Summit 7 Team Blogs

Peeling Back the Onion: Microsoft Security for Government Contractors

After several conversations with government contractors of varying sizes (from a 25-person company to one of 1,000) and with differing customer portfolios and data types (CUI, CDI, ITAR), I continue to group the security best practices and the corresponding technologies into four distinct but overlapping layers.

Sure, you can build a complex web of all of these and get into the interconnectivity of it all, but most of our conversations involve CSOs, COOs, CTOs, CEOs and other department leads who are simply not interested in that level of detail. Complexity doesn't always translate to compliance. Moreover, many leaders want to better understand how their Microsoft security investments translate into ROI and risk management.

Here is a four-part conversation that covers each layer.

Part 1: Identity Management

For reference, the NIST SP 800-171 controls that apply to MFA are:

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.


Part 2: Tenant Security


Part 3: Endpoint Security (or Container Security)


Part 4: Governance