bp’s app access and governance processes were preventing the company from embracing a more proactive, continuous security posture for its growing technology footprint. Recognizing change was needed, bp worked with Microsoft to provide feedback on the automation capabilities of the app governance add-on for Microsoft Defender for Cloud Apps. As a result, the energy company deployed several services to provide more robust app tracking, regulation, and monitoring capabilities. bp simplified how it defines and enforces app behaviors for thousands of third-party and line-of-business apps across its global enterprises for 90,000 users.
“We capture 39 million activities daily, so we need to quickly identify apps with high permissions that pose the biggest risks if compromised. App governance in Microsoft Defender for Cloud Apps helps us focus on the most valuable data for a company of our size and complexity.”
Stephen Portillo, Information Protection Security Engineering Principal, bp
Dynamic insights drive response
bp is undergoing a digital overhaul as it shifts from being an international oil company to an integrated energy company, aiming to be net zero by 2050 or sooner. The energy company generates billions of data signals across its global enterprise and uses thousands of third-party and line-of-business Microsoft 365 Open Authorization (OAuth) applications to run a global enterprise with 90,000 users. It’s committed to developing and investing in innovative, cloud-first digital solutions that can help protect its expansive network of cloud applications from malicious app-based attacks that threaten its enterprise-critical data and global infrastructure at the edge.
bp wanted better visibility of app permissions, how much data each app handles, and app behavior so it could scale with real-time, automated controls and policy settings. Previously, its security engineering team supported the monitoring and reporting process manually by running one or two scripts per scheduled activity to monitor permissions. The security team recognized that it lacked real-time visibility and in-depth insights into its apps.
Stephen Portillo, Information Protection Security Engineering Principal at bp, was keen to work with Microsoft to automate application threat detection and remediation, while deriving more insights from the data that the company’s growing list of cloud apps and expanding hybrid infrastructure were generating.
“We capture 39 million activities daily, so we need to quickly identify apps with high permissions that pose the biggest risks if compromised,” says Portillo, who owns the vision and strategy for protecting the company’s information on different platforms, including endpoints and Microsoft Office 365. “App governance in Microsoft Defender for Cloud Apps helps us focus on the most valuable data for a company of our size and complexity.”
bp collaborated with Microsoft in testing, iterating, and providing enterprise-scale feedback on the capabilities of the app governance add-on for Defender for Cloud Apps. As a result, the energy company deployed a comprehensive trio of app management and governance solutions to bolster its existing Azure Active Directory (Azure AD) identity governance capabilities with more robust cloud app access, use, and behavior capabilities.
“We’re changing from an international oil company to an integrated energy company, which means as our digital footprint expands, bp needs to be compliant with hundreds of different global data protection policies,” says Portillo. “We have much better access and permission visibility with app governance, and it interoperates with other Microsoft tools so that we can build robust policies for our users.”
Machine learning safeguards
One of bp's key strategies is to focus on cloud-first digital innovations that improve operational efficiency. The objective is to empower engineering teams with technology that helps solve inefficiencies and overcome obstacles.
“App governance saves a lot of time and valuable engineering resources because it’s always working,” says Portillo. “This kind of automated, continuous activity helps us ‘shift-left’ on security, and allows us to proactively focus on other activities to solve the next pain point.”
bp simplified how it defines and enforces cloud app behaviors to protect its enterprise-critical data. By implementing machine learning–based threat detections and policy-based alerts, the security engineering team can identify abnormal app behaviors outside of defined governance policy with fewer manual steps.
“The built-in threat detection policies in app governance are valuable,” says Geoff Elton, Information Security Engineering Lead at bp. “Due to the volume of data we receive, it’s challenging to correlate across different signals, and having multiple machine learning indicators pull it all together for us is very useful.”
bp can discover and manage unsanctioned apps, restrict access to them and the resources they use, and enforce cloud app security policies and compliance requirements without leaving the Defender for Cloud Apps portal. And app governance includes automated remediation capabilities, so the security engineering team can quickly address issues.
Identity and access at the API level
bp added app governance to its existing Azure AD and Defender for Cloud Apps capabilities. Now, the identity and access management capabilities provide detailed information about an app’s identity at the API level, which can help the company manage the risks associated with privileged apps. Policy alerts are generated from the policies that bp creates, and they’re sorted into incidents and displayed in the Defender for Cloud Apps alerts queue. These automated alerts can then be integrated with other systems using Microsoft Graph API, which enables bp to manage resources and actions related to apps in Azure AD.
“App governance empowers a much richer conversation with our platform app owners,” says Elton. “We can analyze app permissions and access to data with data-driven insights to evaluate issues that require remediation.”
bp now has its system monitoring and creating alerts rather than having to create scripts to identify problems. The app governance add-on to the Defender for Cloud Apps portal features categories that highlight apps that have access to sensitive data, including those that haven’t used permissions in the past or apps with robust permissions.
“The ability to baseline application activity is very important to us,” says Elton. “The automated alerts for application behavior changes such as increased data transfer or API errors give us advance warning of possible issues so we can focus investigations. It’s great for us to be able to see how our data flows, where it’s flowing to, and which applications are accessing the different data workloads.”
Secure app access expedites innovation
bp has accelerated its adoption of app governance and accumulated more cloud apps in its quest to engineer modern, sustainable energy solutions through technology. With the proliferation of cloud apps, however, comes increased risk from malicious, app-based attacks. “Modern productivity and collaboration require automation and programmatic access to information,” says Portillo. “You need apps to make that work. So, digital-first companies like us need to pay attention to programmatic access—API access to data and app permissions—and maintain the comprehensive visibility required to monitor and govern apps.”
By understanding app behavior through data-led insights, bp has gained a clearer picture of vulnerabilities, which helps it reduce the risks of app-based threats. The app governance add-on to Microsoft Defender for Cloud Apps has empowered its security engineering team to proactively define policies that govern how apps interact with data and users, helping the company meet the demand for a modern security posture and protect its digital transformation.
“App governance now gives us focus on an app’s footprint—who the owner is, who the users are, and what the value of the app data is,” says Portillo. “From an enterprise point of view, having that forward visibility into threats and vulnerabilities is incredibly valuable, because it drives proactive responses.”