Cloud Security Reminders for CISOs
A Binding Directive for Secure Configurations in Cloud Applications
This week, the US government issued a binding directive to all government departments to implement secure configurations in cloud applications, starting with Microsoft 365 (M365). The directive is a wake-up call for all Chief Information Security Officers (CISOs): cloud platforms, even from major providers, are not completely secure out of the box.
Cloud Security Challenges
Ed Dubrovsky, Chief Operating Officer and Managing Partner of Cypfer, an international cyber incident response company, emphasizes the ease of managing and deploying cloud applications.
“Cloud stuff is easy to manage, easy to deploy,” said Dubrovsky. “However, the challenge lies in the default settings of the M365 platform, which are not necessarily secure.”
Security Concerns with M365
Dubrovsky highlights a specific security concern with M365: multifactor authentication (MFA) is not mandatory for all users. He notes that the security profession has for years been urging Microsoft to make MFA a requirement rather than an optional feature.
“Why aren’t you saying MFA must be enabled? Why is it an option? That’s just wrong,” said Dubrovsky, emphasizing the importance of implementing robust security measures.
Implementation of Secure Configurations
The binding directive issued by the US government emphasizes the need for secure configurations in cloud applications. CISOs must ensure that their cloud platforms are configured to meet the required security standards.
Implementation of secure configurations requires a thorough understanding of the cloud platform, as well as the security requirements of the organization. CISOs must work closely with their teams to ensure that all security measures are implemented correctly.
Conclusion
The binding directive issued by the US government reminds CISOs that cloud platforms, even from major providers, are not completely secure out of the box. The lack of mandatory MFA in M365 is a significant security concern that must be addressed. CISOs must ensure that their cloud platforms are configured to meet the required security standards and that all security measures are implemented correctly.
FAQs
Q: What is the purpose of the binding directive issued by the US government?
A: The purpose of the binding directive is to require all government departments to implement secure configurations in cloud applications, starting with Microsoft 365 (M365).
Q: Why is MFA not mandatory in M365?
A: Microsoft offers MFA in M365 as an optional feature rather than a requirement. Security professionals, including Ed Dubrovsky, argue that MFA should be mandatory for all users to ensure robust security.
Q: What are the implications for CISOs?
A: CISOs must ensure that their cloud platforms are configured to meet the required security standards. This includes implementing secure configurations and verifying that all security measures are applied correctly.
Q: How can CISOs ensure secure configurations in cloud applications?
A: CISOs can ensure secure configurations in cloud applications by working closely with their teams, having a thorough understanding of the cloud platform, and implementing robust security measures, including MFA.