CISA Mandates Federal Agencies Secure Their Cloud Environments
The government’s top cybersecurity unit is requiring civilian federal agencies to better secure their cloud environments to reduce their attack surfaces and improve resilience in case of a cyberattack.
CISA is ordering the agencies to implement measures outlined in its Secure Cloud Business Applications (SCuBA) initiative, which includes baselines for secure configurations and for assessment tools. The requirements were set out in the agency’s Operational Directive 25-01: Implementing Secure Practices for Cloud Services, which was issued this week.
In its order, CISA noted that “malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises.”
Federal agencies will have to implement the configuration baselines outlined in SCuBA for many of the software-as-a-service (SaaS) products they use, deploy the automated configuration assessment tools developed by CISA for measuring the security of those configurations, integrate with CISA’s continuous monitoring infrastructure, and fix any deviations from the secure configuration baselines.
“Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape, where vendor changes, software updates, and evolving security best practices shape the threat environment,” CISA wrote. “As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also adjust.”
Misconfiguration Problems
Outdated security configurations – which can be easily mitigated – open systems up to exploitation, and configuration best practices will evolve over time as new threats are detected and defenses are developed, CISA noted. This creates the need for ongoing reviews and adjustments to configuration baselines.
Misconfigurations are an ongoing concern as enterprises and government agencies increase their use of the cloud. Federal agencies like the National Security Agency (NSA) have warned about cloud vulnerabilities, writing that “while careful cloud adoption can enhance an organization’s security posture, cloud services can introduce risks that organizations should understand and address both during the procurement process and while operating in the cloud.”
Cybersecurity firm UpGuard last month wrote about common cloud misconfigurations, ranging from unrestricted inbound and outbound ports to mismanaged secrets – including API keys, passwords, and encryption keys – disabled monitoring and logging, and poorly secured automated backups.
Cloud environments are complex, with most companies running their applications and storing their data in multiple clouds. In addition, the division of responsibility for cloud environments between the cloud providers and the cloud users can be confusing.
“Cloud offerings like Amazon Web Services (AWS) are generally secure,” UpGuard wrote. “But since IaaS [infrastructure-as-a-service] uses a shared security model, there’s a great chance of data security issues, including cybersecurity and workload concerns. Misconfigurations when migrating to cloud-native environments can inadvertently lead to cybersecurity loopholes.”
This is a growing worry for organizations. According to a PwC survey, 42% of respondents said they were most concerned about cloud-related threats, yet 34% said they were the least prepared to address them.
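To make the directive’s baseline-assess-remediate cycle concrete, here is an added example (not CISA’s, SCuBA’s or UpGuard’s code) that checks a constructed tenant inventory against a hypothetical baseline built from the misconfigurations named above: MFA, logging, open admin ports, plaintext secrets and unencrypted backups. The baseline rules, setting names and sample tenants are all assumptions for illustration; the real SCuBA baselines and assessment tools are separate and far more detailed.

```python
# Added example (not CISA's, SCuBA's or UpGuard's code): a minimal baseline-deviation
# check for the cycle the directive describes; all rules and settings are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Deviation:
    tenant: str
    control: str
    detail: str

ADMIN_PORTS = {22, 3389}  # hypothetical baseline: admin ports never open to 0.0.0.0/0
SECRET_TAGS = ("password", "api_key", "secret")  # keys whose values must be vault refs
def check_tenant(name: str, cfg: dict) -> list[Deviation]:
    """Return every baseline deviation found in one tenant's settings."""
    found = []
    if not cfg.get("mfa_required", False):
        found.append(Deviation(name, "mfa", "MFA not required for all users"))
    if not cfg.get("audit_logging", False):
        found.append(Deviation(name, "logging", "audit logging disabled"))
    for rule in cfg.get("inbound_rules", []):
        if rule["source"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
            found.append(Deviation(name, "network",
                                   f"port {rule['port']} open to the internet"))
    for key, value in cfg.get("app_settings", {}).items():
        if any(t in key.lower() for t in SECRET_TAGS) and not value.startswith("ref:"):
            found.append(Deviation(name, "secrets", f"{key} stored as plaintext"))
    if not cfg.get("backups", {}).get("encrypted", False):
        found.append(Deviation(name, "backups", "automated backups not encrypted"))
    return found

def assess(inventory: dict) -> dict[str, list[Deviation]]:
    """Assess every tenant; only tenants with at least one deviation are reported."""
    report = {t: check_tenant(t, c) for t, c in inventory.items()}
    return {t: d for t, d in report.items() if d}

SAMPLE_INVENTORY = {  # constructed: one compliant tenant and one that has drifted
    "hr-saas-prod": {
        "mfa_required": True, "audit_logging": True,
        "inbound_rules": [{"port": 443, "source": "0.0.0.0/0"}],
        "app_settings": {"db_password": "ref:vault/hr/db"},
        "backups": {"encrypted": True},
    },
    "legacy-portal": {
        "mfa_required": False, "audit_logging": False,
        "inbound_rules": [{"port": 3389, "source": "0.0.0.0/0"}],
        "app_settings": {"api_key": "CONSTRUCTED-PLAINTEXT-KEY"},
        "backups": {"encrypted": False},
    },
}
```

Running `assess(SAMPLE_INVENTORY)` reports only `legacy-portal`, with one deviation per control; each entry is the kind of finding an agency would have to remediate or report under the directive.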
Threat Landscape Makes CISA’s Order Important
Chris Botelho, senior solutions engineer at SecOps cloud provider LimaCharlie, said that CISA’s directive forcing federal agencies to better protect their cloud environments is important.
“Given the increase in activity of both nation-state actors and ransomware groups targeting third-parties that contract with the federal government rather than the federal government itself, it has become even more important to not only ensure federal systems are protected, but also the organizations that the federal government contracts with in order to protect data and prevent large-scale incidents,” Botelho said.
Deadlines
CISA this week released a directive that gives these agencies until February 21 to identify the tenants in their clouds and the systems and components they own, and to update that inventory in the first quarter of every year. By April 25, agencies need to deploy the SCuBA assessment tools and either integrate the results feeds with CISA’s continuous monitoring solution for automated reporting or report the results manually.
All mandatory SCuBA policies have to be implemented by June 20.
LimaCharlie’s Botelho said the most challenging part of the directive will be getting organizations to change their mindsets about security controls that no longer work in modern computing environments and about the costs involved in ensuring that the controls required by CISA are included in their current licenses.
“This could be something such as MFA [multifactor authentication], which may not be included in a business’ current service license and historically is seen by many as an unnecessary extra step, but significantly increases the authentication security of a business,” he said. “Additionally, there may be regulations in place that a business has to follow that are in conflict with the CISA directive.”