Many people might stare in wide-eyed confusion at the naming conventions Microsoft has used in its rebranding. Some of the services used in the government and by government contractors have a new moniker.

Yet when you think about the changes, the logic makes sense in terms of keeping compliance and security engines purring.

Microsoft has a long-established partnership with the Cybersecurity Maturity Model Certification community.

In fact, for the last five years, going back to when System Security Plans (SSP) did not have their trustworthiness verified by a third party, the Seattle-based company has retooled much of its information architecture to help the Government transition to the cloud and away from on-premises and boundary-based protections.

Microsoft has also created new tools to help with security and compliance. These efforts have led to a rebranding of the services companies will use for CMMC. Microsoft wanted to make a distinction between services for security and those for compliance.

When you consider the Risk Management Framework (NIST-SP-800-37 and 39) that form the backbone of the 171 security requirements, we think about a business at three levels:

  • Level One: Governance and Organization
  • Level Two: Business Processes
  • Level Three: Technical and Business Systems

At each of the three levels, different assets, which include people, will have privileged and non-privileged roles. This means a user can access something at a specific tier that other users cannot access.

In terms of the IA (information architecture) a company deploys, it needs to consider the Microsoft tools it chooses for compliance and those it chooses for security.

Microsoft Azure and Microsoft 365

The compliance and security services that Microsoft offers cut across two different cloud platforms that people often confuse: Microsoft Azure and Microsoft 365. Each has different security and compliance needs, and each affects which controls a customer inherits from Microsoft or, more likely, a Managed Service Provider. Microsoft 365 is a Software as a Service (SaaS) cloud. This means all of your tools like Microsoft Office, Microsoft PowerPoint, and Visio. An organization seeking certification has limited responsibility with SaaS tools. You need to control access and training, but Microsoft handles almost all the other security requirements.

Microsoft Azure is more an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) offering, depending on how an organization seeking certification deploys the service. Usually with IaaS a company does not control all its hardware or need to purchase the hardware. PaaS gets used when you establish hybrid environments or create an enclave for Controlled Unclassified Information, for example.

Azure also gets used when Managed Service Providers or security providers build apps in the cloud. For the end user the tool is a SaaS cloud model, outside of Microsoft, but the company designing the tool uses Azure as a PaaS.

As Microsoft focused on improving its services for CMMC, it identified assets in both Microsoft 365 and Azure that an organization may use for security and those tools that will get used for compliance. These tools were rebranded and sorted into two different buckets.

Security and Compliance

When working on services that provide security to a Microsoft cloud deployment, companies will work with the Microsoft 365 Defender portal. As part of a cloud-first approach, Microsoft has ended the bifurcation in the branding of its services. Azure Security Center is now Microsoft Defender for Cloud, and Microsoft 365 Security Center is now Microsoft 365 Defender.

When working on services that provide governance, risk management, and compliance (GRC), a cloud user will access the Microsoft Purview compliance portal.

| Current name | New name |
| --- | --- |
| Azure Purview | Microsoft Purview |
| Azure Purview portal | Microsoft Purview governance portal |
| Microsoft 365 compliance | Microsoft Purview |
| Microsoft 365 compliance center | Microsoft Purview compliance portal |
| Azure Purview Data Catalog | Microsoft Purview Data Catalog |
| Azure Purview Data Insights | Microsoft Purview Data Estate Insights |
| Azure Purview Data Map | Microsoft Purview Data Map |
| Azure Purview Data Sharing | Microsoft Purview Data Sharing |
| Azure Purview Data Use Management | Microsoft Purview Data Use Management |
| Microsoft 365 Advanced Audit | Microsoft Purview Audit (Premium) |
| Microsoft 365 Basic Audit | Microsoft Purview Audit (Standard) |
| Office 365 Advanced eDiscovery | Microsoft Purview eDiscovery (Premium) |
| Office 365 Core eDiscovery | Microsoft Purview eDiscovery (Standard) |
| Microsoft 365 Communication Compliance | Microsoft Purview Communication Compliance |
| Microsoft Compliance Manager | Microsoft Purview Compliance Manager |
| Customer Key for Office 365 | Microsoft Purview Customer Key |
| Double Key Encryption for Office 365 | Microsoft Purview Double Key Encryption |
| Office 365 Customer Lockbox | Microsoft Purview Customer Lockbox |
| Office 365 Data loss prevention | Microsoft Purview Data Loss Prevention |
| Microsoft 365 Information Barriers | Microsoft Purview Information Barriers |
| Microsoft Information Protection | Microsoft Purview Information Protection |
| Microsoft Information Governance | Microsoft Purview Data Lifecycle Management |
| Microsoft 365 Insider Risk Management | Microsoft Purview Insider Risk Management |
| Privileged Access Management in Microsoft 365 | Microsoft Purview Privileged Access Management |
| Records Management in Microsoft 365 | Microsoft Purview Records Management |

Do not let new naming conventions confuse you. The rebranded services from Microsoft provide the same catnip we have all come to love when dealing with Cybersecurity Maturity Model Certification.

Img credit: Confused flickr photo by slava shared under a Creative Commons (BY) license