Alert essentials:

CISA issued Binding Operational Directive (BOD) 25-01 on December 17, 2024, requiring Federal Civilian Executive Branch agencies to implement the secure practices defined by the Secure Cloud Business Applications (SCuBA) project.

Review guidance and verify cloud services are securely configured.

 

Detailed threat description:

Often, users expect that security is included when purchasing cloud services, but that is rarely true. Cloud security refers to the cybersecurity policies, best practices, controls, and technologies to secure applications, data, and infrastructure in cloud environments. It works to provide storage and network protection against internal and external threats and strengthen access management, data governance, and disaster recovery efforts.

Cloud computing has become the technology of choice for companies looking to gain the agility and flexibility needed to accelerate innovation and meet the expectations of technology advancements. However, migrating to more dynamic cloud environments requires new approaches to security to ensure that data remains protected across online infrastructure, applications, and platforms.

Cloud service providers (CSPs) typically follow a shared responsibility model, which means cloud computing security is the responsibility of both the cloud provider and the customer. Understanding where the provider’s security responsibilities end and the customer’s begin is critical for building a resilient cloud security strategy.

This week, CISA issued a new directive from the Secure Cloud Business Applications (SCuBA) project to help. Its guidance addresses cybersecurity and visibility gaps within cloud-based business applications. The directive provides secure configuration baselines and covers various services, including Microsoft 365 offerings such as:

  • Azure Active Directory / Entra ID
  • Microsoft Defender
  • Exchange Online
  • Power Platform
  • SharePoint Online & OneDrive
  • Microsoft Teams

Some key security measures include:

  • Blocking legacy authentication
  • Enforcing phishing-resistant multi-factor authentication
  • Restricting application registration and consent
  • Implementing strict email security policies
  • Limiting external sharing in SharePoint and OneDrive

While mandatory for federal agencies, CISA recommends all stakeholders implement these policies to enhance cybersecurity resilience.

Impacts on healthcare organizations:

Securing a cloud environment offers numerous benefits to organizations, such as enhanced data protection, business continuity, reduced administrative burden, and cost savings.

By safeguarding digital assets, cloud security increases data protection, ultimately contributing to patient loyalty and community health.

 

Recommendations

Engineering recommendations:

  • Identify all cloud tenants within the organization
  • Deploy SCuBA assessment tools for in-scope cloud tenants
  • Promptly review and resolve any security issues
  • Update the inventory list of cloud computing devices and review it again annually in the first quarter

Leadership/Program recommendations:

The Federal Executive Branch, departments, and agencies must adopt a binding operational directive to safeguard federal information and information systems. 44 U.S.C. § 3552(b)(1).

Section 3553(b)(2) of Title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.

Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(ii).

These directives do not apply to statutorily defined “national security systems” or certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3).

This directive refers to the systems it applies to as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

 
