Office 365 GCC High Overview and Compliance Strategy (session transcript)
So we're just coming off of a big event that we had in DC last week. We had the Ignite the Tour, which we held there, and had a good opportunity to have many of the folks participating from the defense industrial base as well as the Department of Defense and government agencies. How many of you have had an opportunity to go to Ignite? Okay, so just a few hands.

What I did is I took three sessions that we delivered last week and compressed them into some content to share with you this morning. If you look at, for example, the evolving market that we have, especially around cybersecurity and alignment with the defense industrial base, Microsoft has innovated alongside the DoD compliance requirements in terms of delivering to you a US Sovereign Cloud to meet requirements for data handling, including controlled unclassified information. So we'll delve into that. I'd like to give you just a quick primer on the compliance that we have, especially the requirements for satisfying the Department of Defense regulations.

This goes back to our first introduction to the US government clouds, which we've had now for seven years, with a FedRAMP Moderate accreditation, and now of course FedRAMP High, which we've achieved in a number of our clouds. About five years ago we had a major initiative internally across all of Microsoft to align on the NIST framework for cybersecurity. So the way that we're able to achieve what you see here, called the "NASCAR slide", with all the various different accreditations that we have, ranging from regional to industry-specific regulations, certifications and standards, etc., is because we do hit this high bar for a control set that we implement across the board. All of our product groups and teams develop towards the NIST Cybersecurity Framework.

And that includes, for example, if you look at our system security plan for Office 365 and for our services for both infrastructure as a service and platform as a service, you'll find that our system security plan is all based on NIST 800-53. We also, of course, have implemented ISO 27001 for nearly a decade now. If we dive into the various standards that we have for the government, this is where you'll find an introduction of our US Sovereign Cloud, which I'll give you a primer on here in just a moment. That includes the Security Requirements Guide, for example: in our US Sovereign Cloud we do hit an IL5 level of accreditation. We now have even a Level 6 with our secret cloud, and of course there are a lot of cross-dependencies on things like our FIPS 140-2 encryption.
We do have the largest set of requirements in terms of being able to satisfy the regional and industry-specific standards, especially if you look at the International Traffic in Arms Regulations (ITAR), controlled unclassified information and export controls. So we worked with the Department of Defense and we built a new data enclave specific for the DoD. Initially this was our IL5 environment; that now includes Azure Government, and it's been extended beyond just the DoD to include also the defense industrial base and other federal civilian cabinet-level agencies that have requirements that we would extend into data sovereignty. It's fully isolated both physically and virtually. It has an infrastructure that is only within the continental United States. It's managed by screened US persons by contract; we actually do implement screened US citizens as part of the service personnel for the US Sovereign Cloud. And we also have all the networks and data processing held within the continental United States.

That did give us the platform to build software as a service on top of. So the first cloud that we introduced as part of the US Sovereign Cloud for software as a service would be the DoD environment: Office 365 DoD is available to those that are authorized by the DoD, as an IL5 environment. Now, that did preclude the defense industrial base from having ownership of tenants within that environment in most cases, and if you look at the federal cabinet-level agencies like the Department of Homeland Security, FBI, etc., they also were not allowed into that enclave for the DoD.

So we built a twin environment, and the twin environment is managed with the same set of controls as DoD. We refer to that, as you can see, as GCC High, and this is where many of you, being defense industrial base customers, would reside. The one key takeaway is around branding. If you look at software as a service, generally we will brand software as a service as GCC High; infrastructure as a service and platform as a service we refer to as Azure Government. The overlap there, though, is that they both are part of the US Sovereign Cloud, and certain services like Enterprise Mobility and Security would be shared between the two.

As Microsoft, we only have a contractual obligation for data sovereignty, for being able to give you assurances around ITAR and controlled unclassified information, in general within the US Sovereign Cloud, so that's a combination of Azure Government and GCC High. Okay, commercial: we do not have any contractual obligations, primarily because if you look at commercial there are tens of thousands of tenants that represent everything from education customers to healthcare customers to financial services. We simply cannot identify individual tenants within commercial as being a government tenant or a DoD- or DIB-aligned tenant. So it's untenable for us to be able to, for example, do the reporting requirements that we have for DFARS 7012 and the (c) through (g) flow-down clauses.
I'd be remiss if I didn't call out that it is a shared responsibility for compliance. You'll hear that repeated throughout the day here today. Some of the follow-up sessions that we have would go into depth in terms of what your customer responsibility is, in order to take a lot of the capabilities that Microsoft provides to you and configure them in such a manner that would help you to close the gap. You know, the size of the slice of the pie, if you will, for customer responsibilities largely will depend on the workload that you're deploying. So you can imagine that for software as a service, Microsoft would close the gap in terms of customer responsibilities, being a much shorter putt for you, as opposed to infrastructure as a service, for example. So for software as a service, we would manage all the physical security and host infrastructure, etc., and you can inherit our controls. So for Office 365 and for Enterprise Mobility and Security, you can take our system security plan, you can overlay your configuration, as well as, for example, how you would document and implement access control for US persons only having access to controlled unclassified information, etc. That would give you a holistic solution. In terms of infrastructure as a service, naturally you'll own more than half of those controls, because you would be all the way down to the OS.

CMMC. So I had quite a bit more content, but at this point in time I do not have authorization from legal to share our exact commitment on CMMC. But let me just delve into, from a high level, a number of principles. If you look at the CMMC framework, levels one through five: you know, we have for the last seven years implemented FISMA and FedRAMP, now even a FedRAMP High accreditation, that incorporates many of the cybersecurity controls that overlap with CMMC. We also have implemented the NIST Cybersecurity Framework. We've had those in place, as I mentioned, across all of our product groups now for the last five years. Many of the disciplines that you'll see called out as part of CMMC we align with and already have implementation of in all of our clouds.
And this is virtually every customer I talk to. I mean, whenever I go back to the very beginning, when we had the initial release of the US Sovereign Cloud (back then it was called Pathfinder and then Trailblazer, not to be confused with the Pathfinder discussed later on today): if you look at the initial release of what's now known as the GCC High environment, our very first customers went into this data enclave approach, versus now looking at comparing or contrasting that to going all in. Just quickly, I want to set a principle here that there's a difference between shared data and personal data. Whenever I say personal data, I'm not referring to your Hotmail account and your family photo library; I'm referring to personal data that would be inside the context of your enterprise. So that would be your personal mailbox where you send and receive email; that would be your OneDrive for Business or your M drive, your My Documents directory; that would be where you host meetings from, right, your SIP account, your account that would be within Teams or within Skype for Business, etc. That's all personal data, versus shared data, which would primarily be unstructured file storage.

Now, if we look at this as a spectrum, it would go from, okay, well, I've got a data enclave approach. This is where a lot of my customers have begun their journey, saying: today I've got all my users either deployed on-premises with their personal data, or in a commercial cloud environment, or some combination of on-premises and commercial, in which case I need to set up this ITAR-compliant data enclave. Now, what that often translates to is: I'm going to go buy Office 365 GCC High and I'm going to set up some SharePoint Online document libraries or Teams where I'm going to instruct my employees, "save your ITAR stuff there." Now, if you look at the other end of the spectrum, it would say: okay, well, our entire organization has exposure to controlled unclassified information, even if it's only five percent of your user population that would have day-to-day data handling. But now you have this whole concept of saying that you're going all in, and your entire user population, your company intranet, all your personal data would all migrate into GCC High. And then of course there's somewhere in the middle, especially if you're in the process of migrating.

And why is that? We just talked about that briefly. This is going through agonizing discussions with many of the large defense contractors, right. It's like, you know, the cost of GCC High is of course quite a bit of an uplift; we can't discount it in most cases, or in any case. If you look at commercial, it has more feature capabilities, etc., historically, so that's given a lot of incentive for customers to be in commercial versus GCC High. However, the exposure to data spillage into the personal data is extremely high. In fact, I've had customers say that over 90 percent of their spill remediation isn't where they tell people to put ITAR data; it's inside of their own email mailbox, it's inside of their My Documents. And you have to go find that, and the more people that you have involved in going and finding that data and doing remediation, the larger your spill is, right. So it's almost like an insurance policy to say, if I move all of my users within the US Sovereign Cloud, now we have our entire user population, even the ones that don't necessarily need it, within the highest level in terms of the compliance boundary. Now you can still have people within your organization that are foreign nationals or shouldn't have access to ITAR, but at least if it gets spilled into, let's just say, a foreign national's mailbox in your tenant, the platform itself at least hits that high bar for compliance.

Now, I'm running out of time. I would love to delve into this a lot more. I'd like to say this last bullet point is not to be overlooked: if you have your entire organization within GCC High and you go through the certification process for CMMC, there are a lot of assumptions, especially the adoption of the system security plan from Microsoft, that would simplify that certification process. If you are straddling both commercial and GCC High at the same time, now you have a lot more complexities in terms of data protection and so forth to explain, in how you manage those two environments.

Let's hear from Richard. [Applause]