If your organization runs on Microsoft 365 or Google Workspace, you've already made a bet that a cloud provider can run infrastructure more securely than you can. That bet is usually a good one — but it comes with a catch too many organizations discover only after an incident.
The provider secures the platform. You are responsible for how it's configured. Default settings are built for adoption and convenience, not for your risk profile. Legacy authentication left enabled, external sharing left wide open, mail forwarding rules nobody reviews — these are the quiet misconfigurations behind a large share of real-world business email compromise and data exposure cases.
The hard part hasn't been knowing that misconfigurations exist. It's answering two deceptively simple questions: "Secure compared to what?" and "How do we prove it, repeatedly, without burning weeks of admin time?" That's exactly the gap CISA's Secure Cloud Business Applications (SCuBA) project was built to close.
What SCuBA actually is
CISA established the SCuBA project in 2022 after a string of SaaS-focused intrusions exposed how inconsistent cloud tenant configurations were, even across federal agencies with dedicated security teams. The project produced two things of real value to every organization, not just government:
Secure Configuration Baselines (SCBs). Prescriptive, policy-by-policy hardening guidance for Microsoft 365 (including Entra ID, Exchange Online, SharePoint, Teams, and Defender) and for Google Workspace (Gmail, Drive, Meet, Common Controls, and more). Each policy states what to configure, why it matters, and how it maps to threats.
Automated assessment tools. ScubaGear for Microsoft 365 tenants and ScubaGoggles for Google Workspace read your actual tenant settings and grade them against the baselines — no guesswork, no manual screenshot audits.
Why SCuBA beats ad-hoc hardening
SCuBA's first advantage is authority. It's not another vendor's "best practices" checklist — it's the configuration standard the U.S. government requires of itself. Under Binding Operational Directive 25-01, federal civilian agencies must run these very assessments and report results to CISA. Aligning to that baseline gives you a defensible, vendor-neutral answer when a board member, auditor, or cyber insurance underwriter asks why your tenant is configured the way it is.
Just as important, SCuBA automates what was previously weeks of manual work. Instead of an administrator spending days combing through conditional access policies, transport rules, and sharing settings to produce an audit report that's stale the moment it's completed, ScubaGear and ScubaGoggles pull your actual tenant settings through Microsoft and Google APIs and grade them against the baselines in minutes, delivering reports both humans and tooling can consume.
The framework also does double duty as compliance infrastructure. Every control is mapped to NIST SP 800-53 and MITRE ATT&CK, so a SCuBA report traces directly to the control families and adversary techniques that auditors under NIST CSF, GLBA, FFIEC, HIPAA, or SOC 2 want to see — hardening and compliance evidence in one artifact.
Where your business legitimately needs to deviate from the baseline, SCuBA's configuration file lets you formally document exclusions with your reasoning, turning "we turned that off and forgot why" into a traceable risk-acceptance record. And because assessments are scripted and configuration-driven, the same evaluation can run monthly or quarterly, transforming a point-in-time audit into continuous assurance that catches configuration drift before an attacker does.
The value in one line.
SCuBA turns "how are we configured?" from an archaeology project into a script — one your board, your auditor, and your insurance carrier can all read.
Honest caveats
In the interest of balanced analysis, a few things SCuBA is not:
- It assesses configuration, not behavior. SCuBA will tell you legacy authentication is enabled; it won't tell you someone is actively abusing it. You still need monitoring and response.
- ScubaGoggles is younger than ScubaGear and still maturing toward its 1.0 release, so Google Workspace findings deserve a careful human review.
- Remediation is on you. The report identifies the gap; closing it — especially conditional access changes that can lock users out if done carelessly — requires planning, testing, and change control.
- Baselines are a floor, not a ceiling. Your regulatory obligations or threat model may demand controls that go beyond SCuBA.
From framework to practice: the Digital Elevation Cloud Security Review
Those caveats are exactly why we built our Cloud Security Review service, offered for both Microsoft 365 and Google Workspace environments. Digital Elevation includes the CISA baselines rather than simply handing clients a tool and a report. Each review starts where SCuBA starts: we compare your tenant configuration against the CISA baseline standards across the full product stack (Entra ID, Defender, Exchange Online, SharePoint Online, Teams, and the Google Workspace equivalents). Then we add the layers an automated scan can't provide:
Thirty days of log analysis. Configuration tells you whether the doors are locked; logs tell you whether someone has been rattling the handles. Each review examines a month of tenant access activity to surface malicious and potentially malicious sign-ins — closing the "configuration, not behavior" gap noted above.
Standardized tenant reporting. A consistent monthly snapshot of the things that quietly drift: global administrator accounts, MFA coverage, registered applications, devices, licensing, users, mailbox settings, and mailbox rules (the last being a favorite persistence mechanism in business email compromise).
Conditional Access policy summary. A plain-language readout of the identity policies that actually govern who gets in and under what conditions.
Exception tracking. An Exception Tracking Action Report documents every intentional deviation from the baseline — a formal risk-acceptance record that turns "we turned that off on purpose" into evidence an auditor can work with.
Prioritized recommendations and a Security Risk Identifier. Findings are ranked by real-world risk and rolled up into a single indicator your leadership can track from month to month as a trend line, not just the snapshot.
All reporting is encrypted and delivered via secure download, and our security team is available to walk your team through the findings. The service runs on a cadence matched to your risk profile — monthly for high-risk or regulated environments, bi-monthly or quarterly for smaller deployments — and it's included with our IT Security Assessment and monthly Vulnerability Management engagements, so many clients gain this visibility as part of a program they already run.
Why this model fits the mid-market
Mid-market organizations live with an uncomfortable asymmetry: they face substantially the same cloud threats as the Fortune 500 — credential stuffing, token theft, business email compromise, malicious OAuth applications — without a dedicated security engineer or dedicated security vendor. Regular cloud reviews fall to the current IT team. In practice, that means well-intentioned plans for regular configuration reviews quietly become annual, then non-existent.
A recurring managed review resolves that asymmetry economically. For a predictable operational cost — far below a SaaS security posture management platform plus the analyst time to run it — you get government-grade baseline assessment, human expert interpretation, and month-over-month trend visibility, without adding headcount or pulling your team off the work that keeps the business running.
Because misconfigurations are cumulative, every admin change, migration, and vendor integration is a chance for drift. The value of the review compounds with each cycle: problems are caught in weeks, not discovered in a breach post-mortem eighteen months later.
The compliance dividend
For organizations answerable to a framework or an examiner, the recurring review pays a second dividend: it manufactures audit evidence as a byproduct of good security practice. Nearly every framework a mid-market company encounters — NIST CSF, ISO 27001, CIS Controls, HIPAA, SOC 2, GLBA, and the FFIEC expectations that flow from it — requires some version of the same three things: a defined configuration standard, periodic verification against that standard, and documented handling of exceptions. A monthly CISA-baseline review satisfies all three, and produces the dated, consistent, standardized reports that turn an audit from an archaeology project into a file pull.
The exception tracking component deserves particular emphasis. Examiners rarely fault an organization for a documented, risk-accepted deviation with a business rationale; they routinely fault organizations for deviations no one can explain. A running exception report demonstrates exactly the risk-management maturity that frameworks — and increasingly cyber insurance underwriters — are probing for. The same is true of the MFA coverage, global administrator, and mailbox rule reporting: these map directly to the access-control and monitoring questions on virtually every compliance questionnaire and insurance application your organization will face this year.
The review makes you more secure, and in a regulated or insured business it does something nearly as valuable: it keeps you continuously able to prove it.
Getting started
A one-time Cloud Security Review validates your current posture; an ongoing program keeps it validated. Either way, the first step is the same: measure your tenant against an authoritative baseline and see where you actually stand. From there, we can help you prioritize remediation, document your exceptions, and settle into a cadence that fits your risk profile and budget.
See where your Microsoft 365 or Google Workspace tenant actually stands.
A Cloud Security Review measures your tenant against the CISA baselines, surfaces the drift, and gives you a plan to close it.
Start the conversation arrow_forwardW. Scott Montgomery is Director of Security at Digital Elevation. Practical security for the mid-market — reach the team at 616-600-4737 or info@digitalelevationusa.com.