
Microsoft CAS - Top 20 Use Cases - Sept 2019 (PDF)


Microsoft Cloud App Security

Top 20 use cases for CASBs

Contents

03 / Introduction
04 / A uniquely integrated CASB
05 / Architectural considerations
06 / Discover Shadow IT in your organization
09 / Protect your information in the cloud
12 / Detect and protect against cyberthreats
15 / Assess and protect your IaaS environment
17 / Getting started
18 / Resources
Introduction

Moving to the cloud requires a new approach to security. As you enable employees to work from virtually anywhere and from any device of their choice, your organizational perimeters and boundaries change. Your new security controls need to adapt to this dynamic environment and be able to quickly respond to the constantly evolving threat landscape.

Cloud Access Security Brokers (CASBs) are cloud-based security solutions that provide a new layer of security to enable oversight and control of activities and information across public and custom cloud SaaS apps and IaaS services. CASBs are broken down into four key capability areas including Shadow IT Discovery, Information Protection, Threat Protection and Compliance, and provide a central control plane for governance and policy enforcement across all of your cloud apps and services.

In this guide we share the top 20 use cases for CASBs that we recommend as a baseline for a successful implementation to improve your cloud security.

The use cases can be leveraged as a starting point during a proof of concept, or as you’re getting ready to deploy your CASB solution and want to prioritize your deployment.
A uniquely integrated Cloud Access Security Broker

Microsoft Cloud App Security (MCAS) is a multimode Cloud Access Security Broker. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

MCAS is designed with security professionals in mind. It is built as a state-of-the-art concept of native integrations to provide a simple deployment experience, centralized management, and innovative automation capabilities—while still allowing you to integrate non-Microsoft solutions from your existing environment such as a SIEM or Secure Web Gateway.

Our unique approach ensures that we deliver a powerful security solution that enables a higher level of security and compliance for heterogeneous cloud environments—across all your cloud apps and services.

One example is how Microsoft Cloud App Security delivers the only native Identity and Access Management (IAM) + CASB solution in the market, by integrating with Azure Active Directory (AAD) conditional access. This enables selective routing via our reverse proxy infrastructure, and thereby minimizes end user impact, while ensuring the highest level of control under risky conditions. AAD conditional access allows you to specify when traffic is routed via the reverse proxy using conditions such as device state, user, cloud app, location, and network, allowing for an unprecedented balance of cloud security and end user productivity.

Integration categories:
• Endpoint Detection & Response
• Security Workflow automation
• Identity & Access Management
• Security incident & event management
• Data Loss Prevention
• Cloud Security Posture Management
• Unified Endpoint Management
• Incident Response
Architectural considerations

When implementing the various CASB use cases that are outlined in this document, organizations need to ensure a seamless integration with their existing architecture and software solutions.

A Cloud Access Security Broker should support multiple deployment modes to ensure full coverage of the key use cases within a single management experience, including:
• Log ingestion from Firewalls, Secure Web Gateways and SIEMs
• Cloud-to-cloud API-based connectors
• Reverse Proxy integration with the primary (IAM) provider

Integrations with other enterprise solutions are important for an effective and sustainable management of the CASB solution and the organization’s processes and workflows. Microsoft Cloud App Security supports all of the implementation scenarios listed above and integrates with Microsoft native solutions, as well as other market leading solutions in the previously listed categories.

Figure: Deployment options for cloud app discovery and blocking. A user’s Wi-Fi connection will dictate the point of access to the cloud, but the log data will be sent to Microsoft Cloud App Security.
Addressing Shadow IT in your organization

1. Discover all cloud apps and services used in your organization

Our numbers show that Shadow IT makes up more than 60% of cloud services in large organizations, introducing unknown and unmanaged risks into the environment.

A CASB enables you to identify which cloud apps and services are being used across your organization. Whether these cloud services are being accessed on or beyond the corporate network, managed or unmanaged by IT—all data is captured. The discovery report includes all relevant information based on users, IP addresses and machines.

Deployment mode: Log collection
Native integrations: Microsoft Defender Advanced Threat Protection, Azure Sentinel
Other integrations: SIEM, Firewall, Secure Web Gateway

Technical implementation

2. Assess the risk and compliance of your cloud apps

It’s important for your IT teams to confirm whether all apps that are currently being used across the organization meet internal security policies and relevant industry or compliance requirements.

Microsoft’s CASB can help you assess the risk and compliance of any discovered cloud app or service against more than 70 risk factors, including general security — for example whether the app captures an admin audit trail — regulatory compliance such as ISO 27018 and legal factors including GDPR. These allow your IT team to make informed decisions about which apps should be supported in the organization, and which require additional governance or need to be blocked entirely.

Deployment mode: Log collection
Native integrations: Microsoft Defender Advanced Threat Protection, Azure Sentinel
Other integrations: SIEM, Firewall, Secure Web Gateway

Technical implementation
3. Govern discovered cloud apps and explore enterprise-ready alternatives

Making informed decisions is key when putting governance actions for cloud apps in place.

Once you have analyzed the risk and compliance of your cloud apps, you can use the CASB to start managing them by classifying them into relevant app groups, which commonly include Sanctioned, Unsanctioned or Restricted app tags. Once categorized, further governance actions can include onboarding an app to Azure Active Directory, dedicated monitoring of an app over time, or blocking its use by end users.

In case you discover risky or duplicate apps, the cloud app catalog — which includes more than 16,000 cloud apps — can be leveraged to find enterprise-ready alternatives.

Deployment mode: Log collection
Native integrations: Microsoft Defender Advanced Threat Protection, Azure Sentinel
Other integrations: SIEM, Firewall, Secure Web Gateway

Technical implementation

4. Enable continuous monitoring to automatically detect new and risky cloud apps

With end users always on the lookout for apps to improve their productivity, it’s key to stay on top of new services in your organization.

With a CASB, you can set up a policy to detect changes in the usage pattern of cloud apps, and be alerted when new, risky or high-volume apps are discovered in your environment.

When the usage of a specific app spikes, you may want to re-evaluate its risk score to ensure corporate data is being handled safely. At the same time, this continuous monitoring enables you to be alerted when new, risky apps are detected and immediately take action to limit the impact on your organization.

Deployment mode: Log collection
Native integrations: Microsoft Defender Advanced Threat Protection, Azure Sentinel
Other integrations: SIEM, Firewall, Secure Web Gateway

Technical implementation
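The discovery, classification and continuous-monitoring flow of use cases 1 to 4, as an added example that is not code from Microsoft Cloud App Security: a few constructed firewall log lines are aggregated per app, matched against a constructed app catalog that carries Sanctioned/Unsanctioned/Restricted tags and a risk score, and a policy raises alerts for new, risky, restricted and high-volume apps. The log format, the catalog, the scores and the thresholds are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log: "<timestamp> src=<ip> user=<name> dst=<host> bytes=<n>"
SAMPLE_LOG = """\
2019-09-02T08:01:11Z src=10.1.4.20 user=alice dst=outlook.office365.com bytes=20480
2019-09-02T08:03:40Z src=10.1.4.21 user=bob dst=files.dropbox.com bytes=5242880
2019-09-02T08:05:02Z src=10.1.4.22 user=carol dst=api.dropbox.com bytes=1048576
2019-09-02T08:09:13Z src=10.1.4.23 user=dave dst=wetransfer.com bytes=734003200
2019-09-02T08:12:55Z src=10.1.4.20 user=alice dst=teams.microsoft.com bytes=10240
2019-09-02T08:15:21Z src=10.1.4.24 user=erin dst=pastebin.com bytes=2048
"""

# Constructed app catalog: domain suffix -> (app name, risk score 0-10, tag).
# Tags follow the Sanctioned / Unsanctioned / Restricted grouping the guide describes;
# a host with no catalog entry is treated as a newly discovered, unscored app.
CATALOG = {
    "office365.com": ("Office 365", 9, "Sanctioned"),
    "microsoft.com": ("Microsoft Teams", 9, "Sanctioned"),
    "dropbox.com": ("Dropbox", 6, "Unsanctioned"),
    "pastebin.com": ("Pastebin", 2, "Restricted"),
}

LINE_RE = re.compile(r"src=(\S+) user=(\S+) dst=(\S+) bytes=(\d+)")


@dataclass
class AppUsage:
    name: str
    risk: Optional[int]
    tag: str
    users: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    bytes_out: int = 0


def lookup(host):
    """Map a destination host to a catalog entry; unknown hosts get no score."""
    for suffix, entry in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return (host, None, "Unknown")


def discover(log_text):
    """Aggregate per app: which users and source IPs used it and how many bytes went out."""
    apps = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        src, user, host, nbytes = m.groups()
        name, risk, tag = lookup(host)
        usage = apps.setdefault(name, AppUsage(name, risk, tag))
        usage.users.add(user)
        usage.ips.add(src)
        usage.bytes_out += int(nbytes)
    return apps


def evaluate(apps, previously_seen, high_volume_bytes=100 * 1024 * 1024, risky_below=5):
    """Continuous-monitoring policy: alert on new, risky, restricted and high-volume apps.
    previously_seen holds the app names reported by the last discovery run."""
    alerts = []
    for usage in sorted(apps.values(), key=lambda u: u.name):
        if usage.name not in previously_seen:
            alerts.append(("NEW_APP", usage.name))
        if usage.risk is not None and usage.risk < risky_below:
            alerts.append(("RISKY_APP", usage.name))
        if usage.tag == "Restricted":
            alerts.append(("RESTRICTED_APP_USED", usage.name))
        if usage.bytes_out >= high_volume_bytes:
            alerts.append(("HIGH_VOLUME", usage.name))
    return alerts


if __name__ == "__main__":
    report = discover(SAMPLE_LOG)
    for kind, app in evaluate(report, {"Office 365", "Microsoft Teams", "Dropbox"}):
        print(kind, app, sorted(report[app].users), report[app].bytes_out)
```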
5. Detect when data is being exfiltrated from your corporate apps

Sensitive, corporate data is the most valuable asset in many organizations. Therefore, it’s key to ensure that your data is protected and cannot be exfiltrated from your organization for improper use.

Microsoft’s CASB has out-of-the-box policies that will alert you on suspicious usage within unsanctioned apps when activities are performed that indicate a potential attempt to exfiltrate information from your organization.

In addition you can configure custom policies to get alerted on events that are important to your organization.

Deployment mode: Log collection
Native integrations: Microsoft Defender Advanced Threat Protection, Azure Sentinel
Other integrations: SIEM, Firewall, Secure Web Gateway

Technical implementation

6. Discover OAuth apps that have access to your environment

With OAuth apps users grant cloud apps access to their corporate user accounts without sharing credentials. While originally created for consumer-facing services such as Facebook, enterprise adoption of OAuth apps is increasing, giving them programmatic access to a user’s corporate data and permission levels.

With Microsoft’s CASB you can analyze 3rd party OAuth apps that have been authorized to use the credentials of your corporate logins to Office 365, G-Suite or Salesforce, to access other cloud services that may not be sanctioned by IT.

Analyze their access levels and related activities to ensure they are compliant with your internal guidelines.

Deployment mode: API-Connector

Technical implementation
Protect your information in the cloud

7. Gain visibility into corporate data stored in the cloud

No matter where in your cloud journey you are, many of your end users likely started leveraging cloud services a long time ago and have stored corporate data in various cloud applications.

A CASB provides you with full visibility over all data stored in sanctioned and connected cloud apps. It gives you deep insights about each file, allowing you to identify whether it contains any sensitive information, the owner and storage location, as well as the access level of the file. Access levels distinguish between private, internal, externally shared and publicly shared files, allowing you to quickly identify potentially overexposed files putting sensitive information at risk.

Deployment mode: API-Connector
Native integrations: Azure Information Protection

Technical implementation

8. Enforce DLP and compliance policies for sensitive data stored in your cloud apps

Cloud services such as Office 365 or Slack are key productivity solutions in many organizations today. Consequently, sensitive corporate data is uploaded and shared across them.

For existing data, a CASB solution can help you identify files that contain sensitive information and it provides several remediation options including removing external sharing permissions, encrypting the file, placing it in admin quarantine or deleting it if necessary.

Additionally, you can enforce DLP policies that scan every file as soon as it’s uploaded to a cloud app, to alert on policy violations and automatically apply data labels and relevant restrictions to protect your information. These policies can be created using advanced techniques such as data identities, regular expressions, OCR and exact data matching.

Deployment mode: API-Connector, Reverse Proxy
Native integrations: Azure Information Protection, Azure Active Directory, Microsoft Intune, Microsoft Defender Advanced Threat Protection
Other integrations: Non-Microsoft DLP solution

Technical implementation
9. Ensure safe collaboration and data sharing practices in the cloud

Increasing collaboration needs and the simplicity of external sharing require companies to enforce controls that protect the sharing of sensitive information, as users collaborate internally, as well as externally, using various cloud services.

With Microsoft Cloud App Security, you can enforce a wide set of collaboration policies relevant to the sensitivity of a file. Automatic actions include setting an expiration date on a shared link or removing external collaborators, while informing the file owner.

In addition, you can configure controls that are applied to user actions in real-time. For example, if a user is trying to send sensitive information like a password via instant message (IM) in apps such as Microsoft Teams or Workplace by Facebook, you can enforce policies that will instantly block the message from being sent.

Deployment mode: API-Connector, Reverse Proxy
Native integrations: Azure Information Protection, Azure Active Directory, Microsoft Intune, Microsoft Defender Advanced Threat Protection
Other integrations: Non-Microsoft DLP solution

Technical implementation

10. Protect your data when it’s downloaded to unmanaged devices

Today employees can work from anywhere. Whether it’s an internal user accessing corporate apps from a hotel PC, or their personal device at home, many devices are no longer managed by your IT. In addition, external users such as agencies or partners you’re collaborating with, are also allowed to access corporate resources, using unmanaged devices.

Microsoft Cloud App Security identifies the relevant device state upon user login and can be configured with granular controls to either prevent the download of sensitive files altogether, or always apply a protection label when a file is downloaded from an unmanaged device.

This ensures the continued productivity of all users, while ensuring your data is safe wherever it travels.

Deployment mode: Reverse Proxy
Native integrations: Azure Information Protection, Azure Active Directory, Microsoft Intune, Microsoft Defender Advanced Threat Protection
Other integrations: Non-Microsoft DLP solution, Non-Microsoft Mobile Device Management

Technical implementation
11. Enforce adaptive session controls to manage user actions in real-time

In a cloud-first world, identity has become the new perimeter—protecting access to all your corporate resources at the front door.

Microsoft Cloud App Security leverages Azure Active Directory conditional access policies to determine a user’s session risk upon login. Based on the risk level associated with a user session, you can enforce adaptive in-session controls, that determine which actions a user can carry out, and which may be limited or blocked entirely. This seamless identity-based experience ensures the upkeep of productivity, while preventing potentially risky user actions in real-time. The adaptive controls include the prevention of data exfiltration by blocking actions such as download, copy, cut or print, as well as the prevention of malicious data infiltration to your cloud apps by preventing malicious uploads or pasting text.

Deployment mode: Reverse Proxy
Native integrations: Azure Information Protection, Azure Active Directory, Microsoft Intune, Microsoft Defender Advanced Threat Protection
Other integrations: Non-Microsoft DLP solution, Non-Microsoft Mobile Device Management

Technical implementation
Detect and protect against cyberthreats

12. Record an audit trail for all user activities across hybrid environments

Whether a user identity is compromised, or an employee is deliberately carrying out risky actions across your environment of cloud apps, it’s key to understand that adversaries act regardless of whether an app or information is located on-premises or in the cloud. Therefore, it’s key for your IT to be able to trace and investigate the actions of any end user or privileged account laterally and across hybrid environments.

A CASB enables you to capture a detailed audit trail of all user and admin activities across your managed cloud and on-prem services for forensic investigations. This allows your IT to retrace all actions in case a breach or risky event is identified. Tracked events include activities such as sign-ins, downloads or uploads, and lateral movements, to provide full coverage for hybrid environments.

Deployment mode: API-Connector, Reverse Proxy
Native integrations: Azure Active Directory, Azure Advanced Threat Protection

Technical implementation

13. Identify compromised user accounts

Identity attacks have increased by more than 300% over the past year, making them a key source of compromise and the number one threat vector for organizations.

A CASB learns the behavior of users and other entities in an organization and builds a behavioral profile around them. If an account is compromised and executes activities that differ from the baseline user profile, abnormal behavior detections are raised.

Using built-in and custom anomaly detections, your IT will be alerted on activities such as impossible travel, as well as activities from infrequent countries or the implementation of inbox forwarding rules, where emails are automatically forwarded to external email addresses. These alerts allow you to act quickly and quarantine a user account to prevent damage to your organization.

Deployment mode: API, Reverse Proxy
Native integrations: Azure Active Directory, Azure Advanced Threat Protection

Technical implementation
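The three detections named in use case 13 (impossible travel, activity from an infrequent country, and an inbox rule that forwards mail externally), as an added example that is not Microsoft's code: each sign-in in a constructed activity feed is compared with the same user's previous sign-in, and mailbox rule events are checked for an external forwarding target. The event fields, the per-user baseline countries, the 1000 km/h plausibility limit and the New-InboxRule action name are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed activity events: user, UTC time, action, country and source coordinates,
# plus the forwarding target for a newly created inbox rule.
EVENTS = [
    {"user": "alice", "time": "2019-09-02T08:00:00", "action": "SignIn",
     "country": "DE", "lat": 52.52, "lon": 13.41},
    {"user": "alice", "time": "2019-09-02T08:45:00", "action": "SignIn",
     "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "time": "2019-09-02T08:50:00", "action": "New-InboxRule",
     "country": "US", "lat": 40.71, "lon": -74.01, "forward_to": "someone@example.net"},
    {"user": "bob", "time": "2019-09-02T09:00:00", "action": "SignIn",
     "country": "DE", "lat": 52.52, "lon": 13.41},
    {"user": "bob", "time": "2019-09-02T18:00:00", "action": "SignIn",
     "country": "GB", "lat": 51.51, "lon": -0.13},
]

CORPORATE_DOMAIN = "example.com"   # constructed; any other domain counts as external
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: roughly airliner cruise speed
USUAL_COUNTRIES = {"alice": {"DE"}, "bob": {"DE", "GB"}}  # constructed per-user baseline


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect(events):
    """Return (detection, user, detail) tuples. Sign-ins are processed per user in time
    order so each one can be compared with that user's previous sign-in."""
    alerts = []
    last_signin = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        user, t = ev["user"], datetime.fromisoformat(ev["time"])
        if ev["action"] == "SignIn":
            if ev["country"] not in USUAL_COUNTRIES.get(user, set()):
                alerts.append(("INFREQUENT_COUNTRY", user, ev["country"]))
            prev = last_signin.get(user)
            if prev:
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                hours = (t - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if km > 0 and speed > MAX_PLAUSIBLE_SPEED_KMH:
                    detail = f"{prev['country']}->{ev['country']} at {speed:.0f} km/h"
                    alerts.append(("IMPOSSIBLE_TRAVEL", user, detail))
            last_signin[user] = ev
        elif ev["action"] == "New-InboxRule":
            target = ev.get("forward_to", "")
            if target and not target.endswith("@" + CORPORATE_DOMAIN):
                alerts.append(("EXTERNAL_FORWARDING_RULE", user, target))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(EVENTS):
        print(f"{kind}: {user} ({detail})")
```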
14. Detect threats from users inside your organization

Whether an employee is looking to leave your organization with valuable information, or external partners with access to your environment are trying to exfiltrate relevant, sensitive data for competitive gain—there are many scenarios in which users with legitimate access to your cloud resources become a threat to your organization.

A CASB can help you detect anomalous behavior from individual users. It will alert you to events such as mass downloads by an internal user, or unusual, repeated activities from your external user group, indicating insider threats and allowing you to act quickly and suspend the relevant user accounts to prevent data exfiltration.

Deployment mode: API-Connector, Reverse Proxy
Native integrations: Azure Advanced Threat Protection, Azure Active Directory

Technical implementation

15. Detect threats from privileged accounts

Attackers use mechanisms such as phishing, password spray, and breach replay to compromise user accounts, and their ultimate goal is often to gain control over a privileged account, making these the most at-risk accounts and most important to monitor.

A CASB will alert you to various activities indicating that a privileged account may have been compromised. Relevant alerts include mass impersonation by a single user, login from a new country with an admin account, or unusual activity from an MSSP admin.

The unified, identity-based Security Operations experience provides a true hybrid identity threat protection. And to ensure alerts are investigated in a timely manner, Microsoft Cloud App Security provides an investigation priority—a list of accounts recommended for immediate review, that considers factors like the access level of a user.

Deployment mode: API-Connector, Reverse Proxy
Native integrations: Azure Advanced Threat Protection, Azure Active Directory

Technical implementation
16. Identify and revoke access to risky OAuth apps

In recent years OAuth apps have become a popular attack vector for adversaries. Hacker groups such as Fancy Bear have leveraged OAuth apps to trick end users into authorizing the use of their corporate credentials, for example by duplicating the UI of a seemingly trustworthy platform.

A CASB enables you to closely monitor which OAuth apps are being authorized against your corporate environments and either manually review them or create policies that automatically revoke access if certain, risky criteria are met. Key threat indicators are the combination of an app that has requested a high level of permissions, while having a low community use status, indicating that it’s not commonly found in other organizations and therefore less likely to be trustworthy.

Deployment mode: API Connector

Technical implementation

17. Detect and remediate malware in your cloud apps

As the sophistication of cyber threats continues to evolve, malware is becoming one of the fastest growing security concerns for organizations, with the majority of reported breaches now involving some type of malware.

A CASB allows you to closely monitor your cloud storage applications and identify potentially malicious files in your environment. Pre-existing files are scanned using multiple layers of detection engines to assess whether a file is malicious and associated with known malware. Microsoft Cloud App Security runs suspicious files through a sandboxing engine to detect malicious behavior and enables you to react quickly to zero-day malware in cloud storage solutions. You can also leverage session controls to prevent the upload and infiltration of known malware in real-time across all of your apps.

Deployment mode: API-Connector
Native integrations: Office 365 Advanced Threat Protection

Technical implementation
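The "high permission level plus low community use" indicator of use case 16, applied to the kind of third-party OAuth app inventory use case 6 describes, as an added example that is not Microsoft's code: a constructed inventory is scored and each app is allowed, queued for manual review, or marked for revocation. The scope names are Microsoft Graph-style permission names used illustratively; the weights, the threshold and the community-use rating are assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of third-party OAuth apps consented to in a tenant. The
# "community_use" field stands in for the catalog's community-use rating.
INVENTORY = [
    {"app": "Calendar Sync Pro", "publisher_verified": True,
     "scopes": ["Calendars.Read", "User.Read"], "community_use": "high"},
    {"app": "Mail Helper 2019", "publisher_verified": False,
     "scopes": ["Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"], "community_use": "low"},
    {"app": "Doc Viewer", "publisher_verified": True,
     "scopes": ["Files.Read"], "community_use": "low"},
    {"app": "Tenant Tool", "publisher_verified": False,
     "scopes": ["Directory.ReadWrite.All", "User.Read"], "community_use": "low"},
]

# Assumed permission weights: write access to the directory, all mailboxes or all files
# weighs most; read-only scopes weigh little; basic profile read weighs nothing.
SCOPE_WEIGHTS = {
    "Directory.ReadWrite.All": 5, "Mail.ReadWrite": 3, "Mail.Send": 3, "Files.ReadWrite.All": 3,
    "Mail.Read": 2, "Files.Read": 1, "Calendars.Read": 1, "User.Read": 0,
}
HIGH_PERMISSION_THRESHOLD = 5  # assumption


@dataclass
class Decision:
    app: str
    permission_level: int
    action: str      # "allow", "review" or "revoke"
    reasons: list


def permission_level(scopes):
    """Sum the assumed weights of the granted scopes; an unlisted scope counts as 1."""
    return sum(SCOPE_WEIGHTS.get(s, 1) for s in scopes)


def evaluate_app(app):
    """Revoke when the app combines a high permission level with low community use;
    queue for manual review when only one indicator (or an unverified publisher) is present."""
    level = permission_level(app["scopes"])
    reasons = []
    if level >= HIGH_PERMISSION_THRESHOLD:
        reasons.append("high permission level")
    if app["community_use"] == "low":
        reasons.append("low community use")
    if not app["publisher_verified"]:
        reasons.append("publisher not verified")
    if "high permission level" in reasons and "low community use" in reasons:
        action = "revoke"
    elif reasons:
        action = "review"
    else:
        action = "allow"
    return Decision(app["app"], level, action, reasons)


def evaluate_inventory(inventory):
    """Evaluate every consented app and index the decisions by app name."""
    return {d.app: d for d in (evaluate_app(a) for a in inventory)}


if __name__ == "__main__":
    for d in evaluate_inventory(INVENTORY).values():
        findings = ", ".join(d.reasons) or "no findings"
        print(f"{d.app}: {d.action} (level {d.permission_level}; {findings})")
```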
Assess and protect your IaaS environment

18. Audit the configuration of your IaaS environments

The increase of automation and user self-service across IaaS services requires continuous auditing to ensure that these cloud instances have been configured correctly. Due to the large amount of data, a single mistake can expose thousands of data records and go undetected for extended periods of time.

A CASB’s Cloud Security Posture Management capabilities enable you to conduct a security configuration assessment across your IaaS environments. It enables you to identify key data leak sources such as publicly exposed AWS S3 buckets and provides specific recommendations to improve your overall security configuration. Common suggestions include enabling multi-factor authentication (MFA) for accounts with owner permissions on your IaaS subscription, applying disk encryption, or alerting you to a lack of endpoint protection on your virtual machines.

Deployment mode: API Connector
Native integrations: Azure Security Center

Technical implementation

19. Monitor user activities to protect against threats in your IaaS environments

The impact of a user able to alter your IaaS environment can be significant and directly impact your ability to run your business, as key corporate resources like the servers running your public website, or a service you’re providing to customers can be compromised.

Microsoft Cloud App Security captures and analyzes activity within the IaaS platform, including custom applications. These activities are analyzed with a highly sophisticated UEBA engine to detect anomalous usage associated with compromised accounts, insiders, and privileged users. It will alert you to events such as an unusual deletion of virtual machines, indicating an attempt to manipulate your environment, in near real-time to ensure that you quickly remediate any impacts.

Deployment mode: API Connector, Reverse Proxy
Native integrations: Azure Security Center, Azure Advanced Threat Protection

Technical implementation
20. Capture user activities within custom cloud and on-premise apps

Organizations often have a multitude of custom applications serving business-critical functions. IaaS platforms have brought an even greater level of accessibility and flexibility to the adoption and development of custom applications, sometimes at the expense of security and compliance standards.

A CASB can help you monitor and act on various activities across these apps in your organization in real-time, to ensure that you have awareness and control of the location, and actions taken on sensitive resources. Furthermore, by leveraging integrations with Azure Active Directory, Microsoft Cloud App Security enables you to achieve this deep visibility and parity across your cloud apps, custom apps, and on-premise apps.

Deployment mode: API-Connector, Reverse Proxy
Optional integrations: Azure Active Directory conditional access, Azure Active Directory App Proxy

Technical implementation
Getting started with your proof of concept and prioritizing your deployment

We understand that many organizations need to prioritize their deployment when implementing a Cloud Access Security Broker.

We’ve created a prioritized list of the use cases in the document that will allow you to improve your overall cloud security posture within a few hours and with very little configuration, due to a seamless UI-based deployment experience and many out-of-the-box capabilities of Microsoft Cloud App Security.

1. Record an audit trail for all user activities across hybrid environments
2. Detect threats from users inside your organization
3. Identify and revoke access to risky OAuth apps
4. Detect and remediate malware in your cloud apps
5. Audit the configuration of your IaaS environments
6. Discover all cloud apps and services used in your organization
7. Gain visibility into corporate data stored in the cloud
Resources

Visit our website: aka.ms/mcas
Learn more about Microsoft Cloud App Security: aka.ms/mcasguide
Stay up to date and subscribe to our blog: aka.ms/mcasblog
Join the conversation on Tech Community: aka.ms/mcascommunity
Get started with a free trial: aka.ms/mcastrial
Use our PoC guide to kick off your CASB project: aka.ms/mcaspoc
Technical documentation: aka.ms/mcastech
Learn more about Microsoft Security solutions: microsoft.com/en-us/enterprise-mobility-security

© 2019 Microsoft Corporation. All rights reserved. This material is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESSED OR IMPLIED.
