Tutorial: Discover and manage shadow IT in your network

Applies to: Microsoft Cloud App Security

When IT admins are asked how many cloud apps they think their employees use, on average they say 30 or 40, when in reality the average is over 1,000 separate apps in use by employees in an organization. Shadow IT discovery helps you know and identify which apps are being used and what your risk level is. 80% of employees use non-sanctioned apps that no one has reviewed, and these apps may not be compliant with your security and compliance policies. And because your employees are able to access your resources and apps from outside your corporate network, it's no longer enough to have rules and policies on your firewalls.

This tutorial provides instructions for using Cloud Discovery to discover which apps are being used, explore the risk of these apps, configure policies to identify new risky apps that are being used, and unsanction these apps in order to block them natively using your proxy or firewall appliance.

  • Discover and identify Shadow IT
  • Evaluate and analyze
  • Manage your apps
  • Advanced Shadow IT discovery reporting
  • Control sanctioned apps

How to discover and manage Shadow IT in your network

Use this process to roll out Shadow IT Cloud Discovery in your organization.

(Diagram: Shadow IT lifecycle)

Phase 1: Discover and identify Shadow IT

  1. Discover Shadow IT: Identify your organization's security posture by running Cloud Discovery in your organization to see what's actually happening in your network. For more information, see Set up cloud discovery. This can be done using any of the following methods:

    • Get up and running quickly with Cloud Discovery by integrating with Microsoft Defender ATP. This native integration enables you to immediately start collecting data on cloud traffic across your Windows 10 devices, on and off your network.

    • For coverage of all devices connected to your network, it's important to deploy the Cloud App Security log collector on your firewalls and other proxies to collect data from your endpoints and send it to Cloud App Security for analysis.

    • Integrate Cloud App Security with your proxy. Cloud App Security natively integrates with some third-party proxies, including Zscaler.

Because policies differ across user groups, regions and business groups, you might want to create a dedicated Shadow IT report for each of these units. For more information, see Docker on Windows on-premises.

Now that Cloud Discovery is running on your network, look at the continuous reports that are generated and at the Cloud Discovery dashboard to get a full picture of which apps are being used in your organization. It's a good idea to look at them by category, because you will often find that non-sanctioned apps are being used for legitimate work-related purposes that were not addressed by a sanctioned app.

  2. Identify the risk levels of your apps: Use the Cloud App Security cloud app catalog to dive deeper into the risks that are involved with each discovered app. Cloud App Security's risk catalog includes over 16,000 apps that are assessed using over 80 risk factors. The risk factors range from general information about the app (where the app's headquarters are, who the publisher is) to security measures and controls (support for encryption at rest, an audit log of user activity). For more information, see Working with risk score.

    • In the Cloud App Security portal, under Discover, click Discovered apps. Filter the list of apps discovered in your organization by the risk factors you are concerned about. For example, you can use the Advanced filters to find all apps with a risk score lower than 8.

    • You can drill down into an app to understand more about its compliance by clicking the app name and then clicking the Info tab to see details about the app's security risk factors.

Phase 2: Evaluate and analyze

  1. Evaluate compliance: Check whether the apps are certified as compliant with your organization's standards, such as HIPAA, SOC2 or GDPR.

    • In the Cloud App Security portal, under Discover, click Discovered apps. Filter the list of apps discovered in your organization by the compliance risk factors you are concerned about. For example, use the suggested query to filter out non-compliant apps.

    • You can drill down into an app to understand more about its compliance by clicking the app name and then clicking the Info tab to see details about the app's compliance risk factors.

    Tip

    Get notified when a discovered app is associated with a recently published security breach by using the built-in Discovered app security breach alert. Investigate all users, IP addresses, and devices that accessed the breached app in the last 90 days, and apply the relevant controls.

  2. Analyze usage: Now that you know whether or not you want the app to be used in your organization, investigate how it is being used and by whom. If it's only used in a limited way in your organization, that may be acceptable; but if its use is growing, you want to be notified so you can decide whether to block the app.

    • In the Cloud App Security portal, under Discover, click Discovered apps and then drill down by clicking the specific app you want to investigate. The Use tab shows how many active users are using the app and how much traffic it's generating. This alone can give you a pretty good picture of what's happening with the app. Then, if you want to see who, specifically, is using the app, you can drill down further by clicking Total active users. This important step can give you pertinent information: for example, if you discover that all the users of a specific app are from the Marketing department, it's possible that there's a business need for this app, and if it's risky you should talk to them about an alternative before blocking it.

    • Dive even deeper when investigating use of discovered apps. View subdomains and resources to learn about specific activities, data access, and resource usage in your cloud services. For more information, see Deep dive into Discovered apps and Discover resources and custom apps.

  3. Identify alternative apps: Use the cloud app catalog to identify safer apps that provide business functionality similar to the detected risky apps but do comply with your organization's policy. You can do this by using the advanced filters to find apps in the same category that meet your security controls.

Phase 3: Manage your apps

  • Manage cloud apps: Cloud App Security helps you with the process of managing app use in your organization. After you have identified the different patterns and behaviors in your organization, you can create new custom app tags in order to classify each app according to its business status or justification. These tags can then be used for specific monitoring purposes, for example, identifying high traffic going to apps that are tagged as risky cloud storage apps. App tags can be managed under Cloud Discovery settings > App tags. These tags can later be used for filtering in the Cloud Discovery pages and for creating policies.

  • Manage discovered apps using the Azure Active Directory (Azure AD) Gallery: Cloud App Security also leverages its native integration with Azure AD to enable you to manage your discovered apps in the Azure AD Gallery. For apps that already appear in the Azure AD Gallery, you can apply single sign-on and manage the app with Azure AD. To do so, on the row where the relevant app appears, choose the three dots at the end of the row, and then choose Manage app with Azure AD.

    (Diagram: Shadow IT lifecycle)

  • Continuous monitoring: Now that you have thoroughly investigated the apps, you might want to set policies that monitor the apps and provide control where needed.

Now it's time to create policies so you can be automatically alerted when something happens that you're concerned about. For example, you might want to create an App discovery policy that lets you know when there is a spike in downloads or traffic from an app you're concerned about. To achieve this, you should enable the Anomalous behavior in discovered users policy, Cloud storage app compliance check, and New risky app. You should also set the policy to notify you by email or text message. For more information, see the policy template reference, more about Cloud Discovery policies, and Configure App discovery policies.

Look at the Alerts page and use the Policy type filter to look at app discovery alerts. For apps that were matched by your app discovery policies, it is recommended that you do an advanced investigation to learn more about the business justification for using the app, for example, by contacting the users of the app. Then, repeat the steps in Phase 2 to evaluate the risk of the app. Then determine the next steps for the application: whether you approve its use in the future, or want to block it the next time a user accesses it, in which case you should tag it as unsanctioned so it can be blocked using your firewall, proxy, or secure web gateway. For more information, see Integrate with Microsoft Defender ATP, Integrate with Zscaler, Integrate with iboss, and Export a block script to govern discovered apps.

Phase 4: Advanced Shadow IT discovery reporting

In addition to the reporting options available in Cloud App Security, you can integrate Cloud Discovery logs into Azure Sentinel for further investigation and analysis. Once the data is in Azure Sentinel, you can view it in dashboards, run queries using Kusto query language, export queries to Microsoft Power BI, integrate with other sources, and create custom alerts. For more information, see Azure Sentinel integration.
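As an added example (not part of the Microsoft tutorial), the following Kusto query implements in Azure Sentinel the traffic-spike check that Phase 3 describes for a policy: it flags discovered apps with a risk score below 8 whose traffic in the last day is several times their own seven-day baseline. It assumes the Cloud Discovery data lands in the McasShadowItReporting table with columns named AppName, AppScore, TotalBytes, UserName and TimeGenerated; verify those names against your workspace schema before saving it as an analytics rule.

```kusto
// Added example, not from the Cloud App Security documentation.
// Assumed table and column names: McasShadowItReporting with
// AppName, AppScore, TotalBytes, UserName, TimeGenerated.
let lookback = 7d;        // baseline window (days before yesterday)
let riskThreshold = 8;    // mirrors the "risk score lower than 8" filter used in Phase 1
let spikeFactor = 3.0;    // today's bytes must exceed 3x the average daily baseline
// Average daily bytes per risky app over the baseline window.
let baseline =
    McasShadowItReporting
    | where TimeGenerated between (ago(lookback + 1d) .. ago(1d))
    | where AppScore < riskThreshold
    | summarize BaselineBytes = sum(TotalBytes) / 7.0 by AppName;
// Traffic for the same risky apps in the most recent day.
McasShadowItReporting
| where TimeGenerated > ago(1d)
| where AppScore < riskThreshold
| summarize TodayBytes = sum(TotalBytes),
            Users = dcount(UserName),
            AppScore = max(AppScore) by AppName
| join kind=inner baseline on AppName
| where TodayBytes > spikeFactor * BaselineBytes
| project AppName, AppScore, Users, TodayBytes, BaselineBytes,
          Ratio = round(TodayBytes / BaselineBytes, 1)
| order by Ratio desc
```

Apps with no traffic in the baseline window are dropped by the inner join; brand-new apps are the job of the New risky app policy template named above, not of this query.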

Phase 5: Control sanctioned apps

  1. To enable app control via APIs, connect apps via API for continuous monitoring.

  2. Protect apps using Conditional Access App Control.

The nature of cloud apps means that they are updated daily and new apps appear all the time. Because of this, employees are continuously using new apps, and it's important to keep tracking, reviewing and updating your policies, checking which apps your users are using, as well as their usage and behavior patterns. You can always go to the Cloud Discovery dashboard to see what new apps are being used, and follow the instructions in this article again to make sure your organization and your data are protected.

See Also

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.