Enhancing Security with CISA’s ScubaGear Baselines for M365
In today’s digital age, securing an organization’s information is more critical than ever. The Cybersecurity and Infrastructure Security Agency (CISA) stood up a program called Secure Cloud Business Applications (SCuBA). The program was a response to Solorigate in 2020 and to the discovery of common cybersecurity gaps that negatively impacted organizations’ risk posture. One of the project’s primary purposes is to provide guidance toward improving the security posture of cloud environments.
The SCuBA program provides a valuable assessment tool called ScubaGear to provide reports that help harden Microsoft 365 environments. Microsoft has worked together with CISA to produce and maintain the secure configuration baselines for ScubaGear as well as an accompanying PowerShell script tool to scan M365 environments. This tool was directed at better securing the commonly misconfigured settings that enabled the adversaries to move laterally to cloud environments, gain access to data, or stay undiscovered. CISA sought to have a mechanism to check for secure configurations in the M365 cloud environment of any organization. Thus, the ScubaGear tool was born.
The CISA and Microsoft partnership within the SCuBA program provides a unified approach to cloud application security and facilitates the sharing of best practices and threat intelligence as organizations work to better secure their environments. This post focuses on the benefits of hardening M365 and outlines some important steps to follow when using ScubaGear to scan and provide reports to assist in finding security settings that better the security posture of tenants.
What is ScubaGear?
ScubaGear is designed to identify weak security configurations of cloud-based business applications used by federal agencies but can be utilized by any organization. ScubaGear provides comprehensive guidelines and standards to assist cloud environments in meeting security requirements. This includes best practices for configuration management, and monitoring of those environments. Baseline implementation guides can be found at Secure Cloud Business Applications (SCuBA) Project | CISA.
The PowerShell source code and download for the tool can be found at GitHub – cisagov/ScubaGear: Automation to assess the state of your M365 tenant against CISA’s baselines. For easier installation, you can utilize PowerShell Gallery (https://www.powershellgallery.com/packages/ScubaGear/1.3.0) to start your scanning journey (Install-Module -Name ScubaGear). Installing and running the tool provides the capability of conducting security assessments of cloud environments via PowerShell and Open Policy Agent to check compliance with the implementation guides. The combination of PowerShell and the Open Policy Agent allows anyone to check compliance with the latest ScubaGear standards through a means of automatically comparing the output of the tool with CISA’s baselines.
The tool is intended to help organizations comply with various security regulations and policies. It aligns with federal mandates and frameworks, and helps systems align to security standards. A report is generated that shows where organizations have appropriately hardened the security controls they need. The tool may also map to other security frameworks, but that mapping has not yet been done. Not every suggestion made by the tool will fit the risk posture or appetite of every organization, but the tool does provide valuable insight and information about an infrastructure’s current security posture.
Benefits of Hardening Microsoft 365
Hardening your Microsoft 365 environments helps organizations to safeguard their data against potential threats. By implementing robust security measures, you can:
Enhance data protection and privacy.
Reduce the risk of unauthorized access.
Improve compliance with industry standards and regulations.
Improve upon logging.
Key Services Checked by ScubaGear
ScubaGear checks for several critical settings across various Microsoft services to provide recommended changes targeted at building more comprehensive security controls. Key settings are included for the following services:
Entra ID: Checks that secure identity management and access controls, such as conditional access policies, are in place.
Defender: Provides advanced threat protection, data loss prevention (DLP) and real-time monitoring settings.
Exchange Online: Looks for anti-phishing settings and other email security options (e.g., DKIM).
Power Platform: Recommends changes to data and application settings within the Power Platform ecosystem.
SharePoint/OneDrive: Addresses security settings for sharing and other site permissions.
Teams: Recommends controls for more secure communication and collaboration within Microsoft Teams.
The ScubaGear team is looking to expand into further M365 services in the future.
By following the steps outlined in this document and using ScubaGear, you can significantly enhance the security of Microsoft 365 environments. ScubaGear’s guidelines and best practices can help you stay ahead of potential threats and foster a secure digital environment for your organization.
Important Steps for Using ScubaGear
To use ScubaGear effectively, it is essential to follow a regimen of regular scans and checks. Here are some key steps to consider:
Regular Scanning: Schedule regular scans of your Microsoft 365 environments to identify and address potential vulnerabilities. Settings can fluctuate over time, and ScubaGear allows for scanning of environment settings to see if there is any deviation from a secure baseline.
Review and Update Security Policies: Validate that your security policies are up-to-date and aligned with the latest best practices.
Implement Recommended Settings: Apply the recommended settings provided by ScubaGear to enhance your security posture.
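As an added example (not part of the original post or the ScubaGear project), the following PowerShell script ties the installation command above to the regular-scanning step: it runs Invoke-SCuBA on a schedule and compares each policy’s pass/fail result with the previous run, so deviation from the baseline shows up as a short drift list instead of a full report re-read. It assumes the ScubaGear module is installed, that output folders are named M365BaselineConformance_<timestamp>, and that each contains a TestResults.json whose entries carry PolicyId, Criticality and RequirementMet (assumptions; adjust to the file and field names your ScubaGear version emits).

```powershell
# Added example, not part of the ScubaGear project: run a scan and report which
# policies changed pass/fail state since the previous scan in the same folder.
# Assumptions: the ScubaGear module is installed (Install-Module -Name ScubaGear);
# output folders are named M365BaselineConformance_<timestamp>; each contains
# TestResults.json with PolicyId, Criticality ("Shall"/"Should") and RequirementMet.
param(
    [string]$OutPath = 'C:\ScubaScans',
    [string[]]$Products = @('aad', 'defender', 'exo', 'sharepoint', 'teams'),
    [string]$Environment = 'commercial'   # or gcc, gcchigh, dod to match the tenant
)

function Get-PolicyState([string]$Folder) {
    # Map PolicyId -> @{ Met = bool; Criticality = string } for one scan folder.
    $state = @{}
    $results = Get-Content -Raw (Join-Path $Folder 'TestResults.json') | ConvertFrom-Json
    foreach ($r in $results) {
        $state[$r.PolicyId] = @{ Met = [bool]$r.RequirementMet; Criticality = $r.Criticality }
    }
    return $state
}

function Get-LatestScanFolder([string]$Root) {
    Get-ChildItem -Path $Root -Directory -Filter 'M365BaselineConformance*' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

New-Item -ItemType Directory -Path $OutPath -Force | Out-Null
$previous = Get-LatestScanFolder $OutPath

# Run the scan; -Quiet keeps the HTML report from opening a browser on a scheduled run.
Invoke-SCuBA -ProductNames $Products -OutPath $OutPath -M365Environment $Environment -Quiet

$current = Get-LatestScanFolder $OutPath
$now = Get-PolicyState $current.FullName

# Failed "Shall" policies are the baseline requirements to fix first.
$now.GetEnumerator() | Where-Object { -not $_.Value.Met -and $_.Value.Criticality -like 'Shall*' } |
    ForEach-Object { Write-Output ("FAIL  {0} ({1})" -f $_.Key, $_.Value.Criticality) }

# Drift: policies that passed last time and fail now (regressions), or the reverse.
if ($previous -and $previous.FullName -ne $current.FullName) {
    $before = Get-PolicyState $previous.FullName
    foreach ($id in $now.Keys) {
        if ($before.ContainsKey($id) -and $before[$id].Met -ne $now[$id].Met) {
            $dir = if ($now[$id].Met) { 'now passes' } else { 'REGRESSED' }
            Write-Output ("DRIFT {0}: {1} (was {2})" -f $id, $dir, $before[$id].Met)
        }
    }
}
```

Register the script as a scheduled task under an account with the read-only roles ScubaGear needs, and treat any REGRESSED line as a change to investigate rather than a new finding to triage from scratch.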
Stay Connected with the Microsoft Public Sector Tech Community
Continue the conversation on advancing technology in government and public services. Join the Microsoft Public Sector Tech Community to connect with peers, share insights, and engage in discussions on IT solutions for government in the discussion space. For updates on cloud security, compliance, and digital transformation, follow the Public Sector Blog.