Understanding Microsoft Government Cloud Security

Cloud security is imperative for government contractors, outside agencies, and small government entities that need to secure critical information and contain all sensitive data with high levels of scrutiny. Indeed, with Microsoft’s Azure Government Security — which is present in GCC and GCC High installations — Microsoft provides a layered level of security that can help protect all of that valuable data.

Today, let’s look at how Microsofts GovCloud security works and how it can help government entities or entities associated with government work protect their information.

Microsoft Government Solutions

Currently, Microsoft has a host of solutions available for government entities and contractors. Whether you need advanced government for applications via Azure Government or you need a government-friendly version of Office 365 via GCC or GCC High, Microsoft has shown superb levels of dedication towards the government sector.

In fact, Microsoft’s investments into the government and DoD sector recently landed them a $1.76 billion DoD contract. And, with an $8 billion Pentagon deal on the way and a vested interest in the upcoming JEDI contract, Microsoft is in an incredible position to continue to build their government-side cloud solutions.

But, how do they do it? What makes Microsoft’s solutions so attractive to DoD and government entities?

Well, part of it has to do with security. Not only do governments contractors have to deal with tons of sensitive information, but they are under scrutiny from compliance. Microsoft has done a fantastic job of baking all of those compliances directly into its underlying security structure.

The result is a profoundly secure set of solutions that still provide the same level of functionality and ease-of-use that Microsoft customers are accustomed to.

Understanding Microsoft Government Cloud Security

Partners discussing new plans with government cloud security. With Azure Government and Microsoft GCC and GCC High solutions being deployed across government sectors, let’s look at how Microsoft has built such an incredibly secure government-ready foundation for these solutions. In fact, here are five levels of security baked into Microsoft’s government cloud services.

  1. Physical security
  2. Encryption
  3. Security Keys
  4. Isolation
  5. Screening

Each of these elements is separately handled, and they all come together to form the incredibly secure government ecosystem that Microsoft has produced.

Physical Security

Contrary to popular belief, Microsoft’s security efforts aren’t entirely digital. After all, if threat actors can physically access data stored in Microsoft’s cloud servers, then no amount of digital architecture can keep your data secured. As a result, Microsoft’s data centers are jam-packed with security efforts. Data centers have:

  • High-security perimeter fences with 24/7 surveillance
  • Vehicle checkpoints
  • Restricted access
  • Security cameras
  • World-class entrance and access control procedures
  • A multi-factor biometric entry point
  • Full body metal detectors
  • On-site hard drive destruction
  • 24/7 interior and exterior protection
  • and plenty more.

In total, Microsoft is investing over $1 billion in platform security, and part of that is directly reflected on-site with incredibly restricted access and plenty of security touchpoints.


By encrypting all cloud data across multiple channels, Microsoft helps ensure that all sensitive data is protected against unwarranted access. In total, government cloud data is encrypted at two levels.

  1. At Rest: Utilizing both storage service encryptions (this is added at the account level) and client-side encryption (this is built into the Java and .NET frameworks) all of the data held in storage (or at rest) is fully encrypted.
  2. In Transit: To keep data safe when it’s in transit, Microsoft utilizes a variety of encryption processes that support Transport Level Security (TLS) 1.2 protocol as well as X.509 KPI. To remain compliant to government security needs, Microsoft also employs the Federal Information Processing Standard (FIPS) 140-2 Level 1 encryption for government servers.

Security Keys

While encryption of data plays a critical role in data security, security keys add an additional layer of protection for secrets (i.e., passwords, usernames, etc.) and keys. To do this, Microsoft utilizes Azure Key Vault, which helps to protect all of these keys and secrets. For government servers, all security keys are stored in FIPS 140-2 Level 2 validated hardware security modules, which adds additional security.

Note that you will still need to manually assure that no unauthorized person has access to keys. Typically, this happens when someone is invested in a government project but is later removed. Make sure that you utilize the appropriate role-based access control measures to prevent those who have been removed from still being capable of accessing information.


While physical security certainly acts as a form of isolation, Microsoft also has built-in digital isolation protocols to ensure that no two customers ever deal with data cross-over. To do this, Microsoft isolates:

  • Hypervisor
  • Root OS
  • Fabric Controllers
  • VLAN
  • Packet Filtering
  • Guest VMs

Plus, you can always adjust your isolation settings either through your subscription itself or through your resource group.


Finally, Microsoft acts in accordance with  FedRAMP High and Department of Defense (DoD) Impact Level 4 accreditation by screening all of the data center operators through NACLC — which means that all of those in contact with the physical servers will be checked across the following measures.

  • U.S. citizenship
  • Fingerprint background check that’s implemented every 5 years
  • SSN and criminal history check
  • Office of Foreign Assets Control list (OFAC)
  • Office of Defense Trade Controls Debarred Persons list
  • Bureau of Industry and Security list (BIS)
  • Criminal Justice Information Services check — which is a background check that is issues state-by-state.


As you can see, Microsoft has invested time and resources into its government security solutions. With physical, digital, and compliance-related security measures, government cloud has never been easier or safer. But, what if you’re a government contractor or other entity who deals with government work and you don’t have the resources or time to scale into a large government cloud solution like Microsofts? After all, you have to have over 500 seats to even think about GCC or GCC High, right?

What if we told you that AgileIT is now one of only six Microsoft Partners that has been approved to resell GCC and GCC High to those with under 500 seats?

It’s true!

We can help you scale right into GCC or GCC High no matter how small you are. So, go ahead! Contact us. Let’s get you set up with your new Microsoft GCC or GCC High environment so that you can work safer, smarter, and better.

Request a Quote


Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?


Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon Sales@AgileIT.com

Don’t want to wait for us to get back to you?