In May 2018, the Crown Commercial Service announced a new Digital Transformation Agreement, developed in collaboration with Microsoft, to promote and achieve a Cloud-first vision for the UK Public Sector and enable greater access and discounts to Microsoft Cloud technologies.
Key to supporting Public Sector organisations achieving a cost-effective, secure and productive Cloud-first strategy is promoting and supporting the move to Microsoft 365.
So, what is Microsoft 365 and how can it benefit the UK Public Sector?
What is Microsoft 365?
Microsoft 365 is an intelligent solution available in a few different bundles, which combines Windows 10, Office 365, Enterprise and Mobility Security (EMS), as well as leveraging services in Azure which integrate seamlessly to deliver a complete, productive and secure solution for your workplace.
It is sold on a subscription basis, with Enterprise customers having a choice of E3 or E5, with E5 possessing more advanced security features and several additional applications.
By combining Windows 10, Office 365 and EMS, organisations can enjoy an integrated, secure and productive IT experience, which takes advantage of the benefits of Cloud computing while proactively combatting a range of security threats, with extensive granularity to control permissions and controls around data, user authentication, detection and remediation.
These features cover key aspects of security, including Identity and Access Management, Information Protection, Threat Protection and Compliance. Various features and services are built in to Microsoft 365, as well as leveraging services within Azure, Active Directory, advanced Microsoft Intune features and the Intelligent Security Graph.
Providing Office 365 Advanced Threat Protection (ATP), Office 365 Advanced Compliance, Windows Defender ATP (E5) and Enterprise Mobility + Security (EMS) E5, the SCP enables compliance with various industry specific regulations without the cost of an E5 agreement.
Public Sector organisations on E3 will have access to features such as Office 365 Advanced Threat Protection (ATP), Office 365 Advanced Compliance, Windows Defender ATP (E5) and Enterprise Mobility + Security (EMS) E5, which is being looked at by many public sector organisations to support with various industry specific regulations such as PSN, CESG / NCSC and GDPR compliance.
Public Sector organisations licenced for Microsoft 365 E3 but who require the security and compliance features available on E5, can take advantage of the Security and Compliance package (SCP), which sits between E3 and E5 in pricing but licenses the advanced security features of E5.
Why do you need it?
Public Sector organisations are as much a target for cybersecurity attacks as their Private Sector counterparts. An additional challenge for the Public Sector is balancing significant budget constraints with finding the necessary investment and expertise to stay ahead of ever-changing, sophisticated and intensified security threats.
The Cloud has changed the way we consume computing services and therefore how we work, so it must also inform and advance the way we perceive and approach security. Traditional on-premise systems would utilise the likes of firewalls, proxy and other forms of perimeter security to keep threats out, representing a largely reactive policy unsuitable for the realities of a Cloud based, mobile and open world. Furthermore, changes in data protection regulations, such as GDPR, impacts upon the obligations and processes that organisations must fulfil.
Users are now spread across the globe, in transit or in remote locations, but still in need of secure and reliable access to networks and data from a variety of devices. There has therefore been a shift toward securing each users identity and constantly monitoring their access to systems and platforms, as well as more detailed analysis of device and user behaviour.
While this is an opportunity to create unprecedented connectivity and collaboration, when neglected or done badly it is a huge opportunity for hackers to breach a system. Securing identity is therefore the new perimeter in the age of Cloud consumption of computing services.
Microsoft 365 E5 comes with a host of advanced features that have been built in to Windows 10, Office 365 and Azure, as opposed to being built on. Increasing vigilance and proactivity to your IT security by acknowledging the new reality of security in the age of Cloud, Microsoft 365 offers an integrated group of services built upon getting the identity question right.
Security must be proactive, analytical, responsive and intuitive, to hunt for threats and find them before they strike. When a threat is identified, features such as Advanced Threat Detection and the Microsoft Intelligent Security Graph do not just identify and report, but can act to neutralise the threat automatically by sharing it with the connected community in the Cloud.
Many organisations use multiple security vendors to meet their security requirements. Microsoft 365 gains its strength from its integration, with the services, features and applications built to communicate and secure your system from the ground up. In addition, deployment and integration is simplified as third-party platforms, applications and services can also be secured by Microsoft 365 E5.
Microsoft operate over 200 services globally, which together equate to 350 billion daily authentications, scan billions of URLs and analyse over 400 Billion emails every month, plus much more. These signals and telemetry are captured and fed back to Microsoft’s Intelligent Security Graph, analysing identities, location, device and behaviour in one place and is put to work to proactively identify and remediate threats.
Each identity in the Intelligent Security Graph is assigned a risk score based on how that identity is used, with user and device behaviour being fed back and impacting upon the risk score. Policies can be defined to use this information to block certain identities manually when the risk score increases, or by setting automated access controls to automatically block users or devices if risk score is increased.
As mentioned earlier, the Cloud first vision for the UK Public Sector is supported by a collaboration with Microsoft, to provide a clear and manageable adoption of Cloud computing. Microsoft 365 reduces the need for multiple vendors to supply key services by providing an integrated solution. The pricing of the new Security and Compliance Package makes the advanced security features of Microsoft 365 E5 more affordable, while long-term Microsoft partners such as Core can provide much needed Managed Service support to maintain Microsoft 365 end to end, including security.
Microsoft 365 E5 strikes a crucial coalescence between advanced security and productivity, integrating modern enterprise security within its platforms, services and applications to protect, detect and remediate threats in Cloud-based computing, without exhausting the user and risking shortcuts or bad processes.
While the Cloud has delivered significant opportunities and a range of benefits, it also necessitates an alteration to our approach to security.
Microsoft 365 not only acknowledges this reality, but provides an integrated solution to combat it, while harnessing the data produced by Microsoft’s global services, programs and applications to protect all identities and users in the Intelligent Security Graph.
How can Core help?
Core are a highly accredited Microsoft Gold Partner, specialising in driving quick consumption of Microsoft 365 with IP Co-Sell solutions and Managed Services. Core currently manage areas of IT for Central and Local Government organisations, including complex identity and access management solutions, Cloud based environments and connectivity. More than 30,000 users in 57 countries already use Core’s Azure hosted services every day.
With the Digital Transformation Agreement setting a clear route towards Microsoft Cloud technologies for the Public Sector, Core can act as a single vendor to support organisations with this transition and the ongoing management of these services to ensure a productive, modern and secure IT enterprise.
Our Managed Services can support all aspects of Microsoft 365 E5, taking the administrative pain away from IT and allowing organisations to consume IT as a service. This releases internal resources to focus on innovation and achieving business critical goals, while Core focus on optimising your IT and driving value from technology investments.
Microsoft 365 comes with features and services which require consistent and expert management and support, necessitating a range of specialisms that some Public Sector organisations may not have internally. Furthermore, some organisations may simply be unable to dedicate internal resources to solely focus on securing their IT environment, risking a lack of attention on key security considerations that the sector is facing.
Furthermore, threats can strike 24 hours a day, 365 days of the year. Monitoring a system to this extent would take significant resources, while training, maintaining and replacing a team to perform this function can be a time-consuming and expensive exercise. Core operate a 24/7×365 service desk, which utilises ISO 20000 best practices, is ISO 27001 compliant and operated by BPSS certified staff, who are provided with ITIL Service Management best practice, while some are SC Cleared.
By outsourcing aspects of your IT to Core, internal resources can focus on innovation, growth and other business critical tasks, with responsibility and risk for security, compliance and any breaches that may occur outsourced to a supplier with the expertise and resources to meet demands.