CISA Seeks Feedback on Baseline Measures to Secure Cloud Configuration


Initial baselines address Microsoft services, and baselines for configuring rival services from Google are up next. 

The Cybersecurity and Infrastructure Security Agency is inviting public comment—particularly from agencies—on what it’s proposing as the bare minimum set of actions organizations should take to control access to their assets in cloud environments, and how to implement them.

As part of its Securing Cloud Business Applications—or SCUBA—project, the agency will be accepting comments through Nov. 24 on security configuration baselines it published Thursday for eight Microsoft products, including Microsoft Teams, Exchange Online, Defender for Office 365 and the Azure Active Directory.

Configuration baselines for Google Workspace, as well as a request for agencies to pilot them, will be published next, “in the coming months,” CISA said.

The guidance comes as Google tries to woo enterprise customers by promising to evolve the model of shared responsibility for security in the cloud, which puts the onus of configuring data access on the owners of that data.

Speaking at a recent conference hosted by the cybersecurity firm Mandiant—a Google partner—Google CISO Phil Venables said the company is focused on “shifting from what everybody knows as shared responsibility in the cloud, to what we call shared fate, which is us reaching across that line of shared responsibility, and really partnering with customers.”

“We recognize it's important not just to have defense in depth from attacks, but also defense in depth from configuration errors and all the other things that can go wrong in the cloud if we don't partner effectively,” he said.

Correctly architecting systems to control who has access to what assets has proven to be a persistent challenge for even well-resourced cloud customers. The 2019 Capital One breach, for example, was due to the misconfiguration of a firewall in Amazon Web Services, according to that cloud service provider, which disputed allegations that it was responsible for the breach of consumers’ personal information.

Cloud service providers themselves are hardly immune from configuration errors. Microsoft is currently taking heat from security researchers for its handling of their discovery of a misconfiguration issue with a storage bucket, which the researchers say exposed sensitive information of more than 65,000 entities—across 111 countries—including those in the U.S. government.

Ensar Seker, CISO of SOCRadar, the security research company that scans the internet for misconfiguration issues and brought the exposure to Microsoft’s attention, told SCMedia the company’s Azure cloud bucket was one of six—the others were at different CSPs—that were affected by similar configuration errors.

CISA’s guidance for agencies and other cloud customers provides step-by-step instructions for the complex task of assigning permission levels to the various individuals—including those from a range of managed services providers—who may need to access their assets in each of the Microsoft services.

When using the Azure Active Directory, for example, CISA says, among other things, “phishing-resistant multi-factor authentication SHALL be required for all users,” which also means “legacy authentication SHALL be blocked,” and that, “only administrators SHALL be allowed to register third-party applications.”