How to manage shadow IT with Microsoft 365 and Microsoft Defender for Cloud Apps
If your organisation is using Microsoft 365, Microsoft Defender for Cloud Apps can help you discover shadow IT and control the data flowing across the cloud applications in your organisation.
Defender for Cloud Apps is Microsoft’s cloud access security broker (CASB) and is an incredibly powerful tool which is included within various Microsoft subscriptions as part of their Microsoft 365 Defender suite of XDR tools, or as a standalone product.
It enables you to investigate and control the use of shadow IT, protect your data anywhere in the cloud, guard against suspicious behaviour and threats, and assess your app compliance.
‘Cloud Discovery’ is one of the core capabilities of Defender for Cloud Apps and enables you to identify which apps (including shadow IT) are being used within your organisation. Cloud Discovery can be integrated with ‘Microsoft Defender for Endpoint’ to collect data on Windows devices, whilst you can also use your firewalls and other proxies to collect further data from your endpoints. It also integrates natively with some third party proxies such as Zscaler.
This gives you a picture of app usage across your organisation and enables you to identify non-approved apps easily. A risk score is also calculated for each app, using a catalogue of over 16,000 apps to provide contextual information on the app and its development history, including details on security, industry and legal regulation.
Naturally, you’ll want to understand whether app usage is compliant with your organisation’s policies and compliance obligations. Microsoft Defender for Cloud Apps helps you identify which standards the app is compliant with, for example GDPR or HIPAA.
To understand the nature of the app usage, Microsoft Defender for Cloud Apps enables you to analyse how the app is being used and by whom. This is useful as you can identify if only a small contained set of users are using an app, or if it’s spreading across departments or even the whole organisation. You can analyse traffic volumes for each app and identify the total active users and the departments which are using the app.
If there appears to be a strong business requirement for the functionality of a specific app, yet the app is deemed risky, the app catalogue helps you identify apps with similar functionality which have different security controls and are considered safer to use.
With a strong understanding of the shadow IT taking place in your organisation, Defender for Cloud Apps makes governing these apps simple. You can choose to sanction, unsanction or block apps, or mark them for review. You can also take other actions, such as adding apps to Azure Active Directory in order to apply features such as single sign-on, extending your existing authentication controls to newly discovered apps.
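The usage analysis and governance triage described above can be reproduced offline against an exported discovery report. The script below is an added illustration, not code from Microsoft or from Defender for Cloud Apps: it aggregates constructed per-app, per-user rows (the field names, the sanctioned-app list and the risk, department-spread and upload thresholds are all assumptions made for this example) and flags unsanctioned apps that have a low risk score, are spreading across several departments, or are moving a large volume of data.

```python
"""Triage a Cloud Discovery style app-usage export.

Constructed example: the rows below imitate the kind of per-app, per-user data
a discovery report exposes (app name, risk score 0-10, user, department,
uploaded bytes). Field names, values and thresholds are assumptions for this
illustration, not an export from a real tenant.
"""
from dataclasses import dataclass, field

# Apps already sanctioned by the organisation (assumed for this example).
SANCTIONED = {"Microsoft SharePoint Online"}

# Constructed sample rows: (app, risk_score, user, department, upload_bytes)
SAMPLE_ROWS = [
    ("Microsoft SharePoint Online", 10, "alice", "Finance", 5_000_000),
    ("Microsoft SharePoint Online", 10, "bob", "Sales", 2_000_000),
    ("QuickShareFiles", 3, "carol", "Finance", 800_000),
    ("QuickShareFiles", 3, "dave", "Sales", 1_200_000),
    ("QuickShareFiles", 3, "erin", "Engineering", 4_500_000),
    ("QuickShareFiles", 3, "frank", "Engineering", 300_000),
    ("NotesPad Cloud", 6, "grace", "Marketing", 50_000),
    ("BigUploader", 2, "heidi", "Finance", 90_000_000),
]


@dataclass
class AppSummary:
    """Per-app aggregate: distinct users, departments and total upload volume."""
    risk_score: int
    users: set = field(default_factory=set)
    departments: set = field(default_factory=set)
    upload_bytes: int = 0


def summarise(rows):
    """Group rows by app and accumulate who uses it, from where, and how much they upload."""
    apps = {}
    for app, risk, user, dept, up in rows:
        summary = apps.setdefault(app, AppSummary(risk_score=risk))
        summary.users.add(user)
        summary.departments.add(dept)
        summary.upload_bytes += up
    return apps


def triage(rows, sanctioned=SANCTIONED, risk_threshold=4,
           spread_depts=2, upload_limit=50_000_000):
    """Return sorted (app, reason) pairs for unsanctioned apps that deserve review.

    Heuristics (assumptions for this example):
      - risk score below risk_threshold: low-scoring app in use
      - used in >= spread_depts departments: spreading beyond a single team
      - upload volume above upload_limit: large data egress
    """
    findings = []
    for app, s in summarise(rows).items():
        if app in sanctioned:
            continue
        reasons = []
        if s.risk_score < risk_threshold:
            reasons.append(f"risk score {s.risk_score} below {risk_threshold}")
        if len(s.departments) >= spread_depts:
            reasons.append(f"used by {len(s.users)} users across "
                           f"{len(s.departments)} departments")
        if s.upload_bytes > upload_limit:
            reasons.append(f"{s.upload_bytes} bytes uploaded exceeds {upload_limit}")
        if reasons:
            findings.append((app, "; ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for app, reason in triage(SAMPLE_ROWS):
        print(f"{app}: {reason}")
```

On the constructed rows, the sanctioned SharePoint traffic is ignored, NotesPad Cloud (one user, one department, moderate score) produces no finding, QuickShareFiles is flagged for its low score and its spread across three departments, and BigUploader is flagged for its low score and its upload volume. The thresholds are deliberately parameters so they can be tuned to an organisation's own appetite for risk.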
With continuous monitoring, you can also choose to be notified when new or risky apps are discovered within your organisation—enabling you to take action quickly.
This is just scratching the surface of how Microsoft Defender for Cloud Apps can help you manage your shadow IT. You can also approve specific apps, use connectors that leverage app APIs, and create policies to control what activities a user can take within that app, for example blocking downloads of information containing specific data such as bank account details, or blocking external sharing of PDF files. The policies are extremely granular, giving you a high level of control over the actions users can take in your cloud apps.
With Azure AD and Conditional Access integration, you can also use Conditional Access App Control to enforce access and session controls based on any condition available in Conditional Access. For example, by integrating further with Azure Information Protection and its classification labels, you can determine which actions can be performed on data carrying a given label.