The Cyber Safety Review Board recently clarified when its next review will be held into malicious attacks on cloud computing environments.

The review will be geared towards government and industry that embed cloud security services within their systems, scoping identity management and authentication in the cloud, as well as security concerns related to migrating cloud data.

Microsoft’s security systems were attacked and exploited to gain access to dozens of U.S. government email accounts in July 2023, forging authentication using a stolen Microsoft encryption key.

The attack has generated scrutiny towards Cloud Service Providers and a broader investigation will be conducted to provide learnings and advanced recommendations for cloud-computing customers like Microsoft.

With industries and governments all reliant on data storage and migration to cloud systems, it is “imperative that we understand the vulnerabilities of that technology”, Alejandro N. Mayorkas, Secretary of Homeland Security, said.

“Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure. In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one. Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience.”  

Threat actor group, Lapsus$, was the subject of other review findings conducted by the U.S. Department of Homeland Security that concluded attackers evaded top security tools and leveraged the risks associated with text messaging and calls for multi-factor authentication.