Last time, I introduced the function to expose “Exchange Online” and “SharePoint Online” to the outside in read-only mode by using “Session Control”. With this function, you can provide employees with an environment where they can work safely without restricting which devices they use.
Recently, however, the use of various SaaS (Software as a Service) applications has become common, and we often receive requests to apply the same control to other SaaS applications. This time, as an “advanced edition”, we will introduce a session control function using “Cloud App Security” that meets such demands.
Operation on the client terminal side
By applying the session control function of Cloud App Security to SaaS applications, the following controls can be applied.
■ Downloads
When you try to download a file in a SaaS app, it is blocked by session control.
■ Cut / copy / paste
If you try to cut / copy / paste text in the SaaS app, it is blocked by session control. This prevents the text information on the screen from being copied and taken out.
■ Printing block
When you try to print the screen of the SaaS application with the print function of the browser, it is blocked. This prevents the information from being taken out on paper.
Because this control is provided by Cloud App Security and does not depend on the functions of each individual SaaS, uniform governance can be applied, and the various SaaS applications can be used safely from any device. From here, I will introduce the specific setting procedure.
Specific procedure for setting session control
The setting procedure consists of the following three steps. If you make a mistake, unintended access control may be enabled, so proceed carefully, one step at a time.
· Step 1: Set up conditional access and enable session control
· Step 2: Make sure Session Control is enabled in Cloud App Security
· Step 3: Set session policy in Cloud App Security
In addition, this procedure assumes the following items.
- The target SaaS application is configured to authenticate with Azure Active Directory (Azure AD)
- Cloud App Security is available (if you do not have a license, please use the evaluation version)
[Step 1] Set up conditional access to enable session control
First, enable “conditional access” to enable session control. Sign in to the Azure portal and click Azure Active Directory > Conditional Access > New Policy to create the required policy.
- Select the app for which you want to control the session by selecting [Assign] → [Cloud App] (“Salesforce” is used in this article).
- Select [Access Control] → [Session], check “Use conditional access control of the app”, and select “Use custom policy” from the pull-down menu.
As in the case of Exchange Online / SharePoint Online, you can also specify the applicable users and groups under “Users and groups” in the “Assignment” item. It is also possible to define internal / external networks by specifying a location in the conditions, and to enable this setting only for the external network.
- [Reference] Deploying Conditional Access App Control for Azure AD apps - Create a TEST policy for Azure AD conditional access
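Step 1 can also be scripted. The following is an added example, not part of the original article: it creates the same conditional access policy with the Microsoft Graph PowerShell SDK and reads it back. The application ID, group ID and policy name are placeholders chosen for illustration; the cloudAppSecurityType value "mcasConfigured" corresponds to “Use custom policy” in the portal.

```powershell
# Added example (not from the original article).
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders (assumptions): replace with values from your own tenant.
$targetAppId  = '<APPLICATION-ID-OF-TARGET-SAAS-APP>'   # app selected under [Assign] -> [Cloud App]
$pilotGroupId = '<OBJECT-ID-OF-PILOT-GROUP>'            # limit the first rollout to a test group

$policy = @{
    displayName = 'Session control - target SaaS app (pilot)'   # hypothetical name
    state       = 'enabled'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($targetAppId) }
        # Optional: apply only outside the trusted (internal) network.
        # Remove this block if the Step 2 check is performed from an internal network.
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'mcasConfigured'   # "Use custom policy"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm what was actually stored,
# since a mis-scoped policy enables unintended access control.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check | Format-List DisplayName, State
$check.Conditions.Users        | Format-List IncludeUsers, IncludeGroups
$check.Conditions.Applications | Format-List IncludeApplications
$check.SessionControls.CloudAppSecurity | Format-List IsEnabled, CloudAppSecurityType
```

If IncludeUsers shows "All" or IncludeApplications shows "All" in the read-back, the policy is scoped wider than intended and should be corrected before moving on to Step 2.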
[Step 2] Make sure Session Control is enabled in Cloud App Security
Next, make sure that session control is enabled by the conditional access policy you set up in step 1. Conditional access takes some time to actually take effect after the policy is set, so wait a few minutes after completing step 1 before performing this check.
First, sign out of all existing sessions, make sure your browser is not in “InPrivate mode”, and then sign in to the target SaaS app.
After successfully signing in, go to “Investigation” -> “Connected apps” -> “App conditional access control apps” from the Cloud App Security portal screen, and confirm that the target SaaS app is displayed in the list.
- [Reference] Deploy Conditional Access App Control for Azure AD app - Sign in to the app as a user within the scope of the policy
[Step 3] Set session policy in Cloud App Security
Finally, create a session policy in Cloud App Security. From the Cloud App Security portal screen, go to “Control” -> “Policy” -> “Create Policy” -> “Session Policy” and create the following two policies.
- Policy 1: Policy to block file downloads
  - Under Policy Templates, select “Block downloads based on real-time content inspection” and click Apply Template.
  - Select “None” from the [Inspection method] pull-down menu.
- Policy 2: Policy to block screen cut / copy / paste / print
  - Under Policy Templates, select “Block cut, copy, and paste based on real-time content inspection”, and click Apply Template.
  - Under “Add activity filter to policy”, add “Print” from the drop-down list to the right of Activity Type.
  - Uncheck the [Content Inspection] check box.
After creating the policy, sign out of all existing sessions and sign in to the target SaaS app from a device outside your company’s control. The following alert will be displayed. Select “Continue Salesforce” to continue signing in.
After signing in, you’ll see that the SaaS app has the following controls:
As you can see, session control using Cloud App Security makes it possible to open SaaS applications to employees without restricting the devices they use.
In addition, as shown in the above figure, session control using Cloud App Security can be applied not only to SaaS applications but also to on-premises web applications published by “Azure App Proxy”.
This makes it possible to open all the applications necessary for business to employees without restricting the devices they use. We hope that this article will help IT departments support the diverse work styles of employees.