What is Office 365 Cloud App Security?

Microsoft Office 365 Cloud App Security is achieved through a Cloud Access Security Broker (CASB) that delivers rich visibility, control over data and sophisticated analytics to help protect organizations from threats to cloud services and applications. 

Office 365 Cloud App Security is now part of Microsoft Defender for Cloud Apps, a comprehensive cross-SaaS solution that delivers full visibility of and protection for SaaS apps along with tools for threat protection and data security. Microsoft Defender for Cloud Apps and Office 365 Cloud App Security excel at protecting data and applications within the Microsoft ecosystem. However, these solutions are less effective at securing data in other operating systems and at unifying policies for all cloud instances outside of Office 365. 

To improve cloud app security, organizations that rely on Office 365 for productivity often adopt a third-party CASB that provides broader coverage, greater control, stronger protections and simpler management.

CASBs are security tools that may be deployed as software on-premises or in the cloud or accessed as a service from a CASB vendor. A CASB tool sits between users and the cloud resources they consume, monitoring traffic and requests, filtering out threats and suspicious login attempts, authenticating users and enforcing a wide range of security policies. A CASB service can also help IT and security teams to discover and identify all the cloud applications within the organization’s ecosystem as well as all the users interacting with them. This feature of CASBs helps to eliminate security gaps and uncover instances of shadow IT.

By monitoring activity and enforcing security policies, CASBs can help organizations to:

• Prevent data loss by inspecting traffic and blocking sensitive data from being publicly exposed or shared without authorization.
• Control which cloud apps can be securely adopted and safely used.
• Monitor traffic for malware and identify malicious files in cloud-based apps, blocking or remediating dangerous code quickly.
• Protect data on both managed and unmanaged devices with granular access controls that prevent downloads or apply protection labels.
• Secure shadow IT by identifying and blocking access to unsanctioned apps or redirecting employees to approved cloud applications.
• Monitor and control how users access cloud services from specific devices.
• Improve data security by preventing exfiltration, enforcing encryption and managing authentication and access.
• Enhance compliance by increasing the visibility of regulated data in cloud applications, enforcing security policies and proving demonstrable control over data to regulators.
• Simplify management with one platform for setting, managing and enforcing security policies across all cloud applications.
   

The best way to protect Office 365 is with a centralized security platform that manages all cloud applications and infrastructure and provides capabilities in five key areas.

• Extending protection to the cloud. A superior solution for Office 365 Cloud App Security will extend enterprise-class data protection to cloud apps and application environments across the enterprise, not just the Office 365 ecosystem.
• Detecting threats. A cloud security solution should detect and prevent advanced threats in email and online file shares.
• Improving visibility and control. Gaining visibility and control of unmanaged and managed device access for Office 365 and other cloud apps is critical to cloud app security.
• Managing high-risk users. A cloud app security solution for Office 365 should detect and control high-risk users, including compromised accounts and threat actors with malicious intent.
• Minimizing costs. An Office 365 Cloud App Security solution should reduce operational costs and configuration risk by eliminating security silos across the ecosystem, including siloed information in Microsoft, third-party cloud app security and other technology in the security stack.

Office 365 Cloud App Security and Microsoft Defender for Cloud Apps offer API protection for applications supported by Microsoft, but these solutions can’t adequately support applications outside the Microsoft ecosystem. 

For organizations relying solely on Office 365 Cloud App Security to protect cloud assets, this limitation introduces significant security gaps.

• Office 365 Cloud App Security does not provide control of both managed and unmanaged apps.
• The native CASB in Office 365 may not adequately protect data shared with popular productivity platforms like Salesforce, Dropbox, Marketo and others.
• Security teams relying solely on the native CASB in Office 365 will need to create separate security policies and protocols for cloud applications outside the Microsoft ecosystem, rather than unifying policies for all cloud apps on a single platform.
• Any sensitive data that is not within the Microsoft ecosystem may not be protected by Office 365 Cloud Security.
• Data protection policies in Office 365 Cloud App Security and Microsoft Defender are available only for Microsoft products through Microsoft.
• Microsoft’s built-in anomaly protection policies offer only basic templates that must be tailored for use within an organization, adding more tasks to already over-burdened IT teams.
• Microsoft does not provide options for agent deployment or in-line (proxy) deployment of Office 365 Cloud App Security, and provides reverse proxy deployment only with an Azure AD license.

Forcepoint offers market-leading solutions built to protect the modern enterprise. As part of Forcepoint ONE – an all-in-one, cloud-native security platform – Forcepoint offers a CASB solution that can add additional protections, functionality and flexibility to Office 365 Cloud App Security.

Forcepoint ONE CASB brings Zero Trust access to cloud applications with continuous control of business-critical data, no matter where users are working or what device they’re using. Forcepoint ONE CASB delivers a comprehensive solution for securing applications in the cloud that extends best-in-class data security to Office 365 deployments.

With Forcepoint ONE CASB, organizations can surpass the limitations of Office 365 Cloud App Security.

• Anomaly detection. Forcepoint CASB offers pre-defined, sophisticated algorithms to fingerprint devices and learn user behaviors, helping to detect anomalies and prevent unauthorized access using stolen login credentials.
• One platform for all cloud applications. Forcepoint enables security teams to set policies from a central location and enforce them across all cloud applications, including Office 365.
• Block auto-syncing. The automatic data synchronization feature of Outlook and other Microsoft applications poses a serious risk to cloud security. Forcepoint CASB enables granular access control to block real-time auto-syncing of email and files on unmanaged devices, preventing data proliferation and enhancing security.
• Enhanced Data Loss Prevention (DLP). Forcepoint’s CASB DLP capabilities can monitor activities and control the sharing of sensitive data files through granular file-sharing policies.
• View all users. Forcepoint CASB delivers complete visibility into all Office 365 users, including contractors and ex-employees. Forcepoint can monitor activities in real time, including uploads, downloads and shares to see what users are doing down to individual actions and data objects.
• Enhance compliance. Forcepoint identifies sensitive information and regulated data stored in OneDrive to ensure compliance with regulatory frameworks like FISMA, HIPAA and NIST. 
• Control shadow IT. By helping security teams identify and protect all cloud applications in use, Forcepoint ONE CASB takes back control of unsanctioned cloud applications that may hinder the complete adoption of Office 365.