While hackers often target email and other cloud-based work applications, agencies and other organizations now at least have security “baselines” for many of the leading productivity tools on the market.
The Cybersecurity and Infrastructure Security Agency, as part of its Secure Cloud Business Applications (SCuBA) project, released a series of nine security configuration baselines for Google Workspace today, including applications like Gmail, Google Drive, and Google Meet. The latest release follows up on CISA’s publication of baselines for Microsoft 365 products last year.
“With the addition of these baselines, we cover the vast majority of business collaboration suite of software-as-a-service offerings that everyone uses and relies on to conduct their work every single day,” Chad Poland, the manager for cyber shared services at CISA, said in an interview.
CISA is requesting comments on the Google Workspace configurations through Jan. 12, while also asking other federal agencies to specifically “help validate and enhance the automated implementation of these SCuBA baselines.”
The latest release continues CISA’s efforts under the SCuBA program to develop security standards for technology applications that are used across the federal government. The lack of security standardization across agencies was one of the gaps that emerged from the 2020 SolarWinds incident.
After spending the last year piloting the Microsoft 365 configurations with 12 agencies, CISA took lessons from those efforts and applied them to the Google Workspace configurations, Poland said.
“[We] went through and methodically analyzed which threats can be prevented by which settings in the admin console for Google Workspace, which we feel provides a very strong level of security to prevent misconfigurations [and] have been known to allow threat actors into these environments,” he said.
As it did with the Microsoft security baselines, CISA has also released an assessment tool for the Google security baselines, called “ScubaGoggles,” on GitHub. Agencies can use the open-source tool to evaluate how they stack up against the security baselines.
“The tool is where the rubber meets the road,” Poland said. “It allows organizations to run in their environment and quickly see exactly where any deficiencies against the baseline are. And so it really allows them to focus their scarce resources and their time to really shore up those differences or those settings that aren’t properly configured.”
CISA specifically developed a “configuration drift detection” tool for Google Workspace. Poland said the tool is designed to notify an administrator when any change is made to the baseline settings.
“If a threat actor gets in and opens up a door or reduces some of the security posture, it alerts them right away that something is amiss, and they can take corrective action to fix it,” Poland said.
CISA has also more broadly been pushing technology companies, including Google and Microsoft, to offer their products “secure-by-default,” so less of the onus is on customers to properly configure security settings in the first place.
“We continue to have that conversation about making sure that default settings are at the highest level of security for end users,” Poland said. “We’ve seen that with recent announcements, such as when default phishing-resistant [multifactor authentication] is enabled for users. And we applaud organizations that have adopted those more secure-by-default practices.”
In addition to the baselines specific to Google and Microsoft products, CISA’s SCuBA team also released a “Hybrid Identity Solutions Architecture” this past spring, as well as a “Technical Reference Architecture” and a “Visibility Reference Framework Guidebook” over the summer.
Moving into 2024, Poland said a top priority for the SCuBA program is driving adoption of the security configurations. CISA plans to hold a series of hybrid workshops with federal agencies for in-depth discussions about adopting the security baselines.
“We’re going to bring in some of the pilot agencies that actually went through and implemented the baselines and talk about how they helped secure their environment, any issues they may have faced that can be helpful and insightful to other users who are, you know, starting out on this journey,” Poland said. “At the end of the day, we want to increase adoption. We want people to understand how to use it and what applying the different security policies does to their environment.”