The most counter-intuitive aspect of cloud app security is that the greatest risk does not come from data stored at rest in the cloud, but from the simple fact that cloud apps are accessible from ANY device and often include capabilities that synchronize data to those devices easily and automatically. Cloud adoption and consumerization are growing together, with employees demanding to use their own devices to access corporate data.
With this proliferation of data outside of corporate control, companies must be able to protect cloud data downloaded to mobile devices. Controlling data accessibility from unmanaged mobile devices, and revoking data when required, such as when an employee leaves the company or when the device is lost or stolen, is a key requirement for Office 365 security.
SOLUTION: DEVICE PROFILING & SELECTIVE WIPE
In order to secure mobile devices today you should look to solutions that allow for device profiling. The chart below shows an example of this.
The idea is to provide different levels of access to applications and data based on key contextual variables, including the user's role in the organization, the app being accessed, the device and whether it is managed, location, and more. In this example, an employee on a managed device located inside corporate headquarters has full access to Office 365. That same employee accessing Office 365 from an unmanaged device gets a much more restricted level of access: browser-based email only, with sensitive data redacted and encrypted upon download. If a device is lost or an employee leaves the company, a CASB gives you the ability to selectively wipe corporate data from all of their mobile devices.
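The access matrix described above can be expressed as a small policy engine. The following is an added example written for this post, not code from any CASB product: it evaluates the same contextual variables the text lists (role, app, managed or unmanaged device, location) and returns an access level plus the redact/encrypt controls that apply, and it models revocation (lost device, departed user) and selective wipe against a simple device inventory. The tenant data, the `office365` app name, and the rule that a managed device off-site keeps full access but with encrypted downloads are assumptions made for the example; the page only specifies the managed-at-HQ and unmanaged cases.

```python
"""Constructed example of a context-aware access policy of the kind a CASB applies."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class AccessLevel(Enum):
    FULL = "full"
    BROWSER_EMAIL_ONLY = "browser_email_only"   # web mail only, no sync/download
    BLOCK = "block"


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str             # e.g. "employee", "contractor"
    app: str              # e.g. "office365"
    device_id: str
    device_managed: bool  # enrolled in MDM?
    location: str         # e.g. "hq", "remote"


@dataclass(frozen=True)
class Decision:
    level: AccessLevel
    redact_sensitive: bool   # strip sensitive content from what the user sees
    encrypt_downloads: bool  # anything that leaves the cloud is encrypted
    reason: str


@dataclass
class Tenant:
    """Assumed in-memory tenant state: revocation lists and a per-user device inventory."""
    departed_users: Set[str] = field(default_factory=set)
    lost_devices: Set[str] = field(default_factory=set)
    user_devices: Dict[str, Set[str]] = field(default_factory=dict)


def evaluate(ctx: AccessContext, tenant: Tenant) -> Decision:
    """Return the access decision for one request context."""
    # Revocation checks come first: a departed user or a lost/stolen device gets nothing,
    # no matter how trustworthy the rest of the context looks.
    if ctx.user in tenant.departed_users:
        return Decision(AccessLevel.BLOCK, True, True, "user has left the organization")
    if ctx.device_id in tenant.lost_devices:
        return Decision(AccessLevel.BLOCK, True, True, "device reported lost or stolen")
    if ctx.app != "office365":
        return Decision(AccessLevel.BLOCK, True, True, "app not covered by this policy")
    if ctx.role != "employee":
        return Decision(AccessLevel.BLOCK, True, True, "role not permitted")
    if ctx.device_managed and ctx.location == "hq":
        # The page's first case: managed device inside headquarters -> full access.
        return Decision(AccessLevel.FULL, False, False, "managed device at headquarters")
    if ctx.device_managed:
        # Assumed rule (not stated on the page): managed but off-site keeps full access,
        # while downloads are encrypted because the device may leave the building.
        return Decision(AccessLevel.FULL, False, True, "managed device off-site")
    # The page's second case: unmanaged device -> browser email only, redacted and encrypted.
    return Decision(AccessLevel.BROWSER_EMAIL_ONLY, True, True, "unmanaged device")


def offboard_user(user: str, tenant: Tenant) -> List[str]:
    """Mark a user as departed and return the device ids whose corporate data must be wiped."""
    tenant.departed_users.add(user)
    return sorted(tenant.user_devices.get(user, set()))


def report_lost_device(device_id: str, tenant: Tenant) -> List[str]:
    """Revoke a single lost or stolen device and return the wipe list (just that device)."""
    tenant.lost_devices.add(device_id)
    return [device_id]


if __name__ == "__main__":
    t = Tenant(user_devices={"alice": {"laptop-1", "phone-1"}})
    print(evaluate(AccessContext("alice", "employee", "office365", "laptop-1", True, "hq"), t))
    print(evaluate(AccessContext("alice", "employee", "office365", "phone-1", False, "remote"), t))
    print("wipe:", offboard_user("alice", t))
```

Note the ordering: revocation lists are consulted before any of the contextual rules, so a wiped device or departed user cannot regain access by presenting a favourable context.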
Another possible route for data to reach unmanaged devices is external sharing. As an example, an employee who wants access to corporate data from their smartphone or tablet, but doesn't want to enroll in the "big brother" MDM solution, may choose to share corporate files externally to a personal account, bypassing the MDM requirement. A CASB should be able to notify you of such situations and give you the ability to control them, for example by removing the external share.
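The detection the paragraph describes, flagging external shares and in particular the "share it to my own personal account" pattern, is shown below as an added example written for this post; it is not the code or audit-log format of any CASB or of Office 365. The share events, the `example.com` corporate domain, the consumer-domain list and the partner allowlist are all constructed inputs; the self-share heuristic (recipient mailbox name matches the actor's) is an assumption chosen for illustration.

```python
"""Constructed example: flag external file shares, especially shares to personal accounts."""
from dataclasses import dataclass
from typing import List, Optional, Set

CORPORATE_DOMAINS = {"example.com"}                                        # assumed tenant
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}  # assumed list


@dataclass(frozen=True)
class ShareEvent:
    actor: str       # account that created the share
    resource: str    # document path or id
    recipient: str   # address the permission was granted to
    permission: str  # "view" or "edit"


@dataclass(frozen=True)
class Finding:
    event: ShareEvent
    severity: str    # "high", "medium", "low"
    reason: str
    action: str      # "remove_share" or "notify"


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _mailbox(address: str) -> str:
    # Normalize "j.doe" and "jdoe" to the same key for the self-share comparison.
    return address.rsplit("@", 1)[0].lower().replace(".", "")


def classify(event: ShareEvent, partner_domains: Set[str]) -> Optional[Finding]:
    """Return a Finding for an external share, or None when the recipient is internal/allowed."""
    dom = _domain(event.recipient)
    if dom in CORPORATE_DOMAINS or dom in partner_domains:
        return None
    self_share = _mailbox(event.recipient) == _mailbox(event.actor)
    if dom in CONSUMER_DOMAINS and self_share:
        # The MDM-bypass pattern from the text: the employee shares to their own personal account.
        return Finding(event, "high",
                       "share to the employee's own consumer account (MDM bypass)", "remove_share")
    if dom in CONSUMER_DOMAINS:
        return Finding(event, "medium", "share to a consumer email domain", "remove_share")
    return Finding(event, "low", "share to an unknown external domain", "notify")


def scan(events: List[ShareEvent], partner_domains: Set[str]) -> List[Finding]:
    """Run classify over a batch of share events and keep only the findings."""
    findings = []
    for event in events:
        finding = classify(event, partner_domains)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events, not a real audit log.
SAMPLE_EVENTS = [
    ShareEvent("j.doe@example.com", "/Finance/Q3-forecast.xlsx", "jdoe@gmail.com", "edit"),
    ShareEvent("j.doe@example.com", "/Finance/Q3-forecast.xlsx", "a.lee@example.com", "view"),
    ShareEvent("m.kim@example.com", "/HR/headcount-plan.docx", "bob@partner.org", "view"),
    ShareEvent("m.kim@example.com", "/HR/headcount-plan.docx", "cpa@acme-audit.co", "view"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, {"partner.org"}):
        print(f.severity, f.event.actor, "->", f.event.recipient, f.action, "|", f.reason)
```

The allowlist of partner domains is what keeps this from being a blanket "no external sharing" rule; the remediation (`remove_share`) is only proposed for consumer domains, while unknown business domains produce a notification for review.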
Pro Tip: Rather than reinvent the wheel, many organizations start by creating policies very similar to those that they have created for remote access to internal applications on SSL VPN platforms, saving considerable policy development time.
Stay tuned to find out more about Securing Office 365, and don't forget to subscribe to the blog to get new posts in your inbox!
To help provide more color on Office 365 security challenges, we have created The Definitive Guide to Office 365 Security. We're providing the entire document via a series of posts on this blog. Of course, if you binge-watched all of Game of Thrones on Netflix in one sitting, you might want to binge-read the Definitive Guide by "streaming" it to your device right here.