Others posts in this series:
One of the key advantages of Office 365 is the ability to extend productivity tools to employees no matter where they are or what device they use. In an earlier era, VPN was required to access enterprise applications running in the corporate datacenter. This requirement necessitated users to log in from managed devices that had the corporate VPN installed.
Now that employees can access corporate data in Office 365 from personal devices, new risks are emerging to corporate data. One issue is that when data is downloaded or synced to a personal device, information leaves the company when the employee leaves.
An even greater concern is information falling into the wrong hands due to a lack of endpoint security controls. Personal devices that are unmanaged lack enterprise endpoint security that enforces device policies such as drive encryption and device PIN. If that device is stolen—for instance, when an employee is working from a coffee shop or if a laptop is left in the backseat of a car—corporate data is also stolen.
Without endpoint security, the enterprise is unable to remotely wipe the data, which may not be protected at all on the endpoint. For these reasons, many enterprises want to allow employee access to the collaboration tools in Office 365 from any device, but limit the ability to download corporate data to only managed devices.
How Skyhigh helps
When users access Office 365, Skyhigh CASB performs a certificate check to validate the device has appropriate endpoint security in the form of an EMM/MDM solution. Skyhigh also goes one step further by integrating with EMM/MDM providers to pull a mapping of users and their trusted devices and validates that not only does the endpoint have a certificate, but that the user is accessing from a known device and not another device. This second-level check ensures that a malicious user or third party has not spoofed a certificate on an untrusted endpoint in order to circumvent device policies.
Blocking download necessitates intermediating the user’s session with a proxy, not just the login event. As highlighted in the architecture diagram below, personal, unmanaged devices can only be intermediated by a reverse proxy and not a forward proxy. However, while reverse proxies can intermediate logins to the web app and native app, they can only intermediate the usage (and therefore enforce download controls) for the web app.
Skyhigh solves this by enforcing a “no access” policy for unmanaged devices across native O365 applications, and a “view but no download” policy for unmanaged devices across web applications. Customers use Skyhigh to block access to corporate Office 365 instances via the native application on personal devices, while permitting web application access. By proxying the session to the web application, Skyhigh can allow employees to preview data and edit files in Word Online, Excel Online, and PowerPoint Online while preventing files from being downloaded to the endpoint.
Skyhigh can also detect device management status with a SAML assertion passed by the identity provider users log in to Office 365 with.
How it works: deployment architecture
When a file is downloaded or synced, there is no pause for an API call so enforcing a download policy requires the CASB to sit inline between the user and the cloud application. Since a personal device is unmanaged, and therefore traffic is not being routed via an endpoint agent, this control requires the reverse proxy mode.
When a user accesses Office 365, Skyhigh CASB checks the certificate and if it is a personal device it blocks access to the native application and proxies traffic to the web application. Sitting inline in reverse proxy mode, Skyhigh blocks download whenever a user attempts a download a file. If the device is managed, Skyhigh’s reverse proxy gets out of line to allow direct access from the user to Office 365.