It’s here! It’s finally here! Well, sort of…
Microsoft recently announced at its Build Conference that collaboration across clouds is (finally) in public preview. Cross cloud collaboration allows organizations in different clouds (i.e. Commercial, GCC, GCC High) to share information with one another. This has been the single biggest impediment to government cloud adoption (in addition to costs).
By design, the GCC High version of Microsoft 365 was intended to be isolated from Commercial. The business case for GCC High was driven, in part, by the requirement to secure data that had data sovereignty controls. To meet this requirement, GCC High was deployed in Azure Government which operated in a completely separate version of Azure AD.
In layman’s terms, this essentially resulted in two versions of Azure AD that didn’t “talk” to one another and as a result, couldn’t authenticate to each other. No authentication meant no collaboration. From a theoretical perspective, this made complete sense since the intent was, well, to isolate the data.
However, when implemented, the practical applications were less than ideal. As it turns out, just because companies hold some data that requires data sovereignty (i.e. export controls), not all their data requires export controls. Companies have robust supply chains and regularly team with other companies with varying degrees of collaboration, which don’t always require exchange export controls, or even CUI for that matter. Conversely, companies that are deploying in Commercial still need to share information with partners that are in GCC High.
Consider the following examples of different data exchanges:
Public: The marketing vendor needs to get updated public facing collateral.
CUI: A subcontractor needs access to personnel data analysis including PII for a trending analysis.
CUI Specified: A subcontractor needs the design specifications of a sensitive (read: ITAR) electronics component.
Each example requires collaboration between companies, but each has both different sensitivity AND compliance requirements. If all the companies were in the Commercial version of Microsoft 365, they could leverage Azure B2B to support federation and then share data effortlessly. However, when companies are in different clouds, that exchange of information has thus far been severely restricted.
In May, Microsoft rolled out native meeting participation through the Teams app. This eliminated the need to attend meetings in the Web browser when participating with a host in a different cloud. Teams 1:1 chat, VoIP, and video calls are also available with Federation as is presence.
With this new cross-cloud collaboration rollout, business to business (B2B) capabilities will be available between customers in commercial and U.S. government clouds, with some initial limitations. This allows companies to provision guest accounts for sharing in the same manner previously available within the same cloud (cross-tenant), trusting authentication from partner organizations (i.e. who the user is), while maintaining control of authorization to content (i.e. what the user can access).
Previously, the only sharing method available was one-time passcode (OTP) access to SharePoint Online and OneDrive for Business, with limited ability to control which external companies’ users could share. Now, guest accounts can be added to Microsoft Teams, Microsoft 365 groups, SharePoint sites, and Web applications, allowing external sharing and collaboration with these authenticated guests. Here is what is available in the current preview.
Cross-Tenant Settings: Control which external organizations and users can be invited as guests, and trust settings for multi-factor authentication (MFA) and device compliance.
SharePoint Online: Share files, folders, list times, document libraries, and sites with external users, using Azure B2B for authentication and management.
Microsoft Teams: Add guests to Teams to allow access to content and document sharing. Teams Channel access and authenticated meeting join are on the roadmap and will be available in future updates.
Content Encryption: While encrypting e-mail messages cross-cloud with Office Message Encryption (OME) to protect sensitive data is available today, Microsoft Information Protection (MIP) cross-cloud encryption is on the roadmap and will be available in a future update. MIP encrypted items are currently protected but cannot be accessed cross-cloud.
External Access Packages: Manage guest account lifecycle with provisioning, reviews, approvals, packaged access, and expiration for different scenarios or partners.
While the initial version of cross-cloud focuses on content sharing through SharePoint Online, OneDrive for Business, and Microsoft Teams, additional guest access scenarios are expected to become available in the future.
One important area to note is that while you can validate device compliance, you are only able to validate the compliance settings of the external tenant. This underlines the importance of validating their settings and ensuring “compliant device” means the same to them as it does to you.
So, cross collaboration is here, we can open up everything and call it a day, right?
Not so fast. Remember our examples above? Although users can share data across clouds, it doesn’t mean they should necessarily share any data across the clouds. The challenge now becomes how to manage and control the flow of CUI, especially CUI Specified (CUI that has incremental requirements such as data sovereignty), to only organizations that are “trusted” to hold that data. This requires a thoughtful approach to data governance that balances security and practicality.
Companies that plan to share across clouds need to develop a strategy for minimizing the risk of unintended spillage. This would include:
We’ll cover each of these topics in subsequent blog posts and as well as a series of upcoming webinars. In the meantime, if you are interested in learning more about cross-cloud collaboration and strategies to mitigate the risk associated with it, please contact us at email@example.com.