CloudApp



For information about Office 365 Cloud App Security, see Get started with Office 365 Cloud App Security.

  • © Copyright 2016 Microsoft Corporation. All rights reserved.

Important

Azure Cloud Services (extended support) is a new Azure Resource Manager based deployment model for the Azure Cloud Services product. With this change, Azure Cloud Services running on the Azure Service Manager based deployment model have been renamed as Cloud Services (classic) and all new deployments should use Cloud Services (extended support).

When you create a Cloud Service, Azure assigns it to a subdomain of cloudapp.net. For example, if your Cloud Service is named 'contoso', your users will be able to access your application on a URL like http://contoso.cloudapp.net. Azure also assigns a virtual IP address.

However, you can also expose your application on your own domain name, such as contoso.com. This article explains how to reserve or configure a custom domain name for Cloud Service web roles.

Do you already understand what CNAME and A records are? Jump past the explanation.

Note

The procedures in this task apply to Azure Cloud Services. For App Services, see Map an existing custom DNS name to Azure Web Apps. For storage accounts, see Configure a custom domain name for your Azure Blob storage endpoint.

Tip

Get going faster--use the NEW Azure guided walkthrough! It makes associating a custom domain name AND securing communication (TLS) with Azure Cloud Services or Azure Websites a snap.

Understand CNAME and A records

CNAME records (or alias records) and A records both allow you to associate a domain name with a specific server (or, in this case, a service); however, they work differently. There are also some specific considerations when using A records with Azure Cloud Services that you should weigh before deciding which to use.

CNAME or Alias record

A CNAME record maps a specific domain, such as contoso.com or www.contoso.com, to a canonical domain name. In this case, the canonical domain name is the [myapp].cloudapp.net domain name of your Azure hosted application. Once created, the CNAME creates an alias for the [myapp].cloudapp.net. The CNAME entry will resolve to the IP address of your [myapp].cloudapp.net service automatically, so if the IP address of the cloud service changes, you do not have to take any action.

Note

Some domain registrars only allow you to map subdomains when using a CNAME record, such as www.contoso.com, and not root names, such as contoso.com. For more information on CNAME records, see the documentation provided by your registrar, the Wikipedia entry on CNAME record, or the IETF Domain Names - Implementation and Specification document.

A record

An A record maps a domain, such as contoso.com or www.contoso.com, or a wildcard domain such as *.contoso.com, to an IP address; in the case of an Azure Cloud Service, this is the virtual IP of the service. The main benefit of an A record over a CNAME record is that you can have one entry that uses a wildcard, such as *.contoso.com, which would handle requests for multiple subdomains such as mail.contoso.com, login.contoso.com, or www.contoso.com.


Note

Since an A record is mapped to a static IP address, it cannot automatically resolve changes to the IP address of your Cloud Service. The IP address used by your Cloud Service is allocated the first time you deploy to an empty slot (either production or staging). If you delete the deployment for the slot, the IP address is released by Azure and any future deployments to the slot may be given a new IP address.

Conveniently, the IP address of a given deployment slot (production or staging) is persisted when swapping between staging and production deployments or performing an in-place upgrade of an existing deployment. For more information on performing these actions, see How to manage cloud services.

Add a CNAME record for your custom domain

To create a CNAME record, you must add a new entry in the DNS table for your custom domain by using the tools provided by your registrar. Each registrar has a similar but slightly different method of specifying a CNAME record, but the concepts are the same.

  1. Use one of these methods to find the .cloudapp.net domain name assigned to your cloud service.

    • Log in to the Azure portal, select your cloud service, look at the Overview section and then find the Site URL entry.

      OR

    • Install and configure Azure PowerShell, and then use the following command:

      Save the domain name used in the URL returned by either method, as you will need it when creating a CNAME record.

  2. Log on to your DNS registrar's website and go to the page for managing DNS. Look for links or areas of the site labeled as Domain Name, DNS, or Name Server Management.

  3. Now find where you can select or enter CNAMEs. You may have to select the record type from a drop-down, or go to an advanced settings page. You should look for the words CNAME, Alias, or Subdomains.

  4. You must also provide the domain or subdomain alias for the CNAME, such as www if you want to create an alias for www.customdomain.com. If you want to create an alias for the root domain, it may be listed as the '@' symbol in your registrar's DNS tools.

  5. Then, you must provide a canonical host name, which is your application's cloudapp.net domain in this case.

For example, the following CNAME record forwards all traffic from www.contoso.com to contoso.cloudapp.net, the cloudapp.net domain name of your deployed application:

Alias/Host name/Subdomain    Canonical domain
www                          contoso.cloudapp.net

Note

A visitor of www.contoso.com will never see the true host (contoso.cloudapp.net), so the forwarding process is invisible to the end user.

The example above only applies to traffic at the www subdomain. Since you cannot use wildcards with CNAME records, you must create one CNAME for each domain/subdomain. If you want to direct traffic from subdomains, such as *.contoso.com, to your cloudapp.net address, you can configure a URL Redirect or URL Forward entry in your DNS settings, or create an A record.

Add an A record for your custom domain

To create an A record, you must first find the virtual IP address of your cloud service. Then add a new entry in the DNS table for your custom domain by using the tools provided by your registrar. Each registrar has a similar but slightly different method of specifying an A record, but the concepts are the same.

  1. Use one of the following methods to get the IP address of your cloud service.

    • Log in to the Azure portal, select your cloud service, look at the Overview section and then find the Public IP addresses entry.

      OR

    • Install and configure Azure PowerShell, and then use the following command:

      Save the IP address, as you will need it when creating an A record.

  2. Log on to your DNS registrar's website and go to the page for managing DNS. Look for links or areas of the site labeled as Domain Name, DNS, or Name Server Management.

  3. Now find where you can select or enter A records. You may have to select the record type from a drop-down, or go to an advanced settings page.

  4. Select or enter the domain or subdomain that will use this A record. For example, select www if you want to create an alias for www.customdomain.com. If you want to create a wildcard entry for all subdomains, enter '*'. This will cover all subdomains such as mail.customdomain.com, login.customdomain.com, and www.customdomain.com.

    If you want to create an A record for the root domain, it may be listed as the '@' symbol in your registrar's DNS tools.

  5. Enter the IP address of your cloud service in the provided field. This associates the domain entry used in the A record with the IP address of your cloud service deployment.

For example, the following A record forwards all traffic from contoso.com to 137.135.70.239, the IP address of your deployed application:

Host name/Subdomain    IP address
@                      137.135.70.239

This example demonstrates creating an A record for the root domain. If you wish to create a wildcard entry to cover all subdomains, you would enter '*' as the subdomain.

Warning

IP addresses in Azure are dynamic by default. You will probably want to use a reserved IP address to ensure that your IP address does not change.
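
The caveats above (an A record does not follow a changed IP address, and deleting a deployment releases its address) make it worth re-checking custom-domain records against what the cloud service currently holds. The following Python check is an added example, not part of the original article; the record list and service inventory are constructed, and it assumes every listed record is meant to point at the cloud service.

```python
import ipaddress

# Constructed sample: (host, type, value) rows as exported from a registrar's
# DNS table. Only the www and @ rows mirror the article's examples.
RECORDS = [
    ("www",   "CNAME", "contoso.cloudapp.net"),
    ("shop",  "CNAME", "contoso-old.cloudapp.net."),
    ("@",     "A",     "137.135.70.239"),
    ("*",     "A",     "137.135.70.239"),
    ("login", "A",     "203.0.113.10"),
]
# Hypothetical inventory: cloud service name -> virtual IP currently assigned.
SERVICES = {"contoso": "137.135.70.239"}
SUFFIX = ".cloudapp.net"


def audit(records, services):
    """Return (host, type, value, finding) for every record that needs review."""
    live_ips = {ipaddress.ip_address(ip) for ip in services.values()}
    findings = []
    for host, rtype, value in records:
        rtype = rtype.upper()
        value = value.rstrip(".").lower()  # tolerate trailing dot and case
        if rtype == "CNAME":
            if host == "*":
                findings.append((host, rtype, value, "wildcard used with CNAME"))
            if value.endswith(SUFFIX) and value[: -len(SUFFIX)] not in services:
                findings.append((host, rtype, value,
                                 "cloudapp.net target is not a current service"))
        elif rtype == "A":
            if ipaddress.ip_address(value) not in live_ips:
                findings.append((host, rtype, value,
                                 "IP is not assigned to a current service"))
            elif host == "*":
                findings.append((host, rtype, value,
                                 "wildcard: every subdomain resolves to the service"))
    return findings


if __name__ == "__main__":
    for row in audit(RECORDS, SERVICES):
        print(*row, sep="\t")
```

Records flagged as stale should be corrected or removed at the registrar; a reserved IP address, as the warning above recommends, keeps the A-record findings from recurring after a redeployment.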

Next steps

  • General configuration of your cloud service.
  • Learn how to deploy a cloud service.
  • Configure TLS/SSL certificates.

Moving to the cloud increases flexibility for employees and IT alike. However, it also introduces new challenges and complexities for keeping your organization secure. To get the full benefit of cloud apps and services, an IT team must find the right balance of supporting access while maintaining control to protect critical data.

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

Microsoft Cloud App Security natively integrates with leading Microsoft solutions and is designed with security professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.

For information about licensing, see the Microsoft Cloud App Security licensing datasheet.

What is a CASB?

Moving to the cloud increases flexibility for employees and IT teams. However, it also introduces new challenges and complexities for keeping your organization secure. To get the full benefit of cloud apps and services, an IT team must find the right balance of supporting access while protecting critical data.

This is where a Cloud Access Security Broker steps in to address the balance, adding safeguards to your organization's use of cloud services by enforcing your enterprise security policies. As the name suggests, CASBs act as a gatekeeper to broker access in real time between your enterprise users and the cloud resources they use, wherever your users are located and regardless of the device they are using.

CASBs do this by discovering and providing visibility into Shadow IT and app use, monitoring user activities for anomalous behaviors, controlling access to your resources, providing the ability to classify sensitive information and prevent its leakage, protecting against malicious actors, and assessing the compliance of cloud services.

CASBs address security gaps in an organization's use of cloud services by providing granular visibility into and control over user activities and sensitive data. CASB coverage scope applies broadly across SaaS, PaaS, and IaaS. For SaaS coverage, CASBs commonly work with the most popular content collaboration platforms (CCP), CRM systems, HR systems, Enterprise resource planning (ERP) solutions, service desks, office productivity suites, and enterprise social networking sites. For IaaS and PaaS coverage, several CASBs govern the API-based usage of popular cloud service providers (CSP) and extend visibility and governance to applications running in these clouds.

Why do I need a CASB?


You need a CASB to better understand your overall cloud posture across SaaS apps and cloud services and, as such, Shadow IT discovery and app governance are key use cases. Additionally, an organization is responsible for managing and securing its cloud platform including IAM, VMs and their compute resources, data and storage, network resources, and more. Therefore, if you are an organization that uses, or is considering using, cloud apps in your portfolio of network services, you most likely need a CASB to address the additional, unique challenges of regulating and securing your environment. For example, there are many ways for malicious actors to leverage cloud apps to get into your enterprise network and exfiltrate sensitive business data.

As an organization, you need to protect your users and confidential data from the different methods employed by malicious actors. In general, CASBs should help you do this by providing a wide array of capabilities that protect your environment across the following pillars:

  • Visibility: detect all cloud services; assign each a risk ranking; identify all users and third-party apps able to log in
  • Data security: identify and control sensitive information (DLP); respond to classification labels on content
  • Threat protection: offer adaptive access control (AAC); provide user and entity behavior analysis (UEBA); mitigate malware
  • Compliance: supply reports and dashboards to demonstrate cloud governance; assist efforts to conform to data residency and regulatory compliance requirements

The Cloud App Security framework

  • Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 16,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.

  • Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the-box policies and automated processes to apply controls in real time across all your cloud apps.

  • Protect against cyberthreats and anomalies: Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.

  • Assess the compliance of your cloud apps: Assess if your cloud apps meet relevant compliance requirements including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps, and limit access to regulated data.

Architecture

Cloud App Security integrates visibility with your cloud by:

  • Using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.
  • Sanctioning and unsanctioning apps in your cloud.
  • Using easy-to-deploy app connectors that take advantage of provider APIs, for visibility and governance of apps that you connect to.
  • Using Conditional Access App Control protection to get real-time visibility and control over access and activities within your cloud apps.
  • Helping you have continuous control by setting, and then continually fine-tuning, policies.

Data retention & compliance

For more information about Microsoft Cloud App Security data retention and compliance, see Microsoft Cloud App Security data security and privacy.

Cloud Discovery

Cloud Discovery uses your traffic logs to dynamically discover and analyze the cloud apps that your organization is using. To create a snapshot report of your organization's cloud use, you can manually upload log files from your firewalls or proxies for analysis. To set up continuous reports, use Cloud App Security log collectors to periodically forward your logs.

For more information about Cloud Discovery, see Set up Cloud Discovery.

Sanctioning and unsanctioning an app

You can use Cloud App Security to sanction or unsanction apps in your organization by using the Cloud app catalog. The Microsoft team of analysts has an extensive and continuously growing catalog of over 16,000 cloud apps that are ranked and scored based on industry standards. You can use the Cloud app catalog to rate the risk for your cloud apps based on regulatory certifications, industry standards, and best practices. Then, customize the scores and weights of various parameters to your organization's needs. Based on these scores, Cloud App Security lets you know how risky an app is. Scoring is based on over 80 risk factors that might affect your environment.
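
To make the two steps above concrete (discovering apps from traffic logs, then rating them with organization-specific weights), the following Python code is an added example and is not Cloud App Security's own implementation or scoring model. The log layout, catalog entries, risk factors, weights and the 0-10 scale are all constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines: timestamp, user, destination host, bytes uploaded.
LOG = """\
2024-05-01T09:00:01 alice files.example-share.test 52000
2024-05-01T09:00:07 bob crm.example-sales.test 1200
2024-05-01T09:02:13 alice files.example-share.test 910000
2024-05-01T09:05:40 carol paste.example-bin.test 300
truncated line
"""
# Hypothetical catalog: domain -> (app, rating per risk factor, 0 worst .. 10 best).
CATALOG = {
    "example-share.test": ("ExampleShare", {"encryption": 9, "mfa": 8, "audit": 7}),
    "example-sales.test": ("ExampleSales", {"encryption": 10, "mfa": 10, "audit": 9}),
    "example-bin.test": ("ExampleBin", {"encryption": 2, "mfa": 0, "audit": 1}),
}
WEIGHTS = {"encryption": 3, "mfa": 2, "audit": 1}  # assumed per-organization weights
SANCTIONED = {"ExampleSales"}


def score(ratings, weights):
    """Weighted average of the factor ratings, on the same 0-10 scale."""
    total = sum(weights.values())
    return round(sum(ratings[f] * w for f, w in weights.items()) / total, 1)


def discover(log, catalog, weights, sanctioned):
    """Aggregate traffic per app; return unsanctioned apps, lowest score first."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not match the expected layout
        _, user, host, sent = parts
        domain = next((d for d in catalog
                       if host == d or host.endswith("." + d)), None)
        if domain is None:
            continue  # destination is not a catalogued cloud app
        app = catalog[domain][0]
        usage[app]["users"].add(user)
        usage[app]["bytes"] += int(sent)
    report = []
    for app, ratings in catalog.values():
        if app in usage and app not in sanctioned:
            u = usage[app]
            report.append((app, score(ratings, weights), sorted(u["users"]), u["bytes"]))
    return sorted(report, key=lambda row: row[1])


if __name__ == "__main__":
    for row in discover(LOG, CATALOG, WEIGHTS, SANCTIONED):
        print(row)
```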

App connectors

App connectors use APIs from cloud app providers to integrate the Cloud App Security cloud with other cloud apps. App connectors extend control and protection. They also give you access to information directly from cloud apps, for Cloud App Security analysis.


To connect an app and extend protection, the app administrator authorizes Cloud App Security to access the app. Then, Cloud App Security queries the app for activity logs, and it scans data, accounts, and cloud content. Cloud App Security can enforce policies, detect threats, and provide governance actions for resolving issues.

Cloud App Security uses the APIs provided by the cloud provider. Each app has its own framework and API limitations. Cloud App Security works with app providers on optimizing the use of APIs to ensure the best performance. Considering the various limitations that apps impose on APIs (such as throttling, API limits, and dynamic time-shifting API windows), the Cloud App Security engines utilize the allowed capacity. Some operations, like scanning all files in the tenant, require a large number of APIs, so they're spread over a longer period. Expect some policies to run for several hours or several days.

Conditional Access App Control protection

Microsoft Cloud App Security Conditional Access App Control uses reverse proxy architecture to give you the tools you need to have real-time visibility and control over access to and activities performed within your cloud environment. With Conditional Access App Control, you can protect your organization:


  • Avoid data leaks by blocking downloads before they happen
  • Set rules that force data stored in and downloaded from the cloud to be protected with encryption
  • Gain visibility into unprotected endpoints so you can monitor what's being done on unmanaged devices
  • Control access from non-corporate networks or risky IP addresses

Policy control


You can use policies to define your users' behavior in the cloud. Use policies to detect risky behavior, violations, or suspicious data points and activities in your cloud environment. If needed, you can use policies to integrate remediation processes to achieve complete risk mitigation. Types of policies correlate to the different types of information you might want to gather about your cloud environment and the types of remediation actions you might take.


Next steps

  • Read about the basics in Getting started with Cloud App Security.

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.