New guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) has been met favorably by industry experts who say it will strengthen cloud security.
The directive, Binding Operational Directive 25-01, announced on December 17, focuses on protecting federal information and information systems hosted in cloud services.
The order requires federal civilian agencies to identify all cloud tenants in scope, deploy CISA's automated configuration-assessment tooling, and bring those tenants into compliance with CISA's “Secure Cloud Business Application (SCuBA)” secure configuration baselines.
CISA will maintain and update a list of in-scope policies and cloud tenants, give agencies reporting instructions, and offer troubleshooting support.
At the time of the announcement CISA had published configuration baselines only for Microsoft 365, but the agency may release additional baselines for other cloud products and services in future.
CISA said that in recent cybersecurity incidents, improperly configured security controls in cloud environments created significant risk and led to compromises and unauthorized access.
By reducing the attack surface of government networks, the directive is intended to push the federal civilian establishment into a more defensible position in this regard.
The industry welcomed CISA's guidance
Technology and security experts see this as a strong move by CISA, one that will reduce federal agencies' exposure to attack and improve the government's security posture.
“CISA guidance highlights known cloud risks. Misconfigured systems expose agencies to threats. Defining and enforcing baselines reduces the attack surface,” Soroko said, calling the move “not surprising, very important.”
Corey Michel, CSO at AppOmni, echoed this sentiment, calling the guidance a “much-needed step” toward improving the security posture of federal agencies that rely on cloud and software-as-a-service (SaaS) tools.
“By mandating the adoption of SCuBA secure configuration baselines, the directive provides a uniform approach to securing SaaS applications and directs agencies to focus on proactive risk mitigation,” Michel told ITPro.
Michel added that while the directive is in line with broader cybersecurity initiatives such as Zero Trust Architecture, its success will depend on effective implementation and the deployment of appropriate security tools.
Michel noted that the requirements are reasonable and that the guidance focuses on practical, implementable measures, such as adopting secure configuration baselines.
“These are foundational steps that align with modern SaaS and cloud security models following an identify, protect, detect and respond methodology, allowing organizations to embrace and secure this new attack surface,” he added.
“Deadlines, lack of funding, and lack of sufficient skills will be the main challenges in meeting these requirements,” he said.
The private sector will take some time to catch up
Although CISA's new guidance is a boon for security in the federal and wider public sector, the average company will lag behind it, according to Soroko.
“For a typical mid-sized company, implementing similar controls is expensive – tools, consultants and training budgets are strained. They have a hard enough time understanding the benefits of the FCO,” Soroko said.
“They usually just have IT professionals who are motivated to keep the lights on rather than going through configurations with a fine-toothed comb,” he added.
While government directives often influence the private sector, adoption there is lagging, with many companies resistant because of cost and complexity, he said.
“Clear government standards can slowly change industry standards, but they usually only work if they force vendors who sell into government contracts,” Soroko said.