This week’s binding directive to US government departments to implement secure configurations in cloud applications, starting with Microsoft 365 (M365), is a reminder to all CISOs that cloud platforms, even from major providers, aren’t completely secure out of the box.
“Cloud stuff is easy to manage, easy to deploy,” said Ed Dubrovsky, chief operating officer and managing partner of Cypfer, an international cyber incident response company.
“The challenge of that is the default of M365 platform is not really secure. We in the security profession have been yelling for years [at Microsoft], ‘Why aren’t you saying MFA [multifactor authentication] must be enabled? Why is it an option? That’s just wrong.’”