Guide to Microsoft's Security and Compliance Rebranding
Many people might stare in wide-eyed confusion at the naming conventions Microsoft has used in its rebranding. Some of the services used in the government and by government contractors have a new moniker.
Yet when you think about the changes, the logic makes sense in terms of keeping compliance and security engines purring.
Microsoft has a long-established partnership with the Cybersecurity Maturity Model Certification community.
In fact, for the last five years, going back to when System Security Plans (SSP) did not have their trustworthiness verified by a third party, the Seattle-based company has retooled much of their information architecture to help the Government transition to the cloud and away from on-premises and boundary-based protections.
Microsoft has also created new tools to help with security and compliance. These efforts have led to a rebranding of the services companies will use for CMMC. Microsoft wanted to make a distinction between services for security and those for compliance.
When you consider the Risk Management Framework (NIST-SP-800-37 and 39) that forms the backbone of the 171 security requirements, we think about a business at three levels:
- Level One: Governance and Organization
- Level Two: Business Processes
- Level Three: Technical and Business Systems
At each of the three levels, different assets, which include people, will have privileged and non-privileged roles. This means a user can access something at a specific tier that other users cannot access.
In terms of the information architecture (IA) a company deploys, it needs to consider which Microsoft tools it chooses for compliance and which it chooses for security.
Microsoft Azure and Microsoft 365
The compliance and security services that Microsoft offers cut across two different cloud platforms that people often confuse: Microsoft Azure and Microsoft 365. Each has different security and compliance needs, and each affects which controls a customer inherits from Microsoft, which here acts more like a Managed Service Provider. Microsoft 365 is a Software as a Service (SaaS) cloud. This covers all of your tools, such as Microsoft Office, Microsoft PowerPoint, and Visio. An organization seeking certification has limited responsibility with SaaS tools. You need to control access and training, but Microsoft handles almost all the other security requirements.
Microsoft Azure is more of an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) offering, depending on how an organization seeking certification deploys the service. Usually with IaaS, a company does not control all of its hardware or need to purchase the hardware. PaaS gets used when you establish hybrid environments or create an enclave, for example for Controlled Unclassified Information.
Azure also gets used when Managed Service Providers or security providers build apps in the cloud. For the end user the tool is a SaaS cloud model, outside of Microsoft, but the company designing the tool uses Azure as a PaaS.
As Microsoft focused on improving their services for CMMC, they identified the assets in both Microsoft 365 and Azure that an organization may use for security and the tools that will get used for compliance. These tools were rebranded and sorted into two different buckets.
Security and Compliance
When working on services that provide security to a Microsoft cloud deployment, companies will work with the Microsoft 365 Defender portal. As part of a cloud-first approach, Microsoft has ended the bifurcation in the branding of their services. Azure Security Center is now Microsoft Defender for Cloud, and Microsoft 365 Security Center is now Microsoft 365 Defender.
When working on services that provide governance, risk management, and compliance (GRC), a cloud user will access the Microsoft Purview compliance portal.
| Current name | New name |
|---|---|
| Azure Purview | Microsoft Purview |
| Azure Purview portal | Microsoft Purview governance portal |
| Microsoft 365 compliance | Microsoft Purview |
| Microsoft 365 compliance center | Microsoft Purview compliance portal |
| Azure Purview Data Catalog | Microsoft Purview Data Catalog |
| Azure Purview Data Insights | Microsoft Purview Data Estate Insights |
| Azure Purview Data Map | Microsoft Purview Data Map |
| Azure Purview Data Sharing | Microsoft Purview Data Sharing |
| Azure Purview Data Use Management | Microsoft Purview Data Use Management |
| Microsoft 365 Advanced Audit | Microsoft Purview Audit (Premium) |
| Microsoft 365 Basic Audit | Microsoft Purview Audit (Standard) |
| Office 365 Advanced eDiscovery | Microsoft Purview eDiscovery (Premium) |
| Office 365 Core eDiscovery | Microsoft Purview eDiscovery (Standard) |
| Microsoft 365 Communication Compliance | Microsoft Purview Communication Compliance |
| Microsoft Compliance Manager | Microsoft Purview Compliance Manager |
| Customer Key for Office 365 | Microsoft Purview Customer Key |
| Double Key Encryption for Office 365 | Microsoft Purview Double Key Encryption |
| Office 365 Customer Lockbox | Microsoft Purview Customer Lockbox |
| Office 365 Data loss prevention | Microsoft Purview Data Loss Prevention |
| Microsoft 365 Information Barriers | Microsoft Purview Information Barriers |
| Microsoft Information Protection | Microsoft Purview Information Protection |
| Microsoft Information Governance | Microsoft Purview Data Lifecycle Management |
| Microsoft 365 Insider Risk Management | Microsoft Purview Insider Risk Management |
| Privileged Access Management in Microsoft 365 | Microsoft Purview Privileged Access Management |
| Records Management in Microsoft 365 | Microsoft Purview Records Management |
Do not let new naming conventions confuse you. The rebranded services from Microsoft provide the same catnip we have all come to love when dealing with Cybersecurity Maturity Model Certification.
Img credit: Confused flickr photo by slava shared under a Creative Commons (BY) license