Defending Your Cloud: Microsoft’s Security Ecosystem

As organizations continue to invest in good security, and meet cyber insurance requirements, IT departments must enforce application and data security in all areas of the network. A Cloud Access Security Broker, or CASB handles this enforcement best with four main pillars:

Insight – a CASB can identify all cloud services accessed by users and applications and determine risk levels for each one.
For example: The grant writers are using and storing files in Google Docs in the Google Workspace instead of Microsoft Word documents in Sharepoint like the rest of the company. Risks include:

• Potentially mixing personal and company business in dangerous ways.
• Inconsistent security controls leading to more weaknesses and better odds for hackers.
• Potential extra training for staff.

Data Protection – a CASB applies technical controls like encryption to prevent the loss of organizational data at rest and in transit.
For example: The same staff members are not only sharing those Google Docs with coworkers, but also are forwarding sensitive messages and sharing files and folders to external organizations. Risks include:

• Data breaches that can result in fines and threats to company reputations.
• Breaking federal laws and state regulations.
• Surrendering control of sensitive data and who sees it.

A CASB can label files by their sensitivity level and control access based on certain user or device conditions.

Threat Protection – a CASB can analyze lots of network traffic to identify anomalies, bad actors, and negligence that puts data and people at risk.
For example: Users complain of crippling network slowness most mid-to-late afternoon workdays. Risks include:

• Lost productivity
• Employees using unauthorized means to complete tasks (e.g. working from a personal computer or finishing tasks remotely)
• This could be a ransomware and data exfiltration attack, where the bad actors start by stealing all the data causing the network to slow down.

CASB systems can adapt in real-time to prevent unauthorized access, mitigate malware, and alert security personnel as unusual events occur.

Regulatory Compliance – a CASB can apply policies that support compliance frameworks like HIPAA for health care, PCI DSS for credit card payments, operating system updates, and more. Compliance dashboards and reports can help organizations monitor ongoing compliance and ensure easier audits.

Microsoft Defender for Cloud
One of the tools we recommend is Microsoft Defender for Cloud to meet CASB functionality to cloud environments and beyond. This cloud-based security framework can also protect servers located in other locations like Amazon Web Services (AWS), Google Cloud, and on-premises data centers. Massive investments by Microsoft in artificial intelligence and machine learning continuously improve detection and response capabilities over time.

Defender for Cloud provides users a benchmark called the Secure Score–the higher the score, the lower your risk level. The system analyzes secure initiatives in place, recommends security improvements, and applies point scores to each. Each completed recommendation raises the base Secure Score, which provides:

• A real-time snapshot of organizational compliance
• A resource for IT planning, both in preparing for cyber liability insurance and mapping the IT road ahead.

Defender for Cloud can prevent major organizational catastrophes in many ways. For example:

• The right kind of encryption can ensure that if 400 files are stolen, attackers will need 400 different keys to read them.
• If users accidentally or deliberately email sensitive data, systems should be able to encrypt these messages before they leave the organization.
• CASB systems can adapt to anomalous behavior in real time to prevent unauthorized access, mitigate malware, and alert security personnel as events occur.

For more information about Microsoft Defender for Cloud and improving IT strategy for your organization, reach out to us at 781-235-1490 or email us at insource@insourceservices.com.