Not all workers are found sitting in an office cube behind a computer. Some employees, such as those who work on the shop floor, do not spend their day answering e-mail, working spreadsheets, or updating Word documents. These firstline workers typically do not possess a dedicated company-owned device (laptop/desktop) but still need access to company content.
Providing the appropriate level of access and, where appropriate, restricting access to data is key to finding the right balance between security/compliance and costs. Considering the cost of a Microsoft 365 E5, or even E3, license, organizations can save substantial amounts on licensing costs if they can restrict access appropriately.
The key to deploying strategies that involve lower-level licenses while meeting compliance requirements is to carefully review what information users will have access to. By clearly defining the level of access, you can determine who is, and who is not, authorized to access CUI. This, combined with effective governance strategies, can lower costs and reduce the attack surface while maintaining compliance.
As organizations evaluate the proper strategy, they must consider the employees’ role, the data they should access, and, just as importantly, the data they could access. Some questions to guide the conversation include:
This blog walks through several user scenarios and suggests a strategy for each use case, going from the least amount of access to the most access.
In some cases, companies decide that users simply do not need access to company content. The nature of their job doesn’t require them to have an email account or access to Teams or SharePoint. This is simple and straightforward, as no access means no licensing is needed.
We see many cases where a company establishes an e-mail account for employees, but communications are either implicitly or explicitly limited to internal communications. The goal here is to maintain a channel to communicate administrative notices, while not incurring the expense of a full license.
From a practical perspective, many companies want and need all employees to have some level of access to company content. However, by the nature of their role, they may not need access to CUI data within Microsoft 365. In this scenario, access is enabled to Microsoft 365 services such as e-mail, OneDrive, Teams, and SharePoint. However, administrative measures must be deployed to ensure these users are not exposed to CUI. Technologies used to support this include:
This is perhaps the hardest scenario to deploy because the organization is essentially setting a system boundary within the Microsoft 365 environment and must configure methods to actively prevent internal users from accessing CUI.
In this scenario, employees have access to the full suite of collaboration services (e-mail, OneDrive, Teams, SharePoint) and are authorized to access CUI data. This allows the organization to maintain the system boundaries at the perimeter of the system and significantly eases the administrative burden of regulating the flow of CUI within the environment.
As the collaborative side of Microsoft Teams gains adoption, many work roles and use-cases can evolve from e-mail into chat-based communications. Teams offers the advantage of persistent chat as well as expanded capabilities such as file access, Planner and more.
With this approach, companies must adjust policies around workplace communications and make sure they are compliant with all HR-related requirements. However, this approach brings the organization into today’s preferred communication methods for the younger generation and can enhance productivity.
Not every employee needs a full Microsoft 365 G5 license. However, the more you restrict access to data with the goal of reducing licensing costs, the more you will increase the administrative burden to enforce policies, and/or progressively limit the employees’ access to corporate resources.
Finding the right balance between security, compliance, and licensing starts with evaluating the data users can and need to access. Combined with the appetite and ability to enforce system boundaries within the Microsoft 365 environment, the right licensing strategy can be deployed to achieve that balance.
Our team at C3 Integrated Solutions has worked with over 100 defense industry clients to help meet this challenge and we can help you design the right licensing strategy for all of your employees. Contact us today at email@example.com to learn how we can help you build the right strategy.
 Employees may still access CUI-related content such as drawings, technical specifications, etc., from file shares or other sources.
 While users may not need access to CUI regularly, they are protected in the event that they are exposed to CUI.