The Cybersecurity and Infrastructure Security Agency is about to give cloud security across government a boost with the impending finalization of security “baselines” for widely used Microsoft applications.
Meanwhile, the hacking of a Biden administration cabinet member’s emails via Microsoft’s cloud environment has sparked a high-level government investigation into the incident, as well as a broader review of cloud security best practices.
CISA’s work under the “Secure Cloud Business Applications” or “SCuBA” project has been ongoing since 2021. The project aims to give agencies and other organizations resources for securing their cloud environments. CISA released an initial set of security baselines for the Microsoft 365 suite of business applications last year for feedback from the technical community.
Grant Dasher, the architecture branch chief for the Office of the Technical Director for Cybersecurity at CISA, said the agency plans to release a finalized version of those SCuBA baselines in “the next short period of time.”
The baselines specify the implementation controls organizations can use to secure applications like Azure Active Directory. And CISA also developed an automated tool that organizations can use to evaluate their implementation of those controls.
“We’ve seen really across the cybersecurity industry, both inside the government and outside of the government, a use of that tool to start assessing the posture and configuration in these environments,” Dasher said at the FCW/NextGov Identity Summit yesterday. “And it’s been a helpful tool for us to work with the agencies to try and make sure that they’re implementing best practices in the cloud identity space.”
With the Microsoft 365 baselines set to be finalized in the near future, Dasher said CISA will also soon be releasing configurations for Google’s suite of cloud-based business applications. Earlier this summer, CISA also finalized the high-level architectural guidance for the SCuBA project, as well as a framework for ensuring agencies have visibility into threats in their cloud environments.
Dasher said the transition to cloud services gives organizations an opportunity to modernize and transform their identity infrastructure.
“Agencies are in a whole spectrum of different places,” he said. “Some have very robust, mature, existing identity infrastructure that they’re continuing to expand and leverage. Others are sort of redoing things in a more greenfield approach. Different agencies are taking different directions, but we’re trying to support and assist them in that journey, and make significant progress towards these goals.”
For years now, federal officials have said the move to cloud computing will be a major boon for securing data and networks, while also cautioning the shift doesn’t eradicate the cybersecurity responsibilities of agencies.
Ken Bible, the chief information security officer at the Department of Homeland Security, commented that “identity in the cloud has become kind of the new attack surface,” pointing to a high-profile hack of Microsoft’s cloud-based email service.
“I don’t know whether it’s an offshoot directly of pandemic as much as it is the fact that when we started to make this move towards these cloud-based services, it exposed the fact that there was a potential soft spot there that could be taken advantage of,” Bible said at yesterday’s Identity Summit.
The Cyber Safety Review Board announced last week that it would investigate the Microsoft incident, which occurred earlier this summer. It involved suspected Chinese hackers using a stolen Microsoft key to forge access to the cloud-based email accounts of Commerce Secretary Gina Raimondo and high-level State Department officials in what CISA called a “targeted” attack.
The board in a press release said its review will focus on the incident, as well as “the malicious targeting of cloud computing environments” and what government, industry and cloud service providers should “employ to strengthen identity management and authentication in the cloud.”
“The board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves,” the press release states.
With agencies continuing to adopt cloud services, officials are keenly interested in further developing the “shared responsibility model” between cloud service providers and their customers.
“I think we’re in a point of irreversible momentum in terms of moving and continuing the migration towards cloud-based capabilities,” Bible said.