Cloud App Discovery: The best kept secret in Enterprise Mobility


By Emily Coates

Emily Coates is a Premier Field Engineer at Microsoft UK. She specialises in Messaging and Business Productivity, and is the proprietor of MissTech, a tech blog for all things cloud.

The Enterprise Mobility Suite has a large array of features within its product set, which is the reason it has proven so popular. One of the challenges facing such a broad suite of products, however, is that of feature awareness. Potential customers are aware of the overarching products, but not necessarily of the nuances of the feature set.

One such nuance is contained within the Azure AD Premium product and is, in my opinion, one of Microsoft's best kept secrets. It's called Cloud App Discovery and it allows you to gain visibility of 'Shadow IT' lurking within the ones and zeros of your organisation's user activities. The phrase 'Shadow IT' is, admittedly, becoming overused at the moment, but for good reason. Let's face it, users are getting more tech savvy all the time and they expect to be productive on whatever device they happen to be holding at that moment in time. Also, given the proliferation of Software as a Service (SaaS) applications (such as Dropbox, Salesforce and Twitter), users will easily find a tool which allows them to meet their productivity or communication goals. Just to give you an idea of the scale, the average Enterprise can have anywhere between 500-1000 SaaS applications in use. The potential for data leakage here is gigantic, and all this modern technology means that controlling the flow of corporate data has never been more challenging!

Enter Cloud App Discovery

This is where Cloud App Discovery comes in. It's an agent-based service that reports on which SaaS applications your targeted users are making use of on their Windows-based machines. You can monitor all SaaS apps or you can target data collection at certain categories of applications, such as Business, Marketing or Finance. The data reported includes a list of which apps are in use, how many users are making use of them and, most importantly, how much data is flowing through them. I can guarantee you, from personal experience, that you will be shocked by how much shadow IT exists in your organisation, even if you have already taken steps to limit it. Users always find a way to circumvent your best intentions and often don't understand the risks they are putting the company's data under.

Be more secure

Now data collection and reporting is all well and good, and can make you look super cool at your monthly management meetings, but it is practically useless unless you can do something about it. This is where Azure AD SaaS integration comes in. This tool allows you to integrate over 2500 SaaS applications into Azure Active Directory, allowing users to sign into third-party SaaS applications using their Azure AD credentials. Doing this provides multiple benefits: it stops the proliferation of "Yet Another Username and Password" (YAUP); it makes account administration much simpler; and it provides a way to allow your users to use the tools they want to use in a more secure manner. Let me give you a couple of examples of this in action, so that you can get a flavour of how useful this could be!


Twitter is a great example of how SaaS integration can help your business avoid a PR disaster. There have recently been several cases of employees leaving a business and, such was their dissatisfaction with the firm in question, posting inappropriate tweets from the company Twitter account. This makes for some egg-covered faces and hurried meetings about how to stop this happening in the future. What IT could do to mitigate this is to integrate the Twitter account with Azure Active Directory. This way, the user never knows the actual Twitter account username and password, and logs into the account using their Active Directory credentials. When the user leaves the company, their Active Directory account is disabled and they can no longer access that Twitter account. A simple and effective solution to a potential PR disaster.


Another example is SugarCRM. This application relies on individual logons for all users who access the service. This is over-complicated and confusing for users, as they have to remember multiple usernames and passwords. This application could be integrated with Azure Active Directory on a per-user basis, including automatic password rollover. This way the user accesses SugarCRM using their AD account and, once again, when they leave the business their AD account is disabled and they can no longer access their SugarCRM account.

Cloud based file sharing

Finally, let's say that, using Cloud App Discovery, you have identified a particular file sharing application which your users are leaning on. You can see that tens of gigabytes of data are flowing through this application every month. This is particularly dangerous, as corporate data leakage is already taking place in this instance. Whilst you could just block the application and declare that you have mitigated the risk, you haven't solved the core problem. Users clearly need a cloud-based file sharing tool to achieve their productivity goals. This data gives you the leverage you need to go to your management team and justify the purchase of enterprise-grade file sharing services which can be centrally controlled, secure and auditable. By going through this process you have reduced the risk of corporate data leakage, whilst allowing users to be productive. A win-win situation.
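To show what the triage described above looks like in practice (the per-app user counts and data volumes from the "Enter Cloud App Discovery" section, and the high-volume file sharing case just discussed), here is an added example that is not part of the original article and not Microsoft's code. The record layout, the category names and the sample usage figures are constructed for illustration and are not the product's export format.

```python
# Added example: triage of SaaS usage records of the kind Cloud App Discovery
# reports (which app, how many users, how much data). Record format and the
# sample figures below are constructed; they are not the product's export format.
from collections import defaultdict

# Constructed sample records for one month: (app, category, user, bytes moved).
SAMPLE_RECORDS = [
    ("Dropbox", "File sharing", "alice", 12_000_000_000),
    ("Dropbox", "File sharing", "bob", 9_500_000_000),
    ("Dropbox", "File sharing", "carol", 4_000_000_000),
    ("Salesforce", "Business", "alice", 250_000_000),
    ("Salesforce", "Business", "dave", 180_000_000),
    ("Twitter", "Marketing", "erin", 40_000_000),
    ("OtherFileShare", "File sharing", "dave", 30_000_000_000),  # constructed app name
]

def summarise(records, categories=None):
    """Aggregate per-app usage: distinct users and total bytes, most data first.

    `categories` restricts the report to selected categories, mirroring the
    option to target data collection at e.g. Business, Marketing or Finance.
    """
    users = defaultdict(set)
    total = defaultdict(int)
    category_of = {}
    for app, category, user, nbytes in records:
        if categories and category not in categories:
            continue
        users[app].add(user)
        total[app] += nbytes
        category_of[app] = category
    rows = ({"app": a, "category": category_of[a], "users": len(users[a]), "bytes": total[a]}
            for a in total)
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)

def high_volume_apps(records, threshold_bytes=10 * 1024 ** 3, category="File sharing"):
    """Apps in `category` moving more than `threshold_bytes` a month: the leakage
    case where blocking alone is not the answer and a managed service is needed."""
    return [r["app"] for r in summarise(records, {category}) if r["bytes"] > threshold_bytes]

if __name__ == "__main__":
    for row in summarise(SAMPLE_RECORDS):
        print(f'{row["app"]:15} {row["category"]:13} users={row["users"]} GB={row["bytes"] / 1e9:.1f}')
    print("Candidates for an enterprise file sharing service:", high_volume_apps(SAMPLE_RECORDS))
```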

Hopefully these examples can help you see the benefit of using Cloud App Discovery and SaaS app integration to help yourselves, your users and your security team work smarter, not harder. The only caveat to note here concerns proxy servers: if your users are configured to use a proxy .pac file to access the internet, there is currently no way to tell the Cloud App Discovery agent to use the .pac file. I have been assured that a central data collector is in the works, but this is not available at the time of writing. The features described in this article are available standalone as part of Azure AD Premium, or as part of the larger Enterprise Mobility Suite. I hope this has given you an insight into the finer details of some of the components which make up EMS. It is a product set with massive depth of scope and functionality, and I for one look forward to using EMS whenever it crops up in my day-to-day work.
