Microsoft Gets the Pentagon’s Highest Cloud Security Rating for Unclassified Data

By Phil Goldstein as written on fedtechmagazine.com

Last month, the Defense Department gave Microsoft’s Azure Government cloud platform its highest certification in terms of security for unclassified data.

In a company blog post, Tom Keane, general manager for Microsoft Azure, noted that Azure Government is “the first commercial cloud service to be awarded an Information Impact Level 5 DoD Provisional Authorization by the Defense Information Systems Agency (DISA).”

Such an authorization allows all DOD customers to use Azure Government for the most sensitive controlled unclassified information (CUI), including CUI of National Security Systems. FCW reports that Microsoft already held FedRAMP High, FedRAMP Moderate and FedRAMP Accelerated approvals under the General Services Administration's Federal Risk and Authorization Management Program.

“This achievement is the result of the collective efforts of Microsoft, DISA and its mission partners to work through requirements pertaining to the adoption of cloud computing for infrastructure, platform and productivity across the DOD enterprise,” Keane noted.

ACHIEVING A HIGH LEVEL OF CLOUD SECURITY

According to a March 2016 DISA guide on cloud computing security guidelines, “CUI is information the federal government creates or possesses that a law, regulation, or governmentwide policy requires, or specifically permits, an agency to handle by means of safeguarding or dissemination controls.”

CUI can encompass numerous kinds of information, including unclassified information concerning items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect U.S. national security and nonproliferation objectives.

This includes dual-use items; items identified in Export Administration Regulations, International Traffic in Arms Regulations and the munitions list; license applications; and sensitive nuclear technology information.

CUI can also include Personally Identifiable Information, Protected Health Information; and other data requiring explicit CUI designation (i.e., For Official Use Only, Official Use Only, Law Enforcement Sensitive, Critical Infrastructure Information, and Sensitive Security Information).

Level 4 authorization accommodates CUI or other mission critical data, according to DISA. Level 5 accommodates CUI that requires a higher level of protection than that afforded by Level 4 as deemed necessary by the information owner, public law or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS specific requirements in the FedRAMP +Control and Control Enhancements.

IMPLICATIONS OF THE CLOUD SECURITY AUTHORIZATION

Microsoft has had to set up separate cloud infrastructure to achieve the certification. Keane noted that Information Impact Level 5 “requires processing in dedicated infrastructure that ensures physical separation of DOD customers from non-DoD customers.”

Keane added that DOD authorizing officials can use the Azure Government authorization “as a baseline for input into their authorization decisions on behalf of mission owner systems using the Azure Government cloud DOD Region.”

According to FCW, “the company said it has built multiple data centers to provide DOD with exclusive services for Azure and Office 365 U.S. Government Defense services.”

Over the past few months, Microsoft ran a preview program with more than 50 customers across the Pentagon, including all branches of the military, unified combatant commands and defense agencies.

“We are thrilled to announce the general availability of the DOD Region to all validated DoD customers,” Keane said. “Key services covering compute, storage, networking and database are available today with full service level agreements and dedicated Azure Government support.”

Katell Thielemann, research director for the public sector and U.S. federal government at Gartner, told MeriTalk that the approval is significant for both industry and the government “in that it sends a strong signal that companies like Microsoft are taking both security and Federal-specific requirements very seriously.”

“The FedRAMP and DISA review processes are stringent, lengthy, and costly. Federal agencies, and the DoD specifically, are looking for ways to leverage all the benefits of the cloud, but their mission environments demand high levels of data protection and security,” Thielemann said.

[vc_row][vc_column][vc_column_text]

Employee devices bring added security concerns

By Cindy Bates

The explosion in recent years of mobility solutions and ‘bring your own device’ policies has had a big impact on small businesses.

In fact, 52 percent of information workers across 17 countries report using three or more devices for work, according to research from Forrester and 61 percent of workers mix personal and work on their devices.

On one hand, there are huge benefits for organizations and employees — employees can be far more productive and work on the go with untethered access to the information they need. Business owners can also realize cost savings while reducing the time spent managing IT.  Yet, there are risks: namely, how do businesses protect confidential information from leaking outside of the organization when employees can access and store data in a multitude of ways across devices.

When employees use personal devices for work, they can be mishandled inadvertently, like an accidental forward of a confidential mail, or in more nefarious ways, such as a hacker gaining access to confidential information through stolen credentials.  According to a Verizon data breach investigation report, 75 percent of network intrusions used weak or stolen credentials to gain access.

It’s important to have a strong device policy in place but even when the rules are clear, there is room left for costly errors. CEB found that as many as 93 percent of employees admit to violating information security policies. That means, depending on your business, there is a wide variety of data that could be at risk.  It may be customers’ personally identifiable information, such as in healthcare, retail or financial institutions, or company confidential information, such as trade secrets, company financials, or employee records.  With so much data available, traditional company firewalls and perimeter solutions no longer suffice to protect confidential information wherever it lives.  Today, many small businesses are cobbling together a number of solutions to attempt to solve this problem.  But none tie it all together until now.

Microsoft has developed Microsoft Enterprise Mobility Suite (EMS), which is the only comprehensive solution that protects information assets across four layers: user identity, content, applications & cloud services, and devices.  When combined with Office 365, it offers native protection for applications and services. Best of all, it’s about half the cost of competitive solutions. Not only is EMS flexible and easy to integrate, it offers enterprise-grade security for small businesses. Key security features include:

• Threat detection: Detect abnormal user behavior, suspicious activities, known malicious attacks and security issues right away.

• Conditional access: Control access to applications and other corporate resources like email and files with policy-based conditions that evaluate criteria such as device health, user location etc.

• Single sign-on: Sign in once to cloud and on-premises web apps from any device. Pre-integrated support for Salesforce, Concur, Workday, and thousands more popular SaaS apps.

To Learn More about Professional Services, contact us at 800-208-3617

Network Assessment & Technology Roadmap

[/vc_column_text][/vc_column][/vc_row]