Microsoft Government Cloud Security for Federal Data Protection

Cloud security is imperative for government contractors, outside agencies, and small government entities that need to secure critical information and handle all sensitive data under a high level of scrutiny. These entities have an important responsibility to properly secure controlled unclassified information (CUI) and other sensitive government data held in their cloud in order to ensure compliance with federal regulations. However, keeping this data secure can feel like an uphill battle given the increasing threat of cyber-attacks. Fortunately, with Microsoft’s Azure Government — which is present in GCC and GCC High installations — Microsoft provides a layered level of security that can help protect all of that valuable data. Azure Government provides users with a range of critical features and services that can be used to build cloud solutions that meet their data security and compliance needs.

Let’s look at how Microsoft’s Azure Government security works, and how it can help government entities or entities associated with the government (such as federal contractors and sub-contractors) protect their sensitive data in the cloud.

Microsoft Government Cloud Solutions

Currently, Microsoft has a host of solutions available for government entities and contractors. Whether you need advanced applications for government via Azure Government, or you need a government-friendly version of Microsoft 365 via GCC or GCC High, Microsoft has shown superb levels of dedication towards the government sector.

In fact, Microsoft’s investments in cloud security, particularly those targeting the federal government and Department of Defense (DoD), led to it being one of four companies chosen by the Pentagon for a DoD cloud computing contract worth up to $9 billion. This puts Microsoft in an incredible position to continue to build its government-side cloud solutions. But how do they do it? What makes Microsoft’s solutions so attractive to DoD and government entities?

Well, part of it has to do with security. Not only do government contractors have to deal with tons of sensitive information, but they are under scrutiny to meet certain compliance requirements. Fortunately, Microsoft has done a fantastic job of baking all of those compliances directly into its underlying security structure.

The result is a profoundly secure set of solutions that still provide the same level of functionality and ease of use that Microsoft customers are accustomed to. If your organization has strict compliance requirements that you must meet and you’re looking for a government cloud computing partner you can trust to keep your data secure, keep reading to learn more about how Microsoft can help.

Understanding Microsoft Government Cloud Security

With Azure Government and Microsoft GCC and GCC High solutions being deployed across government sectors, let’s look at how Microsoft has built such an incredibly secure government-ready foundation for these solutions.

Currently, five levels of security are baked into Microsoft’s government cloud services to provide maximum data security and compliance support including:

  1. Physical security
  2. Encryption
  3. Security Keys
  4. Isolation
  5. Screening

Each of these elements is separately handled, and they all come together to form the incredibly secure government ecosystem that Microsoft has produced. Below we will look at how each of these security levels works and the role they play in providing enhanced government cloud security.

Physical Security

When you think of cloud security, the first thing that comes to mind is the digital steps Microsoft must take to enhance its cyber security posture. However, contrary to popular belief, Microsoft’s security efforts aren’t entirely digital. After all, if threat actors can physically access data stored on Microsoft’s cloud servers, then no amount of digital architecture can keep your data secure. As a result, Microsoft’s data centers are jam-packed with security measures that ensure user data is physically protected. All Microsoft data centers have:

  • High-security perimeter fences with 24/7 surveillance
  • Vehicle checkpoints
  • Restricted access
  • Security cameras
  • World-class entrance and access control procedures
  • A multi-factor biometric entry point
  • Full-body metal detectors
  • On-site hard drive destruction
  • 24/7 interior and exterior protection
  • and plenty more.

In total, Microsoft invests over $1 billion in platform security each year, and part of that is directly reflected on-site with incredibly restricted access and plenty of security touchpoints. In fact, Microsoft takes extreme measures to ensure the physical security of its data centers, such as by conducting periodic physical security reviews of these facilities to ensure they meet security standards. Additionally, government cloud data is kept at separate locations from regular cloud data, and extra steps are taken to ensure compliance such as investing in rigorous third-party audits.

Encryption

By encrypting all cloud data across multiple channels, Microsoft helps ensure that all sensitive data is protected against unwarranted access, increasing the security of your overall cloud environment. Only entities with access to encryption keys can access your data, and deleting or revoking these keys renders encrypted data inaccessible.

In total, government cloud data is encrypted at two levels.

  1. At Rest: Using both Storage Service Encryption (enabled at the storage account level) and client-side encryption (available through the Java and .NET client libraries), all of the data held in storage (at rest) is fully encrypted using multiple encryption keys.
  2. In Transit: To keep data safe while it’s in transit, Microsoft uses a variety of encryption processes that support the Transport Layer Security (TLS) 1.2 protocol as well as X.509 PKI. To remain compliant with government security needs, Microsoft also employs Federal Information Processing Standard (FIPS) 140-2 Level 1 validated encryption for government servers. These processes help isolate your network traffic from other traffic and protect it from interception, helping to keep data secure in transit.

Security Keys

While encryption of data plays a critical role in data security, security keys add an additional layer of protection for secrets (i.e., passwords, usernames, etc.) and keys. To do this, Microsoft utilizes Azure Key Vault, which helps to protect all of these keys and secrets. For government servers, all security keys are stored in FIPS 140-2 Level 2 validated hardware security modules, which adds additional security.

Note that you will still need to manually ensure that no unauthorized person has access to keys. Typically, the problem arises when someone is involved in a government project but is later removed from it. Make sure that you apply the appropriate role-based access control measures so that people who have been removed are no longer able to access information. When used properly, Azure Key Vault can play a critical role in minimizing the risk of secrets being exposed.
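The offboarding check described above can be automated. The following is an added example, not Microsoft's or Agile IT's code: it assumes a Key Vault using the Azure RBAC permission model, takes role assignments shaped like the JSON that `az role assignment list --scope <vault-id>` returns (the field names used here are assumptions about that output), and compares them against a project roster and an approved-application list to flag assignments that should be revoked. The vault scope, people and application names are constructed sample data.

```python
"""Offboarding audit for Azure Key Vault role assignments (added example).

Flags sensitive Key Vault data-plane role assignments held by users who are
no longer on the project roster or by service principals that are not on an
approved list, and emits the `az role assignment delete` command for each.
"""
from dataclasses import dataclass

# Built-in Azure roles that grant access to secrets, keys or certificates.
# Which roles count as "sensitive" is this example's choice, not an Azure setting.
SENSITIVE_ROLES = {
    "Key Vault Administrator",
    "Key Vault Secrets Officer",
    "Key Vault Secrets User",
    "Key Vault Crypto Officer",
    "Key Vault Crypto User",
    "Key Vault Certificates Officer",
}

# Placeholder scope; a real audit would use the vault's resource ID.
VAULT_SCOPE = ("/subscriptions/<sub-id>/resourceGroups/<rg>"
               "/providers/Microsoft.KeyVault/vaults/<vault-name>")

# Constructed sample assignments in the assumed shape of `az role assignment list` output.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Key Vault Secrets Officer", "scope": VAULT_SCOPE},
    {"principalName": "bob@contoso.example", "principalType": "User",       # removed from project
     "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_SCOPE},
    {"principalName": "carol@contoso.example", "principalType": "User",     # Reader is not sensitive
     "roleDefinitionName": "Reader", "scope": VAULT_SCOPE},
    {"principalName": "payroll-app", "principalType": "ServicePrincipal",   # approved app
     "roleDefinitionName": "Key Vault Crypto User", "scope": VAULT_SCOPE},
    {"principalName": "old-pipeline", "principalType": "ServicePrincipal",  # not approved
     "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_SCOPE},
    {"principalName": "project-admins", "principalType": "Group",           # needs membership review
     "roleDefinitionName": "Key Vault Administrator", "scope": VAULT_SCOPE},
]
SAMPLE_ROSTER = ["alice@contoso.example", "carol@contoso.example"]
SAMPLE_APPS = ["payroll-app"]


@dataclass(frozen=True)
class Finding:
    principal_name: str
    role: str
    scope: str
    reason: str


def audit_assignments(assignments, active_members, approved_apps=()):
    """Return a Finding for every sensitive assignment no current member or approved app justifies."""
    active = {m.lower() for m in active_members}
    apps = {a.lower() for a in approved_apps}
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in SENSITIVE_ROLES:
            continue  # read-only control-plane roles do not expose secret material
        name = a.get("principalName", "")
        ptype = a.get("principalType", "User")
        if ptype == "User" and name.lower() not in active:
            findings.append(Finding(name, role, a["scope"], "user no longer on project roster"))
        elif ptype == "ServicePrincipal" and name.lower() not in apps:
            findings.append(Finding(name, role, a["scope"], "service principal not on approved list"))
        elif ptype == "Group":
            # Group assignments hide the real membership; review the group rather than delete it.
            findings.append(Finding(name, role, a["scope"], "group assignment; verify membership separately"))
    return findings


def revoke_commands(findings):
    """Build the Azure CLI command that removes each flagged assignment (review before running)."""
    return [
        f'az role assignment delete --assignee "{f.principal_name}" '
        f'--role "{f.role}" --scope "{f.scope}"'
        for f in findings
    ]


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_ROSTER, SAMPLE_APPS):
        print(f"{f.principal_name:25} {f.role:30} {f.reason}")
    for cmd in revoke_commands(audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_ROSTER, SAMPLE_APPS)):
        print(cmd)
```

Run the audit on each project change rather than only at offboarding time, and treat the group finding as a prompt to review the group's membership in Microsoft Entra ID, since deleting a group assignment would also remove access for people who still belong on the project.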

Isolation

While physical security certainly acts as a form of isolation, Microsoft also has built-in digital isolation protocols to ensure that no customer’s data ever crosses over into another customer’s environment. To do this, Microsoft isolates:

  • Hypervisor
  • Root OS
  • Fabric Controllers
  • VLAN
  • Packet Filtering
  • Guest VMs

Plus, you can always adjust your isolation settings either through your subscription itself or through your resource group. By isolating data through the use of trust boundaries, segmentation, and containers, Azure Government ensures that data access is limited to only authorized users, applications, and services.

Screening

Finally, Microsoft acts in accordance with FedRAMP High and the Department of Defense (DoD) by screening all of the data center operators at a Tier 3 Investigation as defined by Section 5.6.2.2 (Page 77) of the DoD Cloud Computing SRG. This means that anyone who could come in contact with physical servers or customer data will be checked across the following measures:

  • U.S. citizenship
  • Fingerprint background checks that are repeated every 5 years
  • SSN search and criminal history check
  • Credit Checks
  • Detailed background checks before hiring
  • Office of Foreign Assets Control (OFAC) list
  • Office of Defense Trade Controls Debarred Persons list
  • Bureau of Industry and Security (BIS) list
  • Criminal Justice Information Services check: a background check that is issued state by state

These screenings help protect the security of your data by ensuring that anyone with access to Microsoft’s servers meets rigorous standards and background checks.

Let Agile IT Help You Choose the Right Microsoft Government Cloud Services for Your Organization

As you can see, Microsoft has invested extensive resources into its government security solutions. With physical, digital, and compliance-related security measures, Azure Government Cloud has never been easier or safer. But what if you’re a government contractor or other entity who deals with government work and you don’t have the resources or time to scale into a large government cloud solution like Microsoft?

We can help you scale right into GCC or GCC High no matter how small you are. So, go ahead! Contact us today. Let’s get you set up with your new Microsoft GCC or GCC High environment so that you can work safer, smarter, and better.

