Seven Reasons Why Proxy-based CASBs Are Required for Office 365

By Rich Campagna, Chief Marketing Officer, Bitglass

O365 logoA competing CASB vendor blogged recently on why proxy-based Cloud Access Security Brokers (CASBs) shouldn’t be used for Office 365.

The post cites “7 reasons,” all of which are variations of just one reason: their CASB breaks each time Microsoft makes changes to Office 365.  What they call “application breakages” due to “updates,” are really “CASB outages.”  In other words, dog ate their homework.

A commonly cited issue with proxies (the only way to achieve real-time cloud data loss prevention or DLP) is their ability to adjust to the near constant changes in cloud applications. However, without an automated solution that can respond to these changes in real time, it’s up to quick response by CASB engineers to fix breakages after they occur, which leads to inevitability of downtime. Make sure you don’t fall into this trap. Select a CASB that can adapt to changes on the fly. Don’t throw out proxy technology completely just because some vendors can’t do it properly.

Proxy-based CASBs: Seven reasons why

So, knowing that a proxy-based solution for Office 365 can work, if you pick the right one, why go inline with Office 365 versus relying purely on out-of-band API integration? Here are 7 unique reasons:

  1. Managed vs Unmanaged Device Access Control – For most organizations, a managed device represents a much lower risk than an unmanaged BYO device. Proxy-based controls allow you to distinguish between the two and provide a different level of access to the app and to sensitive corporate data.
  2. OneDrive Sync Client Control – A OneDrive sync client constantly synching many GBs of corporate data to an unmanaged device is riskier than a user on that device logging into OneDrive via web browser to download a couple of files that they need. Proxy allows you to control by access method,
  3. Real-time Data Leakage Prevention – API-based integration with apps like Office 365 is great for scanning data-at-rest, but only provides “Monday morning” notifications of data leakage. Proxies prevent data leakage in real-time.
  4. BYOD Malware Prevention – Your organization probably has unmanaged devices connecting into Office 365. Devices that could be infected with malware. Proxy-based solutions stop malware from making its way into Office 365, thwarting would-be attempts to use Office as an IT sanctioned and paid for malware distribution tool.
  5. Session Management – You likely want to aggressively time out and reauthenticate users on unmanaged or new devices. Possible with proxy, not possible with API.
  6. Step-up Multifactor Authentication – See suspicious activity mid-session? Evidence of credential compromise? Only inline CASB allows you to do something about it as it starts to occur.
  7. Data-at-rest Encryption – In many industries, there is a desire to use the public cloud but without giving up control over your data. Proxy-based CASBs allow you to encrypt data before it gets to the cloud. Public cloud apps with private cloud security – have your cake and eat it too!

Bonus: One bonus add — Office 365 might be your main (or only) cloud app today, but that will most definitely change in the future. The fact is, only a small handful of cloud applications provide APIs that are security relevant, whereas a properly architected proxy can support any application.

Microsoft Workplace Join Part 2: Defusing the Security Timebomb

By Chris Higgins, Technical Support Engineer, Bitglass

timebomb countdown to Workplace Join infosecurity riskIn my last post, I introduced Microsoft Workplace Join. It’s a really convenient feature that can automatically log users in to corporate accounts from any devices of their choosing. However, this approach essentially eliminates all sense of security.

So, if you’re a sane and rational security professional (or even if you’re not), you clearly want to disable this feature immediately. Your options?

Option #1 (Most Secure, Most Convenient): Completely disable InTune Mobile Device Management for O365 and then disable Workplace Join

As Workplace Join can create serious security headaches, one of the most secure and most convenient options is to disable the InTune MDM for Office 365 and then disable Workplace Join completely. Obviously, these should quickly be replaced by other, less invasive security tools. In particular, organizations should consider agentless security for BYOD and mobile in order to protect data and preserve user privacy.

Option #2 (Least Convenient): Use InTune policies to block all personal devices

Microsoft does not provide a method of limiting this feature that does not utilize InTune policies. Effectively, you must either not use InTune at all, or pay to block unwanted access. However, the latter approach means blocking all BYO devices (reducing employee flexibility and efficiency) and introduces the complexity of downloading software to every device, raising additional costs.

Option #3 (Least Convenient and Least Secure): Whack-a-mole manual policing of new device registrations

As an administrator in Azure AD, deleting or disabling an account only prevents automated logins on each of that account’s registered devices—this has to be done manually every time a user links a new endpoint. Unfortunately, deactivation and deletion in Azure do not remove the “Join Workplace or School” link from the control panel of the machine in question. Additionally, deactivation still allows the user to manually log in, as does deletion—neither action prevents the user from re-enrolling the same device. In other words, pursuing this route means playing an endless game of deactivation and deletion whack-a-mole.