This is the seventh installment in a series addressing the challenges facing the DoD as it moves into Microsoft 365.
As the DoD begins to move off the CVR environment into a more permanent Microsoft 365 environment, key challenges will arise around how it manages and secures data, especially Controlled Unclassified Information (CUI). Fortunately, some concepts that are being developed within the Defense Industrial Base (DIB) can help guide the way.
Background
The Cybersecurity Maturity Model Certification (CMMC) is currently rolling out to the DIB and will “go live” on November 30th of this year. With the advent of this new program, renewed emphasis has been placed on securing CUI across all layers of the supply chain. Among the controls that contractors need to adhere to are those designed to “control the flow of CUI.”
To meet this challenge, many contractors are turning to Microsoft 365 and, typically, the GCC High instance. This version of the platform resides in Azure Government and can be a good indicator of how the service will perform for the DoD.
While the Microsoft 365 platform has great tools such as Data Loss Prevention and Azure Information Protection, those tools generally aim to protect content at the file level. This is a critical aspect of protecting CUI both inside and outside the system boundaries.
However, strong data governance programs are only as good as the technology that enables them. To fully control data, admins need some control over “where” the data lives. By layering in a level of protection at the workspace level (i.e. Teams, SharePoint), organizations can reduce the exposure of CUI and gain important governance control over their data.
CMMC Provides a Path
C3 supports clients every day that are working hard to meet the requirements of CMMC. This includes (among other things) setting access control policies, securing devices, and deploying advanced firewalls. But perhaps one of the biggest challenges is securing the flow of CUI data in their environments.
We see this play out in companies that have a wide range of needs for their workforce. Some sites, like their intranet, are intended to be employee-facing with wide access. Some Microsoft Teams are related to business development and by their nature need external access. Still others hold company-sensitive information that requires an additional level of security which translates to restricted membership and no external sharing. Getting all of this under control requires a strong data governance strategy.
Empowering Users While Maintaining Control
Smart data governance includes both identifying CUI data and ensuring that the workspaces that store it are managed appropriately. One way to approach this challenge is to look at where CUI is stored and manage it at the workspace (i.e. Team and SharePoint site) level.
When we deploy data governance techniques to the workspace, we can apply controls to ensure that data repositories can be managed effectively. AvePoint’s Governance toolset applies a “governance overlay” that takes control of the individual workspace (e.g. Team, SharePoint Site) and gives the flexibility to have multiple “flavors” of Teams.
As we work with DIB clients, we see the daily challenges that organizations face delivering a governance strategy that empowers collaboration and information sharing while simultaneously protecting the company’s most sensitive data. C3, with our partner AvePoint’s Cloud Governance solution, gives admins control while enabling collaboration. We’ve outlined some of these challenges below, along with the approach we took to solve them:
Challenge: Decentralize Provisioning
The larger the organization, the harder it is to centralize administrative functions for Microsoft Teams and SharePoint. The volume of requests becomes unwieldy and too inefficient to occupy a single person’s time. This is especially challenging when organizations have multiple divisions.
Example: A manufacturing firm has multiple lines of business, each with its own operating division. Some are commercial, some are defense-related. The defense division may have labeling requirements and limits on external sharing that do not apply to the commercial division.
Solution: With AvePoint’s Governance solutions we can select users that can be empowered to create Teams within boundaries defined by the organization. This allows us to address the unique needs of each division without having to apply a one-size-fits-all approach.
Challenge: Control Membership
Once a Team is provisioned, membership sprawl is a constant challenge. Even when membership is controlled by Owners, casual link sharing can expose data beyond the intended boundaries.
Example: John in marketing needs access to the design team to check on the latest testing results. He’s friends with Bob, the Owner, who shares access rather than reporting those updates to him. By sharing the workspace or admitting John to the Team, Bob has given John access to all of its content, including content he is not authorized to see such as designs, construction details, etc.
Solution: Restrict membership to only those within a security group or select individuals. By doing this, any unauthorized sharing attempts will be blocked and reported.
Challenge: Inadvertent Sharing
Anyone with experience in Microsoft 365 knows that it’s very easy to accidentally share a site or Team to the wrong individual.
Example: John Smith might be the best welder the shipyard has, but he probably is not authorized to see all of the ship’s designs.
Solution: With restricted membership, this can be eliminated because John Smith isn’t part of the security group that is authorized to have access.
Challenge: Data Classification
This is the big one. Owners should know in advance whether a Team or SharePoint site will contain CUI data when it is provisioned.
Example: The Community Service Team should be open to all personnel, and data about the unit’s volunteer opportunities should be free to be widely shared. However, the unit’s readiness report is probably sensitive information. As such, it needs to be labeled “CUI” and live in a Team that is clearly marked.
Solution: Microsoft Teams and their content can be classified and labeled as defined by the data governance policy. The Community Service Team can be labeled “public” while the Readiness Team can be labeled “Readiness – Restricted – CUI.”
Challenge: Recertification
Owners should conduct a regular review of members to ensure that the list of personnel who can access a Team is current and kept to the minimum necessary. No one has to explain how the constant rotation of personnel throughout the system can create a mess of lingering access to workspaces that should have been terminated.
Example: A large project has multiple vendors that rotate on and off the project regularly, creating a constant flux of users assigned to the effort.
Solution: With recertification, Team owners are asked at regular intervals to affirm whether all Team members still should have access to a Team. This institutes a process as well as documentation that Teams are limited to only those that should be authorized for them.
Challenge: Reporting
As the saying goes, “You can only expect what you inspect,” and this is certainly true with compliance. A key component of any policy is the ability to report on its effectiveness and adherence.
Solution: Audit reports can be obtained and reviewed at regular intervals providing both a review opportunity as well as an artifact for compliance audits.
Challenge: Lifecycle Management
Good data governance includes a Lifecycle Management Plan. Periodic reviews or certain events (for example, the end of a contract) should initiate an archiving process that may even include the deletion of the workspace. This eliminates sprawl and reduces clutter, which in turn also reduces the attack surface of the environment.
Example: A contract expires and there either isn’t a renewal, or the company loses the project. As part of the wind-down, the Team should be decommissioned.
Solution: With lifecycle management, we can raise alerts based on usage, time, and other factors that trigger a review of whether the workspace is still needed.
Applications in the DoD
With the DoD services (USA, USAF, USN, USMC) moving into their own Microsoft 365 tenants and DISA providing its own tenant for multiple commands and agencies, it’s more critical than ever to deploy smart, practical methods to secure Teams and Sites. These must be built in a way that allows a distributed workforce to provision and maintain its own workspaces while maintaining the proper security controls.
Each of the examples above can easily be envisioned as a corresponding challenge to the DoD. The business unit could just as easily be Army Materiel Command as a manufacturing company. John Smith could just as easily be an E5 as a welder. The DoD project could be a battalion’s deployment.
AvePoint’s governance tools can bring structure to Microsoft Teams and SharePoint in a way that empowers users to their full collaboration potential while maintaining good data governance principles.