Cloud App Discovery–Cool tool, but is it ready for Primetime?

It’s no secret: I’m perfectly OK with the cloud. So when I heard about Cloud App Discovery back when it was released to preview, I immediately jumped on it, testing it out in my lab and doing a few demos. The idea is to provide a tool that identifies the unknown or hard-to-track-down services your users might be using (and leaking corporate data onto), as well as giving you easy utilization numbers for SaaS tools. Microsoft put a lot of thought into solving this particular problem and it shows.

Cloud App Discovery and Azure AD Premium seem built for each other. Cloud App identifies workloads and data usage that IT doesn’t know about, kind of like the Application Compatibility Toolkit for cloud tools. The agent is installed on each system (silent deploy supported) and it sends the highlighted service access to Azure storage. Azure then does some analytics work on it and provides easy-to-read reports on your data, informing you which users are using third-party services and whether or not those services are in your control and federated. In the event Cloud App doesn’t recognize the app (and it recognizes a very large number), it records the URLs and ports, as well as the frequency of access and the amount of data transmitted.

If it does recognize the service and it’s in the Azure AD Premium gallery, it guides me through deciding where to trust/federate, and I can enable SSO in a couple of clicks.

Because I have access to the Azure Storage blob, if I want to grab the files and do my own analysis, like running them through a Security Information Monitoring tool, I can. The raw logs look like this:

Machine Name    User Name    App Name    Category    Is Business App    Device Family    Requests    Bytes Sent    Bytes Received    Date Begin Window    Date End Window
X79    X79\Joe    google    noisecategory    False    Windows 8.1    0    5173    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    dropbox    collaboration    True        0    0    179    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    live    noisecategory    False    Windows 8.1    0    1567    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    live    noisecategory    False        0    0    662    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    google    noisecategory    False        0    0    783    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    dropbox    collaboration    True    Windows    1    352    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    192.168.1.111_8080    othercategory    False        1    100    277    12/31/2014 12:01:00 AM    12/31/2014 12:02:00 AM

X79    X79\Joe    live    noisecategory    False    Windows 8.1    0    4637    0    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    google    productivity    False    Windows 8.1    2    4186    0    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    live    noisecategory    False        0    0    1986    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    outlook.com    othercategory    False        1    1481    10562    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
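
If you do pull the raw export out of the blob for your own analysis, the first step is a parser for that tab-separated layout. The following is an added example, not code from the post or from Microsoft: it parses a constructed sample built from the rows above (tabs between columns, the empty “Device Family” column left blank where the export left it blank), totals requests and bytes per user and app, lists the services the agent did not recognize (inferred from the sample to be logged as a host_port name such as 192.168.1.111_8080), and reports users sending more than a chosen number of bytes to apps not flagged as business apps. The function names, the host_port regex and the byte threshold are my assumptions, not part of the product.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample reproducing the tab-separated export shown in the post
# (a subset of its rows). An empty string is an empty column, as in the export.
_HEADER = ["Machine Name", "User Name", "App Name", "Category", "Is Business App",
           "Device Family", "Requests", "Bytes Sent", "Bytes Received",
           "Date Begin Window", "Date End Window"]
_ROWS = [
    ["X79", r"X79\Joe", "google", "noisecategory", "False", "Windows 8.1", "0", "5173", "0",
     "12/31/2014 12:00:00 AM", "12/31/2014 12:01:00 AM"],
    ["X79", r"X79\Joe", "dropbox", "collaboration", "True", "", "0", "0", "179",
     "12/31/2014 12:00:00 AM", "12/31/2014 12:01:00 AM"],
    ["X79", r"X79\Joe", "live", "noisecategory", "False", "Windows 8.1", "0", "1567", "0",
     "12/31/2014 12:00:00 AM", "12/31/2014 12:01:00 AM"],
    ["X79", r"X79\Joe", "dropbox", "collaboration", "True", "Windows", "1", "352", "0",
     "12/31/2014 12:00:00 AM", "12/31/2014 12:01:00 AM"],
    ["X79", r"X79\Joe", "192.168.1.111_8080", "othercategory", "False", "", "1", "100", "277",
     "12/31/2014 12:01:00 AM", "12/31/2014 12:02:00 AM"],
    ["X79", r"X79\Joe", "outlook.com", "othercategory", "False", "", "1", "1481", "10562",
     "12/31/2014 12:21:00 AM", "12/31/2014 12:22:00 AM"],
    ["X79", r"X79\Joe", "google", "productivity", "False", "Windows 8.1", "2", "4186", "0",
     "12/31/2014 12:21:00 AM", "12/31/2014 12:22:00 AM"],
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in [_HEADER] + _ROWS) + "\n"

# Timestamps in the export look like "12/31/2014 12:00:00 AM".
TIMESTAMP_FMT = "%m/%d/%Y %I:%M:%S %p"

# Assumption drawn from the sample: a service the agent could not match to a
# known app shows up as "<host>_<port>" instead of a gallery app name.
HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.\-]+_\d{1,5}$")


def parse_records(text):
    """Parse the tab-separated export into a list of typed dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    records = []
    for row in reader:
        records.append({
            "machine": row["Machine Name"],
            "user": row["User Name"],
            "app": row["App Name"],
            "category": row["Category"],
            "is_business": row["Is Business App"] == "True",
            "device_family": row["Device Family"] or None,   # blank column -> None
            "requests": int(row["Requests"]),
            "bytes_sent": int(row["Bytes Sent"]),
            "bytes_received": int(row["Bytes Received"]),
            "window_begin": datetime.strptime(row["Date Begin Window"], TIMESTAMP_FMT),
            "window_end": datetime.strptime(row["Date End Window"], TIMESTAMP_FMT),
        })
    return records


def summarize_by_user_app(records):
    """Total requests and bytes per (user, app) across all one-minute windows."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_sent": 0,
                                  "bytes_received": 0, "is_business": False})
    for r in records:
        t = totals[(r["user"], r["app"])]
        t["requests"] += r["requests"]
        t["bytes_sent"] += r["bytes_sent"]
        t["bytes_received"] += r["bytes_received"]
        t["is_business"] = t["is_business"] or r["is_business"]
    return dict(totals)


def unrecognized_services(records):
    """App names the agent fell back to logging as host_port (sorted, unique)."""
    return sorted({r["app"] for r in records if HOST_PORT_RE.match(r["app"])})


def non_business_uploads(records, min_bytes_sent):
    """(user, app, bytes_sent) for non-business apps at or above the threshold,
    largest upload first. A simple starting point for reviewing where data goes."""
    totals = summarize_by_user_app(records)
    hits = [(user, app, t["bytes_sent"]) for (user, app), t in totals.items()
            if not t["is_business"] and t["bytes_sent"] >= min_bytes_sent]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (user, app), t in sorted(summarize_by_user_app(recs).items()):
        print(f"{user:10} {app:20} req={t['requests']:3} "
              f"sent={t['bytes_sent']:6} recv={t['bytes_received']:6} "
              f"business={t['is_business']}")
    print("unrecognized:", unrecognized_services(recs))
    print("non-business uploads >= 1000 bytes:", non_business_uploads(recs, 1000))
```

Point it at a real export by reading the blob contents into `parse_records` instead of `SAMPLE_LOG`; the one-minute windows aggregate cleanly per user and app, and the host_port entries are the ones worth a closer look, since those are services the gallery did not classify for you.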

Pretty straightforward. Aside from the slightly annoying fact that it is only available in the “Preview” Azure portal, the finished reports are really nice and filter well. I can easily drill down and see who is using which apps, how much data, and how often they use it.


So that’s the good. What’s the not so good? The implementation of the network listener. I haven’t ripped fully into it to understand how it interacts with the network stack, but my notes from the field have not been without issues. Big issues. On many types of hardware. On a disturbing percentage of the systems. Now is where I take a long breath and have to tamp down my enthusiasm, as I really wanted to like Cloud App Discovery. On my Hyper-V lab, it’s run for months without issue. On physical hardware, though, there have been more systems with serious issues than systems without.

I really hope this gets fixed, and I’ll gladly update this post once the issues are resolved, but here are the symptoms I’ve seen:

  • After reboot, it prevents all network access. Uninstallation immediately fixes.
  • After reboot, a sudden rash of blue screens when opening web browsers that clear up immediately after product is removed.
  • After reboot, most access works, but certain cloud services are completely inaccessible, including OneDrive for Business, Dropbox and Crashplan. Uninstallation immediately resolves the issue.

I’ve noted this behavior on Windows 7, 8.1 and 10.

If you have a fix, I’d love to hear it. Hit me up on twitter: @Joe_Kuster