Microsoft has announced the unification of its Office 365 service APIs into a single REST URL namespace called the Microsoft Graph. With this release, Microsoft allows other services to easily consume Office 365 data such as user, groups, files, mail and calendar information to offer capabilities that will allow for faster adoption and consumption of Office 365. Skyhigh was a part of Microsoft’s announcement as the first and only CASB to leverage Microsoft Graph to provide enterprises with compliance, threat protection, and data security controls as they deploy and adopt Office 365.
According to the Office 365 Adoption & Risk Report by Skyhigh, the average company uploads 1.37 TB of data to Office 365 each month and 17.4% of the documents uploaded contain sensitive data. Office 365 is seeing massive adoption, and as companies deploy this service they are looking for additional security capabilities that will enable them to better support their compliance and governance requirements. Microsoft is committed to protecting the data in its cloud-based services, but employees often use these cloud services in risky ways and end up making the company susceptible to data breaches and compliance violations. So, enterprises use Skyhigh for Office 365 to gain visibility to activity within Office 365, detect threats from insiders and compromised accounts, enforce data loss prevention policies, and secure data by capturing audit trails and controlling access to data based on user role, device, and location.
By accessing Office 365 data on users, groups, mail and files using Microsoft Graph, Skyhigh is able to scan this data to identify sensitive data and enforce policies. These capabilities are used by several enterprises including Cargill, Aetna, Western Union and Adventist Health across multiple use cases to enforce security, compliance and governance policies in Office 365 deployments.
1. Scan files for sensitive data
Skyhigh’s analysis of documents containing sensitive data on Office 365 showed that 9.2% of files contain confidential corporate data, 4.2% contain sensitive personal information, 2.2% contain protected health information, and 1.8% contains bank accounts and card numbers. One of the most common use cases for companies securing Office 365 usage is to scan the data for DLP policy violations. An On-Demand Scan of the Office 365 deployment scans pre-existing data-at-rest in OneDrive against DLP policies to identify sensitive data and DLP violations. This visibility can help companies take appropriate action, such as quarantining or deleting documents containing sensitive information uploaded outside of policy, or imposing access and sharing restrictions for sensitive content. Skyhigh uses the Graph API to select users or groups to be included as part of the scan and to pull the required files from OneDrive.
2. Scan email for sensitive data
Recent research has indicated that a vast majority of employees send classified or confidential information as email attachments, making email a key source of potential data loss for companies. To protect against this type of potential data loss, companies use Skyhigh to scan email content for sensitive information. By using Microsoft Graph, Skyhigh pulls mail data from Microsoft Exchange and inspects it for policy violations.
3. Apply policies by groups
Companies often have to apply different security policies to groups within the company based on industry regulations or internal company policies. For example, policies may be imposed for all teams except accounting and management to prevent them from exchanging financial information. Similarly all teams except engineering may be prevented from uploading and sharing source code. A Fortune 500 conglomerate uses Skyhigh to apply different policies to its Healthcare and Financial Services companies based on their respective industry regulations. While enforcing group-based policies, Skyhigh uses Microsoft Graph to extract user and group information from Office 365 Groups, which is then used to inform group-specific polices.
4. Extend on-premises DLP to the cloud
When applying DLP to Office 365 usage, most companies would likely prefer leveraging existing policies and workflows built into their on-premises data loss prevention (DLP) solutions such as Symantec-Vontu, RSA or McAfee should they already exist. Skyhigh enables this by seamlessly integrating with on-premises DLP solutions and extending policies and remediation workflows to the cloud. When files are uploaded to Office 365, Skyhigh intercepts and sends these files to the on-premises DLP solution. On receiving violation and remediation information from the on-premises DLP, Skyhigh enforces these policies accordingly. In doing so, Skyhigh leverages Microsoft Graph to access the files stored in OneDrive and also to broker remediation responses when it needs to block, quarantine or delete files.
5. Quarantine Management
If a document violates a data loss prevention policy, one of the remediation responses is to tombstone/quarantine the file. To execute this, Skyhigh uses the Microsoft Graph API to move the file to an administrator account and replace it with a ‘tombstone’ file. Administrators can then review the quarantined files and decide to either remove the file or restore it (with history/revision information).
In analyzing Skyhigh’s 23 million users, we saw that over 87% of the enterprises had at least 100 Office 365 users. While this shows broad adoption of the solution, our data also shows that 93% of the enterprises have yet to fully migrate to Office 365 from the on-premises version, indicating the massive opportunity that lies ahead for Microsoft’s cloud-based offering. Microsoft Graph is a significant advancement that will help Microsoft capitalize on this opportunity by making it easy for their customers to adopt and expand their Office 365 usage. The use cases enabled by Skyhigh using Microsoft Graph allow enterprises to remove security, compliance and governance obstacles, which can delay or prevent the full deployment Office 365. While these use cases address most concerns that enterprises have today, considering the potential of what can be accomplished using these two technologies, this is just the beginning.