CISA, the US Cybersecurity & Infrastructure Security Agency, began an initiative to help organizations manage cloud risks with the Secure Cloud Business Applications (SCuBA) project. While there are many secure cloud configuration guides, such as those from CIS (Center for Internet Security), SCuBA puts a new twist on them by mapping controls to attack patterns and measuring an organization's visibility into those attacks. Intriguing!
Here are some takeaways compared to CIS:
- Simpler than the CIS Benchmarks: SCuBA defines minimum viable security requirements, so depending on risk tolerance and the criticality of the data in O365, you can scale back from CIS to SCuBA.
- Both offer scripts and step-by-step instructions for implementing and auditing configurations; SCuBA additionally publishes its tooling on GitHub, which makes implementation easier.
- CIS requires email and identification information to download while SCuBA has no requirements.
- SCuBA adds insight into risks, attack patterns, and visibility into those attacks through its eVRF framework. While I haven't walked through one completely, it's an interesting take and can provide valuable input into monitoring, alerting, and configuration. Here's an example from CISA's framework document:
- SCuBA was released in 2023, after a comment period in 2022. It doesn't have as much mileage on it as the CIS Benchmarks, which started in 2000.
While SCuBA takes an interesting approach to a control framework, I haven't seen an implementation of it yet. CIS has much more experience and is a suggested replacement for the FFIEC's Cybersecurity Assessment Tool (CAT). However, SCuBA could complement CIS with its attack patterns and visibility into cloud applications.
Here are links to the framework and information to explore:
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project