Hey y’all, thanks for stopping in for another episode of Dux Quax: The Road to #MSIgnite! For this episode, I’m on Microsoft’s Redmond campus again, this time with my good friend Brian Levenson. Watch, read, or both to hear us chat about all things public sector ahead of Microsoft Ignite 2017. I recommend attending Brian’s sessions for those of you who will be at the conference!
Dux: Hey everyone this is Dux and welcome back to another episode of Dux Quax. I’m still here on campus. I’m very excited to see my buddy Brian.
Brian: Hey, I’m Brian Levenson, Product Marketing Manager for Office 365 U.S. Government and Change Management.
Dux: Brian, it’s been kind of hot the past few days, right?
Brian: Oh goodness, yeah. We’re not used to this in Seattle so most of us don’t actually have air conditioning, we’re sleeping on beds of ice.
Dux: There you go. What’s your choice of drink for the hot weather?
Brian: Oh I’m a mocha guy.
Brian: So the question is just iced or hot.
Dux: I stopped by for lunch at a really cool Malaysian restaurant and they have bubble tea, I haven’t had these in forever.
Brian: Oh, sounds delicious.
Dux: Have you had bubble tea?
Brian: Not in a while, it’s been a long time.
Dux: Yeah, yeah. So it’s good. So listen, I know you do a lot for public sector, so why don’t you tell everybody what you do for Office 365, the customers you work with, and the cool stuff you guys are doing.
Brian: Yeah, absolutely. So my specialty within the Office 365 product marketing division is U.S. Government and that’s state and local, tribal, federal, civilian as well as the Department of Defense. So kind of the full U.S. government where we do have some unique offerings and even special clouds where we have a separate implementation of Office 365 in order to meet some of the more strict regulatory compliance.
Dux: Sure. And maybe a lot of people don’t know, but Microsoft, as far as I know, has the most certifications for any cloud environments worldwide and even in the U.S. right? I mean recently, late last year, you guys got the L5 certification for DOD and that’s huge.
Brian: That’s exactly right. So we’re really, really proud of the accreditations and the authorization that we’ve received, you totally nailed it, under the DOD Security Requirements Guideline or SRG. We do have offerings that meet SRG-L5, or level five, controls and requirements and we’re also both software as a service with Office 365 Dynamics, and then with Azure we offer IaaS and PaaS as well, and all deeply integrated meeting these high compliance levels is really a pretty cool thing that we’re quite proud of.
Dux: So for the benefit of those watching who may not be familiar, like how does that work? Right? So we know Office 365, we know all the workloads, but in the United States, like if I work for the government, a civilian, DOD or SLG or tribal nations, like, which one do I pick? How would I know? Can you break down the options that I have?
Brian: Absolutely. So, you know, I’d actually start with a little bit of a history lesson here, you know, history being five years maybe. But going back to the early days of BPOS, the Business Productivity Online Suite, that eventually evolved into Office 365. We had BPOS-D and BPOS-S, S for shared, the multi-tenanted model that we know and love, and BPOS-D for dedicated, which was an early implementation of the cloud. And we took BPOS-D and we ring-fenced these isolated environments with screened personnel. We called it BPOS-F for federal.
Dux: Got it.
Brian: And we made commitments around the compliance there, ITAR requirements for example.
Brian: Over time we evolved and we released Office 365. In the earlier days of Office 365, we then carved out capacity within our CONUS data centers, Continental United States…
Dux: Got it.
Brian: …for Exchange, for SharePoint, later for Lync, which has evolved into Skype, and we called that GCC or Government Community Cloud. So GCC is part of this global cloud where we commit to United States data residency, and it meets FedRAMP Moderate, it meets Criminal Justice requirements and federal tax requirements.
Dux: Sure. And for those not familiar, FedRAMP is a compliance by the U.S. federal government, essentially, you know, CliffsNotes version, if you decide to go to the cloud, the cloud provider should be FedRAMP Compliant, right?
Brian: Absolutely. And FedRAMP is based on some NIST outlines framework, so a lot of depth we can go into in compliance it’s…I like to tease my friends that the intersection of Microsoft and government is just acronyms pretty much.
Dux: There you go.
Brian: But, you know…
Dux: I’m still waiting for the acronym Run-DMC.
Brian: Exactly. So this was about 2012, we launched this GCC offering, and that’s been in the market since about then. Now, come 2016, we built what we refer to as a sovereign cloud, ground-up separate data center, separate network, separate directory, and this is Azure Government.
Dux: Got it.
Brian: On top of Azure Government, we’ve built a new implementation of Office 365. It’s not more secure but it does meet some of the higher compliance levels under the DOD’s SRG security requirements guidelines, under FedRAMP, so that’s where we have these offerings that are useful for the Department of Defense, for some of the military branches. It’s all non-classified data of course. But, yeah, that’s exactly right.
Dux: So, if I want to distinguish this, right…? So let’s say in the United States for just Office 365 for example, really there are, I would say in general three flavors that what we would call Office 365 public, for everybody else non-government, Office 365 GCC, that’s FedRAMP compliant and then the latest we need to describe Office 365…
Brian: Oh, yes. This new one is, we’ve actually just come up with some new names.
Dux: Okay. What’s the new name?
Brian: So we refer to it as GCC High…
Dux: GCC High?
Brian: …and DOD.
Dux: Got it.
Brian: We’re seeking to simplify, we’ve gone through a few different naming schemes which is why I kind of dumped in there.
Brian: Where GCC, FedRAMP Moderate, SIGUS [SP], IRS-2075 for Office 365, for Federal data, Criminal Justice Information, tax data. GCC High is aligned with the controls that are outlined in the security requirements guidelines of level 5. But it is a multi-tenant environment where we do make it available to federal agencies, to states, should they choose to be there.
Brian: But also to the defense industry…
Brian: …so a large segment of customers and companies in the world that are holding data on behalf of the DOD.
Dux: You know, I got to tell you Brian, when I learned about the pace and how fast government agencies are moving to the cloud, I was actually very, very impressed and encouraged because, you know, there’s this stereotype, right, “Oh, government is always the last to jump on technology,” but working with customers and understanding use cases, boy, they actually see the value of the cloud beyond just the traditional workload. A lot of the advanced workloads now, especially in Azure with things like cognitive services — AI, ML — people are thinking about that and how they can use this, at the end of the day, to better meet their mission.
Brian: Yeah, you’re exactly right. And it’s really, really cool to see, and it’s happening at all levels of government as well. You know, there’s examples for…like the city of L.A. uses some bots to respond to citizens’ questions. So if you’re asking a question to the city of L.A. you can reach out to their bot and it will go help parse through these massive data sets to give you information.
Dux: That’s awesome.
Brian: You don’t have to search through all the websites. And then at the federal level, with the recent executive order from President Trump, the American Innovations Council led by Jared Kushner, we’re really seeing a significant motion and movement within Federal Government, Department of Defense and states and cities and counties really truly looking at what can we gain from the Cloud, how can we take advantage of what for a lot of organizations has kind of become commoditized…?
Brian: …and really focusing on those missions, exactly like you said.
Dux: So for people watching, right? Maybe they’ve started their journey or they’re about to start their journey into the cloud, what advice would you give? Like how should they think? Because sometimes it may be too daunting, right? Overall like, “Wow, what should I start with? Do I start moving my e-mail? Or do I do? You know, different workloads based on business needs or organizational needs.” So, what’s a good step by step process for people to consider?
Brian: That’s a good question. And talk about daunting, you’re exactly right. When you’re in an organization that has massive amounts of data and maybe it’s grown organically over years and years, it really can be a daunting task. And, you know, I think about it in a couple of steps and honestly it’s not so different than a large enterprise organization. Fundamentally, the first step is, what do I have? What do I need to retain? And, what is outdated and can be gotten rid of?
Brian: In that preparation and planning as well also comes, what compliance do I require?
Brian: Am I satisfied with FedRAMP Moderate? Which does meet most of the needs of state and local government organizations. Or do I need FedRAMP High, am I going to indefinitely have to keep some content on premises? You know, generally speaking we have found that most organizations can move everything to the Cloud. And GCC with FedRAMP Moderate does meet most of their needs. But the very first step is, what do I have? And, what are my requirements?
Then the second part is really looking hard at an identity model, identity being not only the authentication aspect but also absolutely crucial to security of your data. We think about identity as being, should I have access to this information? So it’s the permissioning, it’s access to infrastructure, it’s absolutely crucial.
Dux: And even the type data, right? So to your first point, when I work with customers obviously there’s a mindset, do I move everything? But I agree with you. I mean, there may be content there that’s past retention already that, fine you can archive it somewhere or get rid of it, but it’s a good exercise.
And then for the information that you want to keep, the other key, I would suggest, activity that you do, is you do a content analysis because you may not know, especially in unstructured data, if there’s controlled workloads in there, information you wanna protect. And I believe that people are malicious and sometimes they’re just there, people didn’t know about it, and make sure you review these classified accordingly before you move it.
Brian: Yeah. That’s exactly the thought process that I tend to go through as well. And, you know, when you start to think about then, what workloads do move? Is it e-mail? Is it sites? Is it storage? I’ve seen different approaches from different agencies, different organizations. But kind of going back to one of the comments that you made that I heard a quote by…he was the former CTO of HUD, the Housing and Urban Development, and what he said was that they, at the time his agency, was really trying to focus on moving from commodity IT to mission IT.
Dux: There you go.
Brian: So they were trying to move and focus on moving to the cloud anything that they considered to be a commodity, email for example. And that’s really a great workflow to start with. First of all, from a user perspective I don’t know where my email is run and I don’t care. I know that to access email I go into Outlook, maybe I go into Outlook through the browser or on the desktop or my phone. But I don’t care as a user where that’s running. You can cut it over one night, repoint to my mailbox and then I don’t even know the difference.
Dux: As long as it works, I’m happy.
Brian: Exactly. The other that’s kind of similar is storage. So if you think about having massive network shares or tons of data stored on the local computer, moving that up into OneDrive for Business, moving it into the cloud into various solutions that’ll then integrate, really allows you to get out of managing all of that capacity in your data centers, and it also means that that data ends up becoming more discoverable, easier to manage with retention policies, data loss prevention, and so that also is where a lot of organizations start.
We’ve seen some start with OneDrive then moving these network shares, we’ve seen most honestly probably start with email right. And then once you’ve got email and storage in the cloud you start to get really cool integration scenarios, things like modern attachments where you attach a document to your email that looks and acts like an attachment but it’s actually just a link back and that’s awesome for business. And then you start to get adoption of these cross workloads and these true experiences and scenarios that become really powerful and start taking the cloud to levels where you couldn’t get before.
Dux: I mean simple things, right? Like presence.
Dux: So just in email I can see if Brian’s available or not. Or coauthoring. I mean, it’s funny, we take it for granted, but when I work with customers and I talk about coauthoring they’re like, “What? Multiple people can jump on a document and work at the same time? Not worry about emailing files back and forth?” I go, “Yep.”
Brian: Yeah. It’s incredible. We have, I believe, addressed Document fragmentation. When I send an email to 10 people with a document attached…
Brian: …normally I’d say, “Hey, give me some feedback.” I’ve sent it to 10 people, we now have 15 versions, they’re numbered 1 through 20 somehow, we’re trying to merge them, we’re overwriting each other. But with the modern attachments and with coauthoring we really all 10 of us can be literally writing the document at one single time.
Dux: It’s a one source of truth. Right.
Brian: It’s amazing.
Dux: Now, and the cool thing is, once customers move to the cloud, to the Office 365 environment, moving forward you guys have invested a lot in ensuring protecting data and governing data. The innovations around compliance center that provides data loss prevention, and extending capabilities in Azure, for example, EMS, Azure information protection to do auto classification, auto tagging, those are huge. And you know, for me at the end of the day the mantra I have is, how do you make it easy for users to do the right thing?
Brian: That’s exactly right.
Dux: Because you can throw every kind of policy in governance and document, and I won’t remember, right?
Dux: If we provide a way to automate governance, enforce policies, I think that moving towards that model will make it easier and provides less risk frankly to any type of exposure.
Brian: I think you’re exactly right. And, you know, it always sticks to me with this kind of this principle that Steve Jobs used to espouse, which is that if you have to go read the manual, you’ve made too difficult of a product. And I think of that is the same way as similar with the compliance documentation and data governance policy.
Brian: If I as a user have to go out of my way to try to remember these policies, not only is that a little bit of a hassle when people try to find shortcuts, not being malicious just trying to be productive, and also make mistakes. I should not be able to accidentally send an email with a list of Social Security numbers to the wrong person or accidentally forward a confidential email out of my organization.
Brian: So when you apply rights management or data loss prevention rules that automatically lock it down to only within the org, that type of thing make it really difficult to make a mistake, and a malicious act is very different.
Dux: But here’s the other benefit, right? Because Office 365 being a whole platform, I can define the policy one time in Compliance Center for example and say, “Okay, apply it on email, or on OneDrive, or on SharePoint.” In the past on-prem, I may have to have a bespoke solution for email, a different DLP solution for file storage and the effort, resources and time and maintenance, that’s just all gone.
Brian: Right. Exactly. And you’ve got consistent policies, you’re not getting policy drift in one direction or another. You’re absolutely right and it’s really, really a powerful technology that makes it easy as a user to not make mistakes.
Dux: So if customers, especially in a government agency would like to try it and see, what’s the best way for them to check it out?
Brian: So when you go on Bing or should you prefer Google, I know they also make a search engine.
Brian: You search “Office 365 U.S. Government,” you’ll find…there’s a products page out on the web.
Dux: Got it.
Brian: You can sign up for a free trial. So one of the things that we actually do commit to with our government offerings is that the community is restricted to only U.S. government entities or contractors who have been formally sponsored to hold data. So we actually we do look to your ITAR registration form, redacted numbers and all the good stuff. But we ask you to prove that you’re sponsored by the government to hold government data.
Dux: So, I Dux, can’t just sign up and trial.
Brian: Unfortunately not.
Dux: There you go. No, it’s all good.
Brian: Good for the community. Unfortunate for Dux.
Dux: Yeah but this is a good point, right? Let’s say somebody outside the U.S. wants to try it out, they can, right, because of the rules of data sovereignty and all that comes with that.
Brian: Exactly. Exactly right. And so for government agencies it’s actually a very simple process. You write in from a dot-gov email address, that’s about all it takes. We work through our validation process to really just make sure it’s all set. But then we’ll hand off a trial tenant, you get to play around, kick the tires, have some fun with it, and that’s really the best way to get started.
Dux: Right. Man, this has been so helpful. I’m sure a lot of people have been wondering about this, they wanna try it but they don’t know where to go. But truly, hopefully I can get you back in and talk more about this in the future.
Brian: Yeah, it’d be a pleasure. And we’ve got a government cloud forum coming up on October 17th in Washington DC.
Dux: That’s right.
Brian: Hope to see you folks there, would love to continue the conversation.
Dux: Absolutely. And I know regularly too out in D.C. they have Azure gov meet-up for government customers and I’m grateful that I’ll be speaking in one of the upcoming events as well.
Dux: I’ll talk about how to do better citizen engagement with the cloud. So, no, this has been great Brian. Thank you so much.
Brian: My pleasure. Thanks man.
Dux: And I, you know, I always enjoy coming out here.
Dux: And when you’re in D.C. we’ll do this drive again.
Brian: Sounds good.
Dux: All right.
Brian: A little less smoke around.
Dux: There you go. Well, thanks everybody, until the next episode. Bye.