps organizations ensure that apps, and the data they contain, are protected by:
- Applying controls and technologies to discover Shadow IT.
- Ensuring appropriate in-app permissions.
- Limiting access based on real-time analytics.
- Monitoring for abnormal behavior.
- Controlling user actions.
- Validating secure configuration options.
Applications Zero Trust deployment objectives
Before most organizations start the Zero Trust journey, their on-premises apps are accessed through physical networks or VPN, and some critical cloud apps are accessible to users.
|
When implementing a Zero Trust approach to managing and monitoring applications, we recommend you focus first on these initial deployment objectives: |
|
|
|
I. Gain visibility into the activities and data in your applications by connecting them via APIs. II. Discover and control the use of shadow IT. III. Protect sensitive information and activities automatically by implementing policies. |
|
After these are completed, focus on these additional deployment objectives: |
|
|
|
IV. Deploy adaptive access and session controls for all apps. V. Strengthen protection against cyber threats and rogue apps. |
Application Zero Trust deployment guide
This guide will walk you through the steps required to secure applications and APIs following the principles of a Zero Trust security framework. Our approach is aligned with these three Zero Trust principles:
Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least privilege access. Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive polices and data protection to protect both data and productivity.
Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
|
|
Initial deployment objectives |
I. Gain visibility into the activities and data in your applications by connecting them via APIs
The majority of user activities in an organization originate on cloud applications and associated resources. Most major cloud apps provide an API for consuming tenant information and receiving corresponding governance actions. Use these integrations to monitor and alert when threats and anomalies occur in your environment.
Follow these steps:
Adopt Microsoft Defender for Cloud Apps, which works with services to optimize visibility, governance actions, and usage.
Review what apps can be connected with the Defender for Cloud Apps API integration, and connect the apps you need. Use the deeper visibility gained to investigate activities, files, and accounts for the apps in your cloud environment.
II. Discover and control the use of shadow IT
On average, 1,000 separate apps are being used in your organization. 80 percent of employees use non-sanctioned apps that no one has reviewed and that may not be compliant with your security and compliance policies. And, because your employees are able to access your resources and apps from outside your corporate network, it's no longer enough to have rules and policies on your firewalls.
Focus on identifying app usage patterns, assessing risk levels and business readiness of apps, preventing data leaks to noncompliant apps, and limiting access to regulated data.
Follow these steps:
Set up Cloud Discovery, which analyzes your traffic logs against the Microsoft Defender for Cloud Apps catalog of over 16,000 cloud apps. The apps are ranked and scored, based on more than 90 risk factors.
Discover and identify shadow IT to find out what apps are being used, following one of three options:
Integrate with Microsoft Defender for Endpoint to immediately start collecting data on cloud traffic across your Windows 10 devices, on and off your network.
Deploy the Defender for Cloud Apps log collector on your firewalls and other proxies to collect data from your endpoints and send it to Defender for Cloud Apps for analysis.
Integrate Defender for Cloud Apps with your proxy.
Identify the risk level of specific apps:
In the Defender for Cloud Apps portal, under Discover, click Discovered apps. Filter the list of apps discovered in your organization by the risk factors you are concerned about.
Drill down into the app to understand more about its compliance by clicking the app name and then clicking the Info tab to see details about the app's security risk factors.
Evaluate compliance and analyze usage:
In the Defender for Cloud Apps portal, under Discover, click Discovered apps. Filter the list of apps discovered in your organization by the compliance risk factors you are concerned about. For example, use the suggested query to filter out noncompliant apps.
Drill down into the app to understand more about its compliance by clicking the app name and then clicking the Info tab to see details about the app's compliance risk factors.
In the Defender for Cloud Apps portal, under Discover, click Discovered apps and then drill down by clicking on the specific app you want to investigate. The Use tab lets you know how many active users are using the app and how much traffic it's generating. If you want to see who, specifically, is using the app, you can drill down further by clicking Total active users.
Dive deeper into discovered apps. View subdomains and resources to learn about specific activities, data access, and resource usage in your cloud services.
-
Create new custom app tags in order to classify each app according to its business status or justification. These tags can then be used for specific monitoring purposes.
App tags can be managed under Cloud Discovery settings App tags. These tags can then be used later for filtering in the Cloud Discovery pages and creating policies using them.
Manage discovered apps using Microsoft Entra Gallery. For apps that already appear in the Microsoft Entra Gallery, apply single sign-on and manage the app with Microsoft Entra ID. To do so, on the row where the relevant app appears, choose the three dots at the end of the row, and then choose Manage app with Microsoft Entra ID.
III. Protect sensitive information and activities automatically by implementing policies
Defender for Cloud Apps enables you to define the way you want users to behave in the cloud. This can be done by creating policies. There are many types: Access, activity, anomaly detection, app discovery, file policy, cloud discovery anomaly detection, and session policies.
Policies allow you to detect risky behavior, violations, or suspicious data points and activities in your cloud environment. They help you monitor trends, see security threats, and generate customized report and alerts.
Follow these steps:
Use out-of-the box policies that have already been tested for many activities and files. Apply governance actions such as revoking permissions and suspending users, quarantining files, and applying sensitivity labels.
Build new policies that Microsoft Defender for Cloud Apps suggests for you.
Configure policies to monitor shadow IT apps and provide control:
Create an app discovery policy that lets you know when there is a spike in downloads or traffic from an app you're concerned about. Enable Anomalous behavior in discovered users' policy, Cloud storage app compliance check, and New risky app.
Keep updating policies, and using the Cloud Discovery dashboard, check what (new) apps your users are using, as well as their usage and behavior patterns.
Control what's sanctioned and block undesirable apps using this option:
- Connect apps via API for continuous monitoring.
Protect apps using Conditional Access App Control and Microsoft Defender for Cloud Apps.
|
|
Additional deployment objectives |
IV. Deploy adaptive access and session controls for all apps
Once you've accomplished your initial three objectives, you can focus on additional objectives such as ensuring that all apps are using least-privileged access with continuous verification. Dynamically adapting and restricting access as session risk changes will enable you to stop breaches and leaks in real time, before employees put your data and your organization at risk.
Take this step:
- Enable real-time monitoring and control over access to any web app, based on user, location, device, and app. For example, you can create policies to protect downloads of sensitive content with sensitivity labels when using any unmanaged device. Alternatively, files can be scanned on upload to detect potential malware and block them from entering sensitive cloud environment.
V. Strengthen protection against cyber threats and rogue apps
Bad actors have developed dedicated and unique attack tools, techniques, and procedures (TTPs) that target the cloud to breach defenses and access sensitive and business-critical information. They use tactics such as illicit OAuth consent grants, cloud ransomware, and compromising credentials for cloud identity.
Organizations can respond to such threats with tools available in Defender for Cloud Apps, such as user and entity behavioral analytics (UEBA) and anomaly detection, malware protection, OAuth app protection, incident investigation, and remediation. Defender for Cloud Apps targets numerous security anomalies out of the box, such as impossible travel, suspicious inbox rules, and ransomware.
The different detections are developed with security operations teams in mind and aim to focus the alerts on true indicators of compromise, while unlocking threat intelligence-driven investigation and remediation.
Follow these steps:
Take advantage of the Defender for Cloud Apps UEBA and machine learning (ML) capabilities that are automatically enabled out-of-the-box to immediately detect threats and run advanced threat detection across your cloud environment.
Tune and scope anomaly detection policies.
VI. Assess the security posture of your cloud environments
Beyond SaaS applications, organizations are heavily invested in IaaS and PaaS services. Defender for Cloud Apps enables your organization to assess and strengthen your security posture and capabilities for these services by getting visibility into the security configuration and compliance status across your public cloud platforms. This enables a risk-based investigation of the entire platform configuration status.
Follow these steps:
Use Defender for Cloud Apps to monitor resources, subscriptions, recommendations, and corresponding severities across your cloud environments.
Limit the risk of a security breach by keeping cloud platforms, such as Microsoft Azure, AWS and GCP, compliant with your organizational configuration policy and regulatory compliance, following CIS benchmark, or the vendor's best practices for the security configuration.
Using Defender for Cloud Apps, the security configuration dashboard can be used to drive remediation actions to minimize the risk.
Products covered in this guide
Microsoft Azure
Microsoft 365
Microsoft Defender for Cloud Apps
Microsoft Endpoint Manager (includes Microsoft Intune and Configuration Manager)
Conclusion
Regardless of where the cloud resource or application resides, Zero Trust principles help ensure that your cloud environments and data are protected. For further information on these processes or help with these implementations, please contact your Customer Success team.
The Zero Trust deployment guide series
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for