{"id":1337,"date":"2024-12-20T22:05:23","date_gmt":"2024-12-20T22:05:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1337"},"modified":"2024-12-20T22:05:23","modified_gmt":"2024-12-20T22:05:23","slug":"us-order-is-a-reminder-that-cloud-platforms-arent-secure-out-of-the-box","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1337","title":{"rendered":"US order is a reminder that cloud platforms aren\u2019t secure out of the box"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>This week\u2019s binding directive to US government departments to implement secure configurations in cloud applications, starting with Microsoft 365 (M365), is a reminder to all CISOs that cloud platforms, even from major providers, aren\u2019t completely secure out of the box.<\/p>\n<p>\u201cCloud stuff is easy to manage, easy to deploy,\u201d said Ed Dubrovsky, chief operating officer and managing partner of Cypfer, an international cyber incident response company.<\/p>\n<p>\u201cThe challenge of that is the default of M365 platform is not really secure. We in the security profession have been yelling for years [at Microsoft], \u2018Why aren\u2019t you saying MFA [multifactor authentication] must be enabled? Why is it an option? 
That\u2019s just wrong.\u2019\u201d<\/p>\n<p>Microsoft has recently made <a href=\"https:\/\/www.csoonline.com\/article\/3608642\/from-mfa-mandates-to-locked-down-devices-microsoft-posts-a-year-of-sfi-milestones-at-ignite.html\">MFA mandatory<\/a> for sign-ins to the Azure portal and its other administration centers.<\/p>\n<p>\u201cEven more fundamental are [setting controls for] things like having to keep logs for a certain amount of time in case there is a forensic investigation [of a breach of security controls] \u2026 What we find in many subscription options of M365 is the logs are being kept for less than 30 days. Which is not sufficient at all,\u201d he added.<\/p>\n<p>\u201cAll these little tweaks that you need to do in order to harden M365 are not being taken advantage of. And that creates an influx of weak infrastructure of M365 being deployed at larger and larger organizations \u2014 including governments and sensitive agencies \u2014 because people are still focusing on the functionality rather than the security of M365. It\u2019s an age-old problem: Security is taking a second seat to functionality, as opposed to truly having a seat at the [senior management] table and discussing what a secure deployment of M365 looks like.\u201d<\/p>\n<p>\u201cAnd by the way,\u201d he said, \u201cthere are tons of best practice guides of how to deploy this securely. What I don\u2019t understand is why you don\u2019t make it by default, Microsoft?\u201d<\/p>\n<p>Dubrovsky\u2019s comments came after the US Cybersecurity and Infrastructure Security Agency (CISA) issued <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/bod-25-01-implementing-secure-practices-cloud-services\">Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services<\/a>, to federal executive branch departments and agencies. 
The directive does not, however, cover national security systems or systems run by the defense or intelligence communities.<\/p>\n<p>Affected IT departments are ordered to implement a set of baseline configurations set out by the <a href=\"https:\/\/www.cisa.gov\/resources-tools\/services\/secure-cloud-business-applications-scuba-project\">Secure Cloud Business Applications (SCuBA)<\/a> project for certain software as a service (SaaS) platforms. So far, the directive notes, the only finalized configuration baseline is the one for Microsoft 365.<\/p>\n<p>There is also a baseline configuration for Google Workspace listed on the SCuBA website that isn\u2019t mentioned in this week\u2019s directive. However, the order does say that in the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. When those baselines are issued, they will also fall under the scope of this week\u2019s directive.<\/p>\n<p>To give CISA a better handle on federal cloud assets, the order says affected agencies have to provide their cloud tenant names to CISA by Feb. 
21, 2025, deploy all SCuBA assessment tools for those tenants and begin continuous reporting by April 25, 2025.<\/p>\n<p>By June 20, 2025, agencies have to implement all mandatory SCuBA policies, that is, the required secure configurations.<\/p>\n<p>Coincidentally, the CISA directive comes the same week CSO reported that Amazon has halted its <a href=\"https:\/\/www.csoonline.com\/article\/3625205\/amazon-refuses-microsoft-365-deployment-because-of-lax-cybersecurity.html\">deployment of M365<\/a> for a full year, as Microsoft tries to fix a long list of security problems that Amazon identified.<\/p>\n<p>A CISA spokesperson said he couldn\u2019t comment on why the directive was issued this week, but Dubrovsky believes it\u2019s \u201cmore of a generic warning\u201d to federal departments, and not linked to an event.<\/p>\n<p>Asked how private-sector CISOs should secure cloud platforms, Dubrovsky said they should start with cybersecurity basics. That includes implementing tough identity and access management policies, including MFA, and performing network monitoring and alerting for abnormalities, before going into the cloud.<\/p>\n<p>\u201cFix the basics at home before you start installing new doors,\u201d he said.<\/p>\n<p>Forrester Research principal analysts Andras Cser and Geoff Cairns noted the directive means that CISA is asking federal agencies to perform cloud asset discovery, continuous cloud assessment, and reporting, as well as baseline cloud security configuration management.<\/p>\n<p>Manual methods to meet the above mandates are impractical, if not impossible, Forrester believes, so it expects cloud-native application protection platforms (<a href=\"https:\/\/www.csoonline.com\/article\/573629\/cnapp-buyers-guide-top-tools-compared.html\">CNAPP<\/a>s) and SaaS security vendors to enhance their CISA and <a href=\"https:\/\/www.csoonline.com\/article\/568817\/what-is-fedramp-how-cloud-providers-get-authorized-to-work-with-the-u-s-government.html\">FedRAMP<\/a> cloud 
infrastructure security templates to meet the new requirements. FedRAMP is the Federal Risk and Authorization Management Program, which was established in 2011 to provide a risk-based approach for the adoption and use of cloud services by the federal government.\u00a0\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>This week\u2019s binding directive to US government departments to implement secure configurations in cloud applications, starting with Microsoft 365 (M365), is a reminder to all CISOs that cloud platforms, even from major providers, aren\u2019t completely secure out of the box. \u201cCloud stuff is easy to manage, easy to deploy,\u201d said Ed Dubrovsky, chief operating officer [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1331,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1337","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1337"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1337"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1337\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1331"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.co
m\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}