CISA Unveils Tools to Strengthen Google Cloud Services
2023-12-13 03:35:1 Author: securityboulevard.com

As organizations continue their migration to the cloud, threat groups are not far behind. According to a report earlier this year from cybersecurity firm CrowdStrike, the number of attacks against cloud environments in 2022 jumped 95% year-over-year, and those involving cloud-conscious bad actors almost tripled.

“As cloud integration continues to increase across business environments, adversaries are adding the cloud to their targeting aperture to expand the impact of their attacks,” the report’s authors wrote.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) in April 2022 rolled out a program to develop consistent and modern security configurations aimed at protecting information stored in cloud environments. In October that year, the agency kicked off the first pilot initiative in the Secure Cloud Business Applications (SCuBA) project with security configuration baselines for Microsoft 365 environments.

The baselines were aimed at federal agencies, but CISA Associate Director Michael Duffy at the time encouraged even private organizations that use cloud servers to implement practices being developed within SCuBA when possible.

Baselines for Google

CISA Tuesday took another step in the SCuBA effort, announcing similar minimal secure configuration baselines for Google Workspace applications and ScubaGoggles, a related assessment tool available on GitHub to allow organizations to see how they measure up to the Google baselines.

The baselines were developed in collaboration with Google, Duffy wrote.

“These materials are specifically designed to assist federal agencies with securing GWS environments and leveraging native security capabilities to enhance an organization’s overall cyber posture,” he wrote. “However, every organization, public and private, can benefit from the security recommendations and best practices outlined in the GWS Baselines and should consider whether their current baseline requires enhancements in light of the evolving cyber threat environment.”

With Microsoft 365 and Google Workspace, CISA said it is targeting two of the largest cloud business platforms. According to Statista, Google Workspace last year accounted for 50.34% of the global office productivity software market, followed by Office 365 at 45.46%.

“Users across the Federal Government and beyond rely on these cloud-based business applications daily to communicate and store sensitive information and conduct critical business functions, which is precisely why these systems remain such prime targets for malicious actors,” Duffy wrote.

In addition, CISA offers a range of free open-source tools from its SCuBAGear and other programs that can be used with Azure, Google Cloud, AWS, and other cloud environments, with the agency noting that such tools are important to both cloud providers and users.

“In hybrid cloud operations, it is likely that the organization and its cloud service provider (CSP) share the responsibility of securing critical assets,” the agency wrote.

The new baselines include a collection of security controls for nine Google Workspace services, including Gmail, Google Chat, Calendar, Meet, Groups for Business, and Drive and Docs.

“These baselines … cover key GWS components, such as safeguarding collaboration on Google Meet, securing data stored in Gmail or protecting sensitive information in Google Drive and Docs,” Duffy wrote.

CISA is taking in comments from interested stakeholders until January 12, 2024. Comments can be mailed to [email protected].

Storm-0558 a Cautionary Tale

Programs like SCuBA are taking on greater importance as hackers increasingly target cloud environments, Duffy wrote, noting the attack this summer by China-linked threat group Storm-0558, which hacked its way into Microsoft 365 and Exchange Online accounts and stole email from government and corporate accounts.

Such attacks “have demonstrated the importance of hardening email and identity infrastructure, enabling key security capabilities such as logging, and enhancing the security of underlying cloud environments,” Duffy wrote, adding that the Biden Administration’s Executive Order to strengthen the nation’s cybersecurity “has accelerated cross-government efforts to advance cloud security practices, implement encryption and multifactor authentication, and enhance operational visibility and logging on federal government networks.”

CISA earlier this year worked with 12 federal agencies to implement the Microsoft 365 baselines across their environments.


Source: https://securityboulevard.com/2023/12/cisa-unveils-tools-to-strengthen-google-cloud-services/