The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to secure their Microsoft 365 cloud environments. Going forward, agencies like the Department of Homeland Security, Department of Energy, and hundreds more must adhere to this binding order (BOD 25-01) by ensuring their Microsoft 365 environments comply with secure configuration baselines.
“In a number of recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and has resulted in actual compromises.” — Matt Hartman, deputy executive assistant director for cybersecurity at CISA
The goal of this government-wide directive is to reduce the attack surface of federal networks by mandating best-practice security rules and settings for critical SaaS applications—a similar directive for Google Workspace is expected in 2025.
Applications like Microsoft 365 now house the most critical data for both public and private organizations. And attackers are taking notice. Large-scale breaches like the Midnight Blizzard attack on Microsoft—where attackers gained unauthorized access through a vulnerable test tenant—show how effective and damaging attacks on these cloud environments can be when applications are not properly configured.
Monthly SaaS breaches have increased 300% — with 1-in-6 of these attacks due to misconfigurations
All scoped federal agencies must take the following actions for their Microsoft 365 products, including Azure Active Directory (now Entra ID), Microsoft Defender, Exchange Online, Microsoft Teams, Power Platform, SharePoint Online and OneDrive services.
SaaS applications are easy to deploy and integrate, so they often go unnoticed; as many as 45% of all applications in a corporate environment might be shadow SaaS (invisible to IT and security teams). Plus, applications like Microsoft 365 may have multiple tenants. This makes discovery a challenging but necessary process: a tenant that is never found is never audited, and its misconfigurations are never fixed.
CISA’s Secure Cloud Business Applications (SCuBA) project defines specific configuration baselines for Microsoft 365 settings. Each application is audited against these baselines to determine whether it meets the required secure standard. Because every service has its own process for remediating out-of-compliance posture settings, teams without a dedicated SaaS Security Posture Management (SSPM) solution will need an internal application expert for every in-scope service.
Federal agencies must enforce and prove every Microsoft 365 service adheres to the security settings and controls within the SCuBA framework. Because there are many services offered within Microsoft 365, manually aligning every posture control quickly becomes unmanageable.
Moving forward, these public agencies must also implement all future updates to the SCuBA policies. Monitoring for configuration drift as new services, accounts, integrations, and other changes are introduced is required to maintain compliance.
While not directly within CISA’s scope, organizations not covered by the order should also adhere to these policy standards to ensure their data and Microsoft environments remain secure.
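The assess-then-monitor cycle described above, as an added illustration that is not part of the original post or Obsidian's product: a tenant settings snapshot is evaluated against a small set of baseline rules, and two snapshots are compared so that any control that regresses is joined to the audit entries showing who changed the setting and when. The rule IDs, setting names and audit records are constructed placeholders, not real SCuBA policy identifiers or Microsoft 365 configuration keys.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Constructed, illustrative rules in the spirit of SCuBA baseline controls.
# IDs and setting names are placeholders for this example only.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    service: str
    setting: str                   # key in the flattened tenant snapshot
    check: Callable[[Any], bool]   # True when the setting value is compliant

BASELINE = [
    Rule("EX.AAD.1", "Entra ID", "aad.legacy_auth_blocked", lambda v: v is True),
    Rule("EX.AAD.2", "Entra ID", "aad.mfa_scope", lambda v: v == "all_users"),
    Rule("EX.EXO.1", "Exchange Online", "exo.smtp_auth_enabled", lambda v: v is False),
    Rule("EX.SPO.1", "SharePoint Online", "spo.sharing_capability",
         lambda v: v in ("Disabled", "ExistingExternalUserSharingOnly")),
]

def assess(snapshot: dict) -> list:
    """Return IDs of baseline rules the snapshot fails; a missing setting fails closed."""
    return [r.rule_id for r in BASELINE
            if r.setting not in snapshot or not r.check(snapshot[r.setting])]

def detect_drift(previous: dict, current: dict, audit_log: list) -> list:
    """Controls that passed in `previous` but fail in `current`, each joined to the
    audit entries that touched its setting so the responsible change is visible."""
    regressed = sorted(set(assess(current)) - set(assess(previous)))
    by_id = {r.rule_id: r for r in BASELINE}
    return [{"rule_id": rid, "service": by_id[rid].service,
             "setting": by_id[rid].setting,
             "old": previous.get(by_id[rid].setting),
             "new": current.get(by_id[rid].setting),
             "changes": [e for e in audit_log if e["setting"] == by_id[rid].setting]}
            for rid in regressed]

# Constructed sample data: a compliant snapshot, a later snapshot with one
# regression, and a constructed audit trail of who changed what and when.
COMPLIANT = {"aad.legacy_auth_blocked": True, "aad.mfa_scope": "all_users",
             "exo.smtp_auth_enabled": False, "spo.sharing_capability": "Disabled"}
DRIFTED = dict(COMPLIANT, **{"spo.sharing_capability": "ExternalUserAndGuestSharing"})
AUDIT = [
    {"time": "2025-01-10T14:02:00Z", "actor": "admin@example.gov", "setting": "spo.sharing_capability"},
    {"time": "2025-01-10T14:05:00Z", "actor": "admin@example.gov", "setting": "teams.guest_access"},
]

if __name__ == "__main__":
    for d in detect_drift(COMPLIANT, DRIFTED, AUDIT):
        print(d["rule_id"], d["service"], d["old"], "->", d["new"],
              [(c["actor"], c["time"]) for c in d["changes"]])
```

A real pipeline would populate the snapshot from the tenant's configuration export and the audit list from the tenant's admin audit log; the unrelated Teams entry shows that only changes to the regressed setting are attached.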
Obsidian helps customers address the challenges of identifying cloud tenants in their environment and ensuring ongoing compliance to SCuBA requirements across the Microsoft suite. To support this, the Obsidian platform delivers three distinct outcomes customers can take advantage of to accelerate their adherence efforts:
To ensure ubiquitous coverage and visibility, Obsidian’s Extend and browser extension capabilities automatically identify every SaaS application used within the organization.
User access, authentication mechanisms, roles, permissions, and details about tenants and subservices are continuously identified. This provides a low-friction method of inventorying every Microsoft tenant across subservices and supplies the details needed to mitigate risks that would result in non-conformity with binding order BOD 25-01.
When it comes to evaluating whether the settings called out in the SCuBA framework are in compliance, it’s important to understand the scale and complexity of where these settings exist and their effect across tenants.
Obsidian simplifies this process by validating and reporting on each setting simultaneously with custom notifications when a particular setting has changed, along with the audit record of who made the change and when. Due to all the complexity and variance across Microsoft applications and tenants, a single pane of glass for the entire ecosystem, with the ability to quickly identify and remediate failures at scale, is a critical component of a holistic approach.
Once a SCuBA compliant posture has been achieved across Microsoft applications, it’s of utmost importance to maintain it. Using Obsidian’s action policy system, alerts, notifications, and ticketing integrations can be set up to ensure the right teams are engaged if any configuration drifts towards a non-conforming state.
This, combined with Obsidian’s compliance module, enables customers to demonstrate adherence to SCuBA with on-demand access to evidence for each control in scope.
With these capabilities, customers gain comprehensive visibility and continuous assessment of their Microsoft environment to meet BOD 25-01 baseline requirements.
To learn more about the Obsidian platform and how we help our customers secure their Microsoft 365 environments, schedule a demo today.