
Designing Secure, Compliant Networks for Government Contractors: Leveraging Microsoft GCC High and Azure

  • toolbox chromos
  • Apr 16

Updated: Apr 17

Abstract

Network design has changed dramatically over the past decade, driven by innovation in cloud technologies and security approaches such as Zero-trust; Microsoft is a leading competitor in the Cloud and Security industries. A cloud-only, serverless environment leveraging Azure and GCC High can offer many benefits to government contracting companies, including increased collaboration and security. Leveraging Microsoft’s current suite of solutions can help organizations implement technical controls and frameworks. Organizations can use Microsoft’s Zero-Trust model, which leverages Intune and Endpoint Manager to achieve compliance with frameworks such as NIST SP 800-171. Microsoft’s paid solutions give the smaller IT/IS departments found at defense contractors the capability to securely administer the network and provide employees with collaboration tools, virtualization, and DevOps capabilities.

Technical Controls and Frameworks from Microsoft

Zero-trust is a big buzzword in the technology industry these days. One of the best ways to answer the question "What is Zero-trust?" is to start with the analogy that Zero-trust is the modernized version of defense-in-depth. "Zero Trust is a security model that assumes breach and requires verification for every request regardless of user or location. With Endpoint Manager and Intune, IT admins can set policies that verify devices, identities, apps, and services before granting access" (Microsoft, 2021).


Layered approaches to network defense can be implemented using Microsoft's Zero-trust framework. Just one example is conditional access policies, such as requiring different types of MFA verification depending on the IP address of the resource access request.

"Intune includes endpoint protection features like conditional access policies and Windows Defender, as well as a zero-trust security model that only grants access based on device health and compliance" (PC Mag, 2021).


Microsoft equips admins to adequately defend their networks by design, with built-in controls to effectively implement Zero-trust. This is essential to modern DoD contractors' network design. "Endpoint Manager provides features that enable government contractors to meet compliance requirements such as NIST SP 800-171, including the ability to enforce BitLocker encryption and to manage and monitor device compliance status" (Microsoft, 2020). The technical controls of the Cybersecurity Maturity Model Certification (CMMC) are based on NIST SP 800-171, and many contractors will be subject to CMMC in order to handle Controlled Unclassified Information (CUI).


Intelligent data and log tracking is necessary for defense contractors to protect their networks and should be part of their design discussions early on. Microsoft's cloud provides subscriptions and solutions to achieve data and log tracking, such as Sentinel.

"Sentinel is a cloud-native security information and event management (SIEM) service that provides intelligent security analytics and threat intelligence across the enterprise" (PC Mag, 2021). Sentinel is just one of the products Microsoft provides for log collection and network defense. When coupled with products such as Purview by Microsoft, data integrity can be assured. "Azure Purview helps organizations understand and manage their data across their entire data estate and simplify compliance with regulatory requirements" (Microsoft, n.d.).


Technical controls will always help harden a network defense, but the backbone of any network will be its human personnel. When it comes to network design and defending that network, employee education must be considered. Phishing simulations or other attack simulations can greatly help in the education of employees, quickly spreading awareness. Microsoft thought of this with their "Attack Simulator": "Attack Simulator is a feature in Microsoft Defender for Office 365 that lets IT teams run simulated attacks against their users to identify vulnerabilities and help users learn how to spot and avoid real attacks" (Microsoft, 2021).

Collaboration and Communication

Microsoft provides a comprehensive solution for collaboration and communication with their commercial and GCC High tenants. The GCC High tenants are the ideal choice for government contracting companies, though, because they allow for the storage of CUI if proper technical controls are implemented on the tenant. Microsoft Teams provides various communication capabilities on one platform; coupled with OneDrive and SharePoint, it makes cross-collaboration on data extremely easy. "Teams is a collaboration app with a workspace that includes chat, video meetings, file storage, and collaboration on files" (PC Mag, 2021).


Coupling Teams with OneDrive allows for secure file storage and collaboration, sharing documents with someone and working in real-time on the document together, tracking each other's place and changes. "OneDrive helps teams share and work together on documents and files from anywhere while maintaining version control and access controls" (Microsoft, 2021). On GCC High tenants, this means having the capability to work on CUI data in a very collaborative manner; GCC High is an important part of Microsoft's Security. "Microsoft Teams and other Microsoft 365 apps are available in GCC High, providing government contractors with powerful collaboration and communication tools while maintaining strict security controls" (Microsoft, 2021). Using Microsoft's cloud product allows for the centralization of your data, enabling IT Administrators to focus on securing one entity, the GCC High tenant. "OneDrive and Teams allowed staff to collaborate and share information securely, even while working remotely, while also improving efficiency by providing a centralized location for documents and information" (Microsoft, n.d.).


Virtualization and Cloud Computing

Microsoft Azure provides a vast range of virtualization and cloud computing capabilities, with a portfolio that includes solutions from AI app development to machine learning hosting. The cloud provides scalability at the click of a button that on-premises infrastructure cannot provide. Serverless computing also provides greater flexibility than traditional infrastructure, as users only pay for the resources they actually use. This means that government contracting companies can more easily adjust their computing resources to meet changing business needs, without incurring unnecessary expenses.


"The serverless model is a great fit for government agencies because it offers a lot of benefits that traditional infrastructure can't match. In a serverless fully cloud environment, agencies can scale up their infrastructure to meet demand and then scale back down when demand subsides. Additionally, serverless computing offers more flexibility than traditional infrastructure, since users only pay for what they use. Finally, serverless computing can save money since users do not need to continuously invest in expensive hardware or software. Overall, the serverless model is a good fit for government agencies looking to modernize their infrastructure and reduce costs" (Microsoft, n.d.).


Setting up a fully compliant system that adheres to NIST frameworks such as NIST SP 800-171 can be challenging for contractors trying to build such a network at other cloud providers; Microsoft has made it easier with their GCC High tenant licensing. "Azure and GCC High provide government contractors with a secure and compliant cloud computing platform that can help them meet strict regulatory requirements. Azure offers a wide range of security features, including built-in compliance controls, advanced threat protection, and identity and access management tools. GCC High is a government-only cloud environment that meets stringent security and compliance requirements. By leveraging Azure and GCC High, government contractors can create a layered defense strategy that includes virtualization and other security features to help protect against cyber-attacks" (Microsoft, 2020).

Security and Compliance

Defense contractors working to defend the nation by developing cutting-edge technologies or research must take the most comprehensive approach possible to their network design to protect sensitive data. Government agencies have strict regulations surrounding specific data sets such as CUI to protect the nation's security. Data breaches and cyber attacks against defense contractors can lead to the exposure of sensitive data that could harm the nation's defense. Defense companies must comply with and prioritize security certifications such as CMMC. "The US government has outlined strict cybersecurity requirements for contractors that handle sensitive information. The rules mandate that contractors adopt security measures to protect that information, including proper training and incident response planning, and comply with federal requirements for incident reporting. Failure to meet these requirements can result in significant financial and reputational damage" (CSO, 2021). GCC High from Microsoft is a government-only cloud environment, and Microsoft works to keep it that way by putting organizations through a rigorous procedure before they receive the licensing.


GCC High meets the requirements of NIST SP 800-171, assuring organizations that hold this licensing and tenant that their data is compliant with the correct technical controls. Another unique part of the GCC High licensing is that it restricts the storage of data to US data centers and US persons. Microsoft provides the most comprehensive and secure out-of-the-box "network." "Protecting data in the cloud is critical for all organizations, but it is especially important for those that handle sensitive data, such as government contractors. Microsoft's cloud solutions offer a comprehensive approach to security and compliance, with features such as Azure AD Identity Protection and Azure Information Protection. These tools help protect against a wide range of threats, including phishing, malware, and insider threats, while also ensuring that sensitive data is protected and properly managed. Additionally, Microsoft offers a range of compliance certifications, including SOC 1, SOC 2, and ISO 27001, to demonstrate their commitment to security and compliance" (CDW, 2021).


DevOps and Automation

Developing secure DevOps practices and adhering to industry best practices can be challenging for smaller organizations, but Microsoft’s frameworks for Azure DevOps and Azure Automation can greatly maximize the capabilities of a single IT Administrator. The automation capabilities from Azure are included but are also factored into the overall pricing model Microsoft Azure provides, which is a premium product when considering all the Microsoft capabilities end-users and IT Administrators are able to leverage. "DevOps and automation are critical for government contracting companies, especially those with smaller IT departments. By leveraging these practices and tools, these companies can increase efficiency, improve software quality, and keep pace with technological changes, ultimately leading to improved customer satisfaction and success in the marketplace" (Sungard AS, 2021). Automation enhances the quality being provided and thus the security of the overall DevOps environment.


"Microsoft's cloud solutions offer a range of tools and frameworks for DevOps and automation, including Azure DevOps and Azure Automation. These tools enable government contracting companies to automate manual processes, streamline software development and deployment, and improve the quality and speed of software releases. Additionally, Azure DevOps and Azure Automation are designed to be highly scalable and adaptable, making them ideal for companies of all sizes and with varying levels of IT resources" (CDW, 2021). Coupled with the security of GCC High tenants, government contractors have the ability to build and host secure apps that have various sensitive domains of capability.


Licensing and Cost

Many smaller defense contracting companies struggle with IT funding and IT department staffing. Microsoft’s Azure provides a one-stop shop for many industry solutions, but this comes at a premium cost. The premium cost can be associated with the comprehensiveness of the solutions Microsoft provides. The pricing for the GCC High C5 subscription plan starts at $110/user/month. This premium cost is mostly because of the exclusivity of the GCC High tenant as a government-only cloud. Before organizations can join the GCC High tenant, they are reviewed by Microsoft to ensure eligibility. Some organizations might be concerned with the monthly costs associated with the licensing; however, organizations should consider the security and compliance features that are also included, which in the long term will provide cost savings and other benefits. Below are the features that come with the GCC High C5 subscription plan:

 

  • Microsoft 365 GCC High: This includes access to Microsoft's suite of productivity tools such as Word, Excel, PowerPoint, and Teams, as well as email and file storage services.

  • Azure Government: This provides a secure and compliant cloud platform for hosting applications and data.

  • Azure Government Secret: This provides an even higher level of security and compliance for classified data.

  • Azure Active Directory (AAD) P2: This provides advanced identity and access management features, such as identity protection and risk-based conditional access policies.

  • Azure Information Protection (AIP) P2: This provides advanced data classification and protection features, such as automatic classification based on sensitivity, labeling, and encryption.

 

 

Open-Source Solutions

There are many open-source solutions available for defense contractors to leverage, but these projects require a vast range of knowledge in many different domains to be able to adequately deploy and administer them. Forum support is often cited by backers of open-source solutions, and it is a good example to examine, since it might not be suitable for government contractors to reach out for support via a forum. Solutions such as Red Hat are also typically discussed, but it should be noted that Red Hat stems from open-source projects such as CentOS and Debian yet is not free; it is a paid solution just like Azure Cloud by Microsoft. "Benefits of open source include greater agility and flexibility, reduced vendor lock-in, more rapid development, access to a wider talent pool, greater transparency, and lower costs. Challenges of open source include potentially increased risk of security vulnerabilities, difficulty finding and retaining expertise, greater complexity, integration challenges, less predictable timelines, and more difficult to customize" (Red Hat, n.d.).


This does not mean that there is no opportunity to use open-source projects when leveraging Microsoft’s Azure cloud; it just highlights why defense contractors should use Microsoft’s GCC High tenant as their network’s design backbone. Virtual Machines on Azure can be deployed using Linux distributions. "Linux on Azure allows you to use your preferred Linux distribution, such as Ubuntu, CentOS, Debian, and Red Hat Enterprise Linux (RHEL). You can choose to deploy these operating systems as virtual machines, containers, or use Azure App Service to deploy web applications that use Linux as their hosting platform. Additionally, you can use the Azure Marketplace to discover and deploy popular open-source software solutions, such as MySQL, PostgreSQL, and Cassandra, to meet your business needs" (Microsoft Azure, n.d.). Overall, the best approach for security is to leverage Azure compute on GCC High as the backbone of the network design, which will still allow for open-source projects and distributions to be used as needed or justified on Virtual Machines.


Case Study Example

BlueHaven Group is a government Defense Contracting company that currently leverages a GCC High Tenant. Not only do they leverage a GCC High Tenant, but they also have a full cloud environment. By adopting a fully cloud environment, BlueHaven Group has been able to reduce costs on onsite networking equipment at their office and on server hardware infrastructure. Take a look at the diagram below, which explains how devices leverage Azure AD as opposed to on-prem AD:



[Diagram: devices leveraging Azure AD as opposed to on-prem AD] (Microsoft, 2021)


Migration to GCC High can be challenging and was challenging for BlueHaven Group. The migration began with identifying the on-premise solutions, such as Active Directory, and identifying the corresponding cloud-based solutions that would replace them, Azure Active Directory in this case. After all the required services were identified, a swing migration was performed by setting up a new GCC-High Tenant and then migrating users in groups to the new Azure Government Cloud.


One of the main benefits immediately seen by BlueHaven Group was the security; their entire environment was now serverless, only dependent on the cloud. Their “umbrella” for security was now only the GCC High Tenant they set up. This tenant meets the stringent security and compliance requirements for government defense contracting. BlueHaven Group now also receives key network insights from Azure AD Identity Protection and Azure Information Protection. The licensing costs at first were high for the organization to face, but two years into the licensing structure, there was no need to replace physical servers on-premise, leading to the cost savings the cloud provides. BlueHaven Group successfully implemented a serverless and fully cloud environment in GCC High and is now benefiting from improved security, scalability, flexibility, and cost savings.


Conclusion

Microsoft is the premier cloud provider, offering comprehensive solutions that span LDAP, collaboration, communication, security, and virtualization with government clients in mind. Their GCC High Tenant provides many companies like BlueHaven Group with a secure cloud environment that meets stringent security and compliance requirements. BlueHaven Group created a layered defense strategy to protect against cyber-attacks by combining Azure's security features and GCC High tenant. Automation with Azure DevOps and Azure Automation enhances the quality and security of the overall DevOps environment, not only at BlueHaven Group but at other contracting companies. The licensing costs for the GCC High tenant may look high initially. However, the benefits of the comprehensive security features and cost savings of the cloud in the long term outweigh the costs, providing system assurance. Leveraging Microsoft's Azure cloud and their GCC High tenant is the backbone of creating a network design that provides government contracting companies with the capabilities to work with sensitive data collaboratively and protect it from cyber threats.

 

References

CSO. (2021). Cybersecurity requirements for federal contractors. https://www.csoonline.com/article/3516403/cybersecurity-requirements-for-federal-contractors.html

Gallagher, S. (2021). Microsoft's Azure Cloud Has Security Tools, Too. Wired. https://www.wired.com/story/microsoft-azure-cloud-security-tools/

Microsoft. (2021). How the Department of Energy moved to remote work with Microsoft 365. https://www.microsoft.com/en-us/microsoft-365/blog/2021/04/01/how-the-department-of-energy-moved-to-remote-work-with-microsoft-365/

Microsoft. (2021). Microsoft Teams meetings now available in GCC High environments. https://www.microsoft.com/en-us/microsoft-365/blog/2021/01/14/microsoft-teams-meetings-now-available-in-gcc-high-environments/

Microsoft. (2021). Using Attack Simulator in Microsoft Defender for Office 365 to test your phishing awareness. https://techcommunity.microsoft.com/t5/security-compliance-and-identity/using-attack-simulator-in-microsoft-defender-for-office-365-to/ba-p/2272749

Microsoft. (2021). Zero Trust security for the new normal of work is now available with Microsoft Endpoint Manager. https://www.microsoft.com/en-us/microsoft-365/blog/2021/04/27/zero-trust-security-for-the-new-normal-of-work-is-now-available-with-microsoft-endpoint-manager/

Microsoft. (n.d.). Azure Purview. https://azure.microsoft.com/en-us/services/purview/

Microsoft. (n.d.). Serverless computing in government. https://azure.microsoft.com/en-us/industries/government/serverless-computing/

Microsoft. (2020). How Endpoint Manager helps government contractors meet compliance requirements. https://www.microsoft.com/en-us/microsoft-365/blog/2020/11/18/how-endpoint-manager-helps-government-contractors-meet-compliance-requirements/

PC Mag. (2021). Microsoft Azure Sentinel Review. https://www.pcmag.com/reviews/microsoft-azure-sentinel

PC Mag. (2021). Microsoft Intune Review. https://www.pcmag.com/reviews/microsoft-intune

PC Mag. (2021). Microsoft Teams Review. https://www.pcmag.com/reviews/microsoft-teams

 
 
 