One of the profiles that we often see when working with clients involves staff augmentation firms.  For these companies, people are – quite literally – the product.  Their employees work at a government location, use government equipment, and operate almost entirely outside of their employer’s corporate IT network.

While these workers are found in cubicles, they typically do not possess a dedicated company-owned device (laptop/desktop) and more likely use a laptop or desktop managed by the government agency they are assigned to.  This is another example of firstline workers.  Because of their user profile, providing the appropriate level of access, and where appropriate restricting access to data, is key to finding the right balance between security, compliance and costs.

As a managed service provider with a wide array of government contractor clients, we’ve seen organizations where 90%+ of the company fits this profile.  Therefore, when considering the cost of a Microsoft 365 G5, or even G3, license, organizations can save substantial amounts on licensing if they smartly manage data access and restrict it appropriately.  Many of these strategies parallel a similar use-case that we outlined recently for factory workers.

Setting Boundaries

The key to deploying strategies that involve lower-level licenses while meeting compliance requirements is to carefully review what information users will have access to.  By clearly defining the level of access, you can determine who is, and who is not, authorized to access CUI.  This, combined with effective governance strategies, can lower costs and reduce the attack surface while maintaining compliance.

As organizations evaluate the proper strategy for protecting CUI, they must consider the employees’ role, the data they should access, and, just as importantly, the data they could access.  Some questions to guide the conversation include:

  • What workloads do employees need access to?
  • In what situations will (or could) they be exposed to CUI?
  • What devices do they use to access data?
  • Do they need to communicate outside the organization?
  • How will you protect the flow of CUI within the Microsoft 365 system?
  • How will you detect and respond to unintended spillage?

This blog will walk through several user scenarios and then suggest strategies to meet this use-case going from the least amount of access to the most access.

Example #1: No Access

In some cases, companies decide that users simply do not need access to company content.  The nature of their job doesn’t require them to have an e-mail account or access to Teams or SharePoint.  This is simple and straightforward, as no access means no licensing is needed.

Benefits: Reduces user counts, IT costs, administrative burden and attack surface.

Drawbacks: Maintaining communications with employees can prove to be difficult.  Simple administrative messages (e.g., benefits, scheduling and company notices) rely on maintaining personal e-mail addresses and navigating any concerns around sending privacy-related information to employees.

Licensing Impact: No licenses are needed.

Example #2: Internal E-mail Only

We see many cases where a company establishes an e-mail account for employees, but communications are either implicitly or explicitly limited to internal communications.  The goal here is to maintain a channel to communicate administrative notices, while not incurring the expense of a full license.

Benefits: Companies establish a channel of communications, mostly for administrative notices and internal workflows.  Prohibiting external communications (both send and receive) maintains the system boundary as data is not transferred outside of the organization.

Drawbacks: Employees do not have access to OneDrive, Teams or SharePoint, which prevents them from participating in collaborative functions.  For example, a company intranet or a process redesign team is not an option for these employees.

Licensing Impact: Users can be assigned an e-mail-only license with either Plan 1 or Plan 2, depending on whether Data Loss Prevention or eDiscovery is required.

Example #3: Firstline Worker Access – No CUI

From a practical perspective, many companies want and need all employees to have some level of access to company content.  However, by the nature of their role, they may not need access to CUI data within Microsoft 365.[1]  In this scenario, access is enabled for Microsoft 365 services such as e-mail, OneDrive, Teams and SharePoint.  However, administrative measures must be deployed to ensure these users are not exposed to CUI.  Technologies used to support this include:

  • Data Loss Prevention
  • Data Labeling and Classification
  • Workspace Policies and Insight

This is perhaps the hardest scenario to deploy because the organization is essentially setting a system boundary within the Microsoft 365 environment and must configure methods to actively prevent internal users from accessing CUI.
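Maintaining an internal CUI boundary also means being able to show, from the access and sharing records, that non-authorized users never reached CUI.  The following is an added example (not from the original post or from C3 Integrated Solutions) that runs a simple spillage check over constructed, simplified access events: it assumes a sensitivity label named "CUI", a set of CUI workspaces, and a list of CUI-authorized users, all of which are illustrative placeholders.

```python
"""Spillage check over simplified access events (constructed sample data).

An event is considered CUI if the item carries the assumed "CUI" sensitivity
label or lives in a designated CUI workspace.  A finding is raised when a
non-authorized user touches such an item, or when CUI is sent or shared to a
non-authorized recipient (an internal system-boundary violation).
"""
from dataclasses import dataclass

CUI_LABEL = "CUI"  # assumed label name, not from the original post


@dataclass(frozen=True)
class AccessEvent:
    user: str               # actor (UPN)
    operation: str          # e.g. FileAccessed, SharingSet, Send
    label: str              # sensitivity label on the item, "" if none
    site: str               # workspace or mailbox holding the item
    recipients: tuple = ()  # for Send/SharingSet: who received it


def find_spillage(events, cui_authorized, cui_sites):
    """Return (principal, operation, reason) tuples for boundary violations."""
    findings = []
    for e in events:
        if e.label != CUI_LABEL and e.site not in cui_sites:
            continue  # not CUI, nothing to check
        if e.user not in cui_authorized:
            findings.append((e.user, e.operation, "unauthorized actor"))
        for r in e.recipients:
            if r not in cui_authorized:
                findings.append((r, e.operation, "unauthorized recipient"))
    return findings


# Constructed sample data: alice and carol are CUI-authorized, bob is an F3 user.
AUTHORIZED = frozenset({"alice@contoso.example", "carol@contoso.example"})
CUI_SITES = frozenset({"sites/Program-X"})
SAMPLE_EVENTS = (
    AccessEvent("alice@contoso.example", "FileAccessed", "CUI", "sites/Program-X"),
    AccessEvent("bob@contoso.example", "FileAccessed", "CUI", "sites/Program-X"),
    AccessEvent("alice@contoso.example", "SharingSet", "", "sites/Program-X",
                ("bob@contoso.example",)),
    AccessEvent("alice@contoso.example", "Send", "CUI", "mailbox/alice",
                ("carol@contoso.example",)),
    AccessEvent("bob@contoso.example", "FileAccessed", "General", "sites/Intranet"),
)


def run_sample():
    return find_spillage(SAMPLE_EVENTS, AUTHORIZED, CUI_SITES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Only two of the five constructed events are violations: bob opening a CUI file, and a CUI site item being shared to bob.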

Benefits: Employees can participate in non-CUI related activities and collaboration.

Drawbacks: Significant administrative burden to establish and maintain system boundaries within the interior of the environment.

Licensing Impact: The firstline worker licenses (F3) can be deployed to achieve access, but additional services may be required to maintain CUI system boundaries, especially at the workspace level.

Example #4: Firstline Worker CUI Access

In this scenario, employees have access to the full suite of collaboration services (e-mail, OneDrive, Teams, SharePoint) and are authorized to access CUI data.[2]  This allows the organization to maintain the system boundaries at the perimeter of the system and significantly eases the administrative burden of regulating the flow of CUI within the environment.

Benefits: Significant reduction of administrative burden allows the focus to be on managing and protecting the entire environment.

Drawbacks: More expensive from a licensing perspective.

Licensing Impact: Beyond the standard Microsoft F3 license, additional licenses are required to bring the security and compliance capabilities up to the equivalent of G5.

Bonus! Example #5: Teams Only

As the collaborative side of Microsoft Teams gains adoption, many work roles and use-cases can evolve from e-mail into chat-based communications.  Teams offers the advantage of persistent chat as well as expanded capabilities such as file access, Planner and more.

With this approach, companies must adjust policies around workplace communications and make sure they comply with all HR-related requirements.  However, this approach brings the organization into today’s preferred communication methods for the younger generation and can enhance productivity.

Benefits: Teams becomes the go-to source for broadcast, one-to-many, and one-to-one communications with employees.  With a “modern” approach to work, companies can foster collaboration and achieve greater productivity improvements, especially with younger workers.

Drawbacks: This approach requires a cultural shift away from dependence on e-mail for communications.  Changing culture is hard.  Depending on whether these users have access to CUI data, there will either be governance challenges or licensing costs.

Licensing Impact – No CUI:  If users are not authorized to access CUI, then the F1 license is a starting point.  However, this will present system boundary and governance challenges to ensure that workers cannot access CUI.  Note: auditors will want to see proof that these users cannot access CUI.

Licensing Impact – CUI Authorized: If the user is authorized to access CUI, there will be an additional license cost to augment the F1 license and add the capabilities required to achieve a compliant profile.

Not every employee needs a full Microsoft 365 G5 license.  However, the more you restrict access to data with the goal of reducing licensing costs, the more you will increase the administrative burden of enforcing policies and/or progressively limit employees’ access to corporate resources.

Finding the right balance between security, compliance, and licensing starts with evaluating the data users can and need to access.  Combined with the appetite and ability to enforce system boundaries within the Microsoft 365 environment, the right licensing strategy can be deployed to achieve that balance.

Our team at C3 Integrated Solutions has worked with over 100 defense industry clients to help meet this challenge. We can help you design the right licensing strategy for all your employees.  Contact us today at info@c3isit.com to learn how we can help you build the right strategy.

[1] Employees may still access CUI-related content such as drawings, technical specifications, etc. from file shares or other sources.

[2] While users may not need access to CUI regularly, they are protected in the event they are exposed to CUI.

Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. Bill is passionate about bringing cyber-awareness, and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.
