This week’s binding directive to US government departments to implement secure configurations in cloud applications, starting with Microsoft 365 (M365), is a reminder to all CISOs that cloud platforms, even from major providers, aren’t completely secure out of the box.

“Cloud stuff is easy to manage, easy to deploy,” said Ed Dubrovsky, chief operating officer and managing partner of Cypfer, an international cyber incident response company. “The challenge of that is the default of the M365 platform is not really secure. We in the security profession have been yelling for years [at Microsoft], ‘Why aren’t you saying MFA [multifactor authentication] must be enabled? Why is it an option? That’s just wrong.’”

Recently Microsoft has made MFA mandatory for logins through Azure.

“Even more fundamental are [setting controls for] things like having to keep logs for a certain amount of time in case there is a forensic investigation [of a breach of security controls] … What we find in many subscription options of M365 is the logs are being kept for less than 30 days. Which is not sufficient at all,” he added.

“All these little tweaks that you need to do in order to harden M365 are not being taken advantage of. And that creates an influx of weak infrastructure of M365 being deployed at larger and larger organizations, including governments and sensitive agencies, because people are still focusing on the functionality rather than the security of M365. It’s an age-old problem: Security is taking a second seat to functionality, as opposed to truly having a seat at the [senior management] table and discussing what a secure deployment of M365 looks like.”

“And by the way,” he said, “there are tons of best practice guides of how to deploy this securely. What I don’t understand is why you don’t make it by default, Microsoft?”

Dubrovsky’s comments came after the US Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive on Implementing Secure Practices for Cloud Services to federal executive branch departments and agencies. It does not, however, cover national security systems or systems run by the defense or intelligence communities.

Affected IT departments are ordered to implement a set of baseline configurations set out by the Secure Cloud Business Applications (SCuBA) project for certain software as a service (SaaS) platforms. So far, the directive notes, the only finalized configuration baseline is for Microsoft 365.

There is also a baseline configuration for Google Workspace listed on the SCuBA website that isn’t mentioned in this week’s directive. However, the order does say that in the future CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. When those baselines are issued, they will also fall under the scope of this week’s directive.

To give CISA a better handle on federal cloud assets, the order says affected agencies have to provide their cloud tenant names to CISA by Feb. 21, 2025, deploy all SCuBA assessment tools for them, and begin continuous reporting by April 25. By June 20, agencies have to implement all mandatory SCuBA policies, such as the required configurations.

Coincidentally, the CISA directive comes the same week as CSO reported that Amazon has halted its deployment of M365 for a full year while Microsoft tries to fix a long list of security problems that Amazon identified.

A CISA spokesperson said he couldn’t comment on why the directive was issued this week, but Dubrovsky believes it’s “more of a generic warning” to federal departments, and not linked to an event.

Asked how private-sector CISOs should secure cloud platforms, Dubrovsky said they should start with cybersecurity basics. That includes implementing tough identity and access management policies, including MFA, and performing network monitoring and alerting for abnormalities, before going into the cloud. “Fix the basics at home before you start installing new doors,” he said.

Forrester Research principal analysts Andras Cser and Geoff Cairns noted that the directive means CISA is asking federal agencies to perform cloud asset discovery, continuous cloud assessment and reporting, as well as baseline cloud security configuration management.

Manual methods to meet these mandates are impractical, if not impossible, Forrester believes, so it expects cloud-native application protection platforms (CNAPPs) and SaaS security vendors to enhance their CISA and FedRAMP cloud infrastructure security templates to meet the new requirements. FedRAMP is the Federal Risk and Authorization Management Program, which was established in 2011 to provide a risk-based approach for the adoption and use of cloud services by the federal government.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3629746/us-order-is-a-reminder-that-cloud-platforms-arent-secure-out-of-the-box.html