Unpacking the Microsoft Security Stack for CMMC

Shel Philips: Hi, everyone. Shel Philips here. It’s great to see you again. As always, I’m on a mission to shed light on the complex world of cybersecurity, particularly focusing on CMMC and compliance methodologies. I’m excited to have one of my good buddies from Covenant Global with me today. He’s the technical yin to my compliance yang, Mike Hughes, our CTO. We often call him “Mike-rosoft Expert,” and today we will dive into Understanding Microsoft’s Security Stack for CMMC Compliance. Welcome, Mike!

Mike Hughes: Thanks, Shel. Happy to be here.

Shel Philips: Today, we’re diving into cybersecurity stacks. So, Mike, let’s start with the basics. What is a security stack, and why does Covenant Global prefer Microsoft?

Mike Hughes: Great question, Shel. A security stack encompasses all the components that protect your data, applications, user accounts, and devices. It’s essentially about protecting business and customer data that may or may not be sensitive or confidential. At Covenant Global, we’ve focused on the Microsoft security stack because it provides an integrated solution. Over the past 20 years, we’ve evolved from piecing together various components to adopting Microsoft’s comprehensive security stack about five years ago. This shift has simplified training, labor costs, management, and response to security events.

Shel Philips: Interesting. Can you elaborate on the components of this Microsoft security stack?

Mike Hughes: Sure thing.

Key components include:

  1. Identity Management: Tools like Windows Active Directory and Entra ID (Azure Active Directory) help manage user access controls and security groups.
  2. Device Protection: Protecting against vulnerabilities on devices and applications managed by tools like Intune.
  3. Endpoint Management: Ensuring devices are patched and secure is especially important in a mobile workforce.
  4. Data Protection: Classifying and encrypting data, whether on-premises or in the cloud, using Microsoft’s sensitive data indexing and classification tools.
  5. Logging and Telemetry: Tools like Defender for Endpoint provide extensive logging and vulnerability management.

These components are designed to work seamlessly together, providing robust protection across the board.

Shel Philips: That’s a lot of information, Mike. What about licensing? How does one ensure they are properly licensed to meet CMMC requirements?

Mike Hughes: That’s a good question. Licensing can be complex, but for CMMC compliance, we recommend the Microsoft 365 G5 license. This package includes components like Intune, Defender for Endpoint, and advanced identity protection. For frontline workers with lighter needs, the F3 + F5 Security and Compliance licenses are cost-effective. Choosing the right licenses is crucial to ensure proper coverage and compliance.

Shel Philips: Thanks for breaking that down. Can you explain what “hardening” the stack means and how Covenant Global approaches it?

Mike Hughes: Absolutely. Hardening the stack involves configuring your environment to meet compliance requirements, such as those outlined in NIST 800-171. This includes securing user identities, devices, and emails, as well as using tools like Intune and Defender products to enforce security policies. Our approach at Covenant Global involves a comprehensive process we call Fortify, which covers over 600 aspects of Microsoft 365 security. This ensures our clients’ environments are secure and compliant.

Shel Philips: That’s a brimful, Mike! We’re out of time, but I appreciate you sharing your expertise. We’ll need to dive deeper in future sessions.

Mike Hughes: My pleasure, Shel. Looking forward to it.

Shel Philips: Thanks, Mike. And thank you, everyone, for joining us. Subscribe to our YouTube channel for more insights on cybersecurity and compliance. Until next time!
