Implementing CISA's SCuBA Project
In Your Cloud
Micah Linehan
CTO - Cybersecurity
As more federal civilian agencies migrate their business applications to the cloud, it’s critical that they take an aggressive stance toward managing security configuration baselines proactively in order to ensure data remains secure while adhering to Cybersecurity and Infrastructure Security Agency (CISA) guidance.
CISA has published two Microsoft configuration baseline documents and developed an automated assessment tool called ScubaGear to analyze GWS tenant configurations against these baselines.
Microsoft 365
Federal efforts to avoid another SolarWinds-like breach are becoming more centralized in one agency: the Cybersecurity and Infrastructure Security Agency (CISA). CISA is spearheading a national cybersecurity agenda intended to extend into private industry environments amid mounting geopolitical tension; one high-profile initiative being SCuBA.
SCuBA stands for Secure Cloud Business Applications. It is a project that seeks to assist federal agencies with protecting their business application environments and safeguarding federal information created, accessed, shared, or stored within those apps. In addition, visibility gaps that impeded federal civilian executive branch (FCEB) efforts at managing cybersecurity risks for their IT enterprises, as well as detecting or responding to cyber threats, are addressed through SCuBA.
SCuBA will not only establish baselines for critical business applications, but will also ensure FCEBs are configured and integrated correctly into existing enterprise systems. It aims to standardize security configurations across widely used cloud business apps while mandating agencies share relevant telemetry with CISA in order to facilitate threat analysis, incident response, and risk-mitigation activities.
The initial release of resources under SCuBA includes two documents—the Technical Reference Architecture (TRA) document and an Extensible Visibility Reference Framework (eVRF) guidebook. The TRA document establishes a model of “shared responsibility,” where agencies are accountable for configuring business applications securely while vendors must ensure the integrity of SaaS platforms underlying those applications; CISA then is accountable for outlining baseline security requirements.
The eVRF guidebook will enable organizations to identify the visibility data necessary for threat detection and response, assess their ability to collect and leverage this telemetry, as well as any gaps in their product offerings. Both documents will eventually be accompanied by an assessment tool to assess compliance of an organization’s Microsoft 365 environment with new security baselines.
Hybrid Identity Guidance
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued new identity management guidelines that address transitioning identity management capabilities to the cloud. Entitled “SCuBA Hybrid Identity Solutions Architecture,” these guidelines seek to inform agencies on their options for migrating identity management functions to the SaaS model, also known as IDaaS (Identity as a Service).
CISA provides guidance that details various hybrid identity architectures, outlining their advantages and disadvantages to assist agencies in choosing one that best meets their unique needs and risk tolerances. Key factors considered when making their selection include time, existing infrastructure complexity, and implementation cost compared to each alternative option.
Provisioning and synchronizing identity data across both on-premises Active Directory (AD) and Entra ID are crucial steps in creating hybrid identities, as it ensures all identity data in both directories remain consistent. There are various methods to do this; PIM solutions offer one such means.
Other practices recommended in this guidance are federated authentication, pass-through authentication, password hash synchronization, and cloud primary authentication. Furthermore, two-factor authentication should be required when providing outbound guest access to resources within another tenant, and activation duration should not exceed one hour for privileged accounts, significantly decreasing an attacker’s window of opportunity.
The SCuBA project aims to assist federal civilian executive branch (FCEB) agencies secure their Microsoft 365 and Google Workspace environments by offering baseline configurations that ensure federal information created, accessed, shared, or stored within these environments remains intact. Furthermore, its primary goal is to strengthen FCEB cybersecurity postures against continuously-evolved threat actors.
Technical Reference Architecture (TRA)
CISA’s SCuBA Project provides federal civilian agencies with much-needed guidance for securing SaaS applications, to address visibility gaps that impede our understanding and managing of cyber risk across our entire federal network.
The SCuBA project released two guidance documents —Technical Reference Architecture (TRA) and Extensible Visibility Reference Framework (eVRF). Both guides outline a technical architecture and framework for protecting SaaS applications; with TRA outlining a layered, scalable approach for protecting common business applications while the latter provides advice for overseeing security in multi-cloud environments.
eVRF provides an architecture to enable the identification of visibility data for specific applications and identify gaps that might exist between visibility data and actual application use. Furthermore, its flexible framework can easily accommodate changes to technologies or capabilities to enable security integration into business processes as well as managing overall security posture.
One of the more comprehensive sections of TRA is its Shared Services Layer, which details cloud-service models, FedRAMP roles and responsibilities, and application authorization boundaries. Organizations should closely consider this section when planning for cloud security-layered approaches.
Extensible Visibility Reference Framework (eVRF)
CISA recently unveiled its inaugural series of security guidance resources under its SCuBA project—Technical Reference Architecture (TRA) and an Extensible Visibility Reference Framework (eVRF). CISA actively solicited input for these documents in order to make sure our guidance allows for rapid technological evolution while continuing to protect federal enterprises.
These two documents assist agencies with creating secure implementation architectures for Microsoft 365 and Google Workspace cloud business apps, providing guidance around their deployment as well as tips and recommendations on how best to configure them to comply with Federal Risk and Authorization Management Program requirements.
Additionally, the eVRF provides agencies with capabilities they can use to identify and mitigate threats that could threaten business application environments. This enables agencies to gain visibility into their cloud services as well as detect anomalous behavior or activities that may indicate an attack attempt.
CISA will continue its leadership of various identity and visibility projects, while strengthening our cloud capabilities, such as publishing an official guidance document on recommended cybersecurity configuration baselines for selected products that should become available soon.
We Can Help!
If you have questions about securing your cloud infrastructure or any of the concepts discussed in this article, contact our team at info@eGroup-us.com or complete the form below.
Need Assistance with Cybersecurity?
Contact our team of experts today!
