CISA issues new directive to bolster cloud security – and Microsoft was singled out
A new directive issued by the US Cybersecurity and Infrastructure Security Agency (CISA) has been met positively by industry experts who say it will bolster cloud security.
Announced on 17 December, the directive will focus on safeguarding federal information and information systems.
It requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and ensure that cloud environments are aligned with CISA’s ‘Secure Cloud Business Application (SCuBA)’ baselines.
CISA will maintain and update a detailed list of in-scope policies and cloud tenants, provide agencies with reporting instructions, and provide agencies with troubleshooting support.
As of this release, CISA has published the configuration baselines for Microsoft 365 only, but the future may see CISA release additional baselines for other cloud products and services.
In recent cybersecurity incidents, CISA said the improper configuration of security controls in cloud environments has introduced substantial risk and has resulted in compromises and unauthorized access.
This directive will push the federal civilian enterprise to a more defensible posture in this regard, by reducing the attack surface of government networks.
CISA directive welcomed by industry
Tech and security experts see this as a strong move from CISA, one that will reduce agency vulnerability to attack and increase security posture in the government.
“CISA’s directive highlights known cloud risks. Misconfigured systems expose agencies to threats. Setting baselines and enforcing them reduces the attack surface. This step, though unsurprising, is critical,” Jason Soroko, senior fellow at Sectigo, told ITPro.
AppOmni CSO Cory Michal echoed this sentiment, calling the directive a “much-needed step” towards improving the organizational security posture of federal agencies leveraging cloud and Software as a Service (SaaS) tools.
“By mandating the adoption of the SCuBA Secure Configuration Baselines, the directive provides a standardized approach to securing SaaS applications and guides agencies to focus on proactive risk mitigation,” Michal told ITPro.
While it aligns with broader cybersecurity initiatives such as zero trust architecture, Michal added, the success of the directive will depend on effective implementation and deployment of appropriate security tooling.
Michal noted the requirements are reasonable and that the directive focuses on measures that are practical and actionable, such as adopting secure baselines.
“These are foundational steps that align with modern SaaS and cloud security models following the Identify, Protect, Detect and Respond methodology, allowing organizations to embrace and secure this new attack surface,” he said.
“Deadlines, lack of funding, and lack of adequate skillsets will be the main challenges in meeting these requirements,” he added.
Private sector will take time to catch up
Though CISA’s new directive is a boon for security in the federal or public sector landscape, the average firm will lag behind the guidance, according to Soroko.
“For a typical mid-sized business, implementing similar controls is costly – tools, consultants, and training strain budgets. They have a hard enough time understanding the merits of MFA,” Soroko said.
“They typically only have IT generalists who are motivated to keep the lights on rather than go through configurations with a fine toothed comb,” he added.
While government guidance often influences private sectors, he said, adoption lags, as many firms resist due to cost and complexity.
“Clear government standards can slowly shift industry norms, but it normally only works if it forces vendors who are selling into government contracts,” Soroko said.
Source link
/cdn.vox-cdn.com/uploads/chorus_asset/file/23516635/adbenedetto_220508_5192_0047.jpg)
