Secure Cloud Business Applications (SCuBA) Project - 20230809004

Overview

The Cybersecurity & Infrastructure Security Agency (CISA) in the US has provided US agencies with detailed guidance and capabilities to secure cloud business application environments and protect information that is created, accessed, shared and stored in those environments. The WA SOC, having reviewed this content, sees great value in this guidance for both state agencies and private industry.

Key Resources

  1. The CISA Secure Cloud Business Applications (SCuBA) Project overview.

  2. SCuBA Technical Reference Architecture (TRA) - A security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks.

  3. Extensible Visibility Reference Framework (eVRF) Guidebook - Provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.

  4. ScubaGear M365 Secure Configuration Baseline Assessment Tool - Verifies that an M365 tenant's configuration conforms to the policies described in the Secure Cloud Business Applications (SCuBA) Minimum Viable Secure Configuration Baseline documents.

Recommendation

The WA SOC recommends that agencies with cloud business applications that host any sensitive information review the TRA for guidance on securing those applications, and the relevant eVRF documents to assist in gaining increased visibility over their services. The specific guidance documents relate to Google Workspace and Microsoft 365 cloud services, but the broader principles can be applied across many cloud business applications.