alphaspirit - Fotolia

Manage Learn to apply best practices and optimize your operations.

Cloud App Discovery spotlights shadow IT users

Employees that use unsanctioned apps can jeopardize the business. Cloud App Discovery generates detailed reports on unapproved services to help IT mitigate risk.

Do you know what end users do with a company's data? Do they use Dropbox to share documents with clients? Discuss trade secrets via Slack? Plan secret projects on Trello? The Cloud App Discovery feature in Office 365 reveals certain shadow IT practices admins need to know to secure the enterprise.

End users often enlist cloud services to perform their jobs, but the practice of introducing unsanctioned apps invites risk. It circumvents security practices, which potentially opens the company to an unexpected compliance issue or a cyberattack. Cloud App Discovery uncovers shadow IT without the need to implement agent-based software on users' computers and mobile devices.

Here's how to identify and monitor use of unauthorized cloud services within the organization -- and what to do about it.

Find hidden app usage with Cloud App Discovery

Office 365's E3 subscription includes Cloud App Discovery, a component of Cloud App Security. This service interprets log files from web proxy servers, firewalls and network devices, such as wireless access points and switches, to create a visual picture of the shadow IT services used in the organization.

Cloud App Security dashboard
Figure 1. The Discover tab in Office 365 Cloud App Security presents a visual summary of shadow IT services used in the organization.

The Office 365 version of Cloud App Discovery indicates services that have similar functions to Office 365 apps, especially productivity services. Therefore, the discovered apps section does not include nonproductivity applications. We'll show how to uncover those later in this article.

Create reports of productivity apps

Cloud App Discovery uses logs taken from a network device that sits between end users and the internet. The Cloud App Discovery service supports common log file formats, such as those generated by Cisco access points, open source web proxy servers or third-party cloud services, such as Symantec Websense.

The admin then accesses the Cloud App Discovery feature from the Security & Compliance Center. Download a log file from the network device in a format that Cloud App Discovery supports, navigate to the main console and choose Discover > Create new snapshot report.

Search for and specify the log format from the list, then upload the log file. Office 365 takes up to 24 hours to process and display the results.

Log file upload
Figure 2. To create a new snapshot report, search for the log format you want to use, and upload the log file.

Navigate to Discover > Manage snapshot reports to see the uploaded file. Office 365 shows processed reports as Ready.

Manage snapshot reports
Figure 3. The snapshot reports section indicates when the admin uploaded the report and its status.

The report shows the productivity apps in use from the Office 365 platform and from other cloud services. Select an app to open an Excel spreadsheet for more details, such as how many users accessed the service, how many times users accessed it and the amount of traffic uploaded to and downloaded from the service.

Discovered apps
Figure 4. View the report to see the productivity apps that are in use and to see detailed information about each app.

Automate the log upload process

Organizations that subscribe to Enterprise Mobility and Security (EMS) E3 can extend Cloud App Discovery's functionality in several powerful ways.

The continuous reports feature automates log uploads through a customized VM with a syslog server and an HTTPS uploader.

To configure continuous reports, use the Discover > Upload logs automatically option in Cloud App Security. The admin adds a data source, which replaces the uploaded log file. The admin then defines a log collector and links it to the data source, which generates the information to deploy the Hyper-V or VMware VM.

After the VM deploys, configure one or more network devices to send data to the log collector in the format that matches the defined data source. Figure 5 shows an example of a Cisco Meraki device set up to send URL data in syslog format to the log collector's VM IP address.

Configure URL data
Figure 5. Configure a network device to send data to the VM IP address for the log collector.

After about 24 hours, results from logged data will appear in the Cloud App Discovery section. The admin accesses both real-time and historic information related to app usage.

Cloud App Discovery dashboard
Figure 6. The Cloud App Discovery dashboard shows current app usage statistics and provides access to historical information.

See the threat level of shadow IT services

Aside from productivity services -- such as webmail, cloud storage and content sharing -- Cloud App Discovery also provides visibility into other areas. The EMS-based version of the tool detects internet of things devices, cloud service use from providers such as Amazon Web Services and visits to websites.

Cloud App Discovery ranks the discovered services based on risk score from one to 10. A lower score indicates a more suspicious application. The Cloud Discovery service determines the rank through assessment of security policies, such as where the data resides, who has access, who has control and whether organizations can prevent unauthorized access.

Apps designed for enterprise use, such as Google's G Suite, get good scores. Services that provide less organizational control, such as WhatsApp, receive poor grades.

WhatsApp is considered a risky service because no one has administrative control. For example, a financial advisor who communicates with a client over WhatsApp could breach regulations because the business cannot record the conversation for future discovery.

View the detailed report on each service, and decide whether to approve the cloud service.

Figure 7 lists the services with usage statistics and threat level:

Discovered apps tab
Figure 7. The Discovered apps tab lists the services used on the company network with details on the traffic used and the risk score.

Take action against shadow IT

Administrators should take action when armed with data from Cloud App Discovery. If workers use Trello, Slack and Box, then admins should deploy the corresponding Office 365 services -- Planner, Teams and OneDrive for Business, respectively.

However, IT should still take action even if the business can't make these Office 365 apps immediately available. In that case, let end users know that the company plans to roll out Microsoft services to replace shadow IT apps. Explain the benefits of the move, such as service integration across the Office 365 suite.

The EMS-integrated capabilities give admins a way to configure security alerts when workers use these unsanctioned apps. Part of the continuous reports feature partially controls the use of apps. For example, an admin creates a rule that identifies when a user downloads a lot of data from Office 365 and then uploads a lot of data to Dropbox. When the rule detects this activity, the admin gets an alert and notifies the security team to block that user's access to Office 365.

Next Steps

Slack or Microsoft Teams: Which one makes more sense?

Shadow IT dangers present best opportunity to use cloud access security brokers

Regulate shadow IT to reduce risk

Dig Deeper on Office 365 and Microsoft SaaS setup and management