Do you need a VPN connection from a laptop to access GCCH? Is it recommended? What’s the cheapest VPN service to use for connecting to GCCH? Is OpenVPN acceptable/compliant?
Is the physical device users are joining from part of your CUI environment?
No, there is already encryption when accessing M365 services.
“With Microsoft 365, your data is encrypted at rest and in transit, using several strong encryption protocols, and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPSec), and Advanced Encryption Standard (AES).”
Don’t forget the element of scoping, even if it is already encrypted… you CAN and most likely will bring CUI down to the endpoint when you make a direct connection to GCCH, which can lead to the endpoint’s subnet and surroundings being in scope. Without the use of virtual desktops, in most cases, the endpoint will be in scope and boundaries around that CUI will become important.
No ZTNA is a thing now. The full tunnel vpn requirement is dumb today.
You “could” setup an always on vpn to your enterprise firewall. But why? It’s about the endpoint today. Control everything there.
Remember that ZScaler must be a gov or fedramp version since your data is going thru it. If OpenVPN is hosted by you and is FIPS validated then it will work, if hosted by third-party then you need to look at scoping and ESP/CSP inclusion.
Thanks…that’s what I thought, but someone brought it up as being necessary. I just saw a 4-yr old Reddit post asking essentially the same thing. Sounds like the answer hasn’t changed.
Is this sufficient for meeting Level 2 requirements? I’ve seen this encryption claim too but have also been told it’s not FIPS compliant. I too have been recommended Zscaler, but like others have said it’s pricey. I’ve been looking at Global Secure Access as an alternative ands it looks promising.
I’ve somewhat agonized over this point. We plan on having dedicated laptops for connections into GCCH. These will be on-site in a locked room for the very occasional CUI access. For non-dedicated laptop connections into GCCH, they can have browser-only access preventing downloads and cut-n-paste. They must use the browser-based apps. No mobile connections allowed. The rest is handled via written policy. Do you think this would pass audit?
There’s no requirement for a full tunnel, just no split tunnels. You don’t HAVE to use a VPN. Zero trust addresses the risks.
Any ZTNA products you recommend? Does your scoping require this to be FIPS compliant?
Not necessary at all. Whoever is saying that is either confused or being misunderstood. Or they’re just outright wrong.
After some Google searching it seems that the GCC/GCCH environments do use FIPS validated cryptography for their services.
Edit:
"Microsoft online services that include components, which have been FIPS 140-2 validated include, among others:
- Azure and Azure Government
- Dynamics 365 and Dynamics 365 Government
- Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense"
It might pass an audit, but what do you actually do with the CUI? How do you use the data from those laptops that are connecting into GCCH.
Aside from those laptops do they sit on the same network as other computers? If so, what other end points can reach them? Are those laptops allowed to print? What printers are used?
The system has to be usable for the program that you run. The harder it is to use the less likely users are to actually use that system.
If you view it in a browser it is already to late and the devise is now in-scope. The browser can’t view something it hasn’t downloaded. The use of browser based apps does not change that since it is being processed on the local machine in the browser.
To access the GCC-H and keep your local machine out of scope you are looking at some type of VDI. And locking the machine out of all direct connections to the CUI
Will see how assessors come down on this but my
Expectation is that if you are accessing your high side environment through a browser you run the risk of that endpoint being in scope and it would be unmanaged.
It would have to be a combination of policy and instrumentation to validate that there no cui being pulled down. If it’s used sparingly might be better off with W365 and ZTA principles to descope the physical endpoint.
Zero trust is kinda like split tunnel vpn. It’s splitting hairs.
Cloudflare Zero Trust is the bomb
Take a look at Zscaler
In the data centers for sure, but I can’t find anything concrete that says data in transit is protected at approved levels though. This is why we were looking at Zscaler, but the GSA option is enticing because it is cheaper and ties in so seamlessly.
EDIT: I didn’t see your edit before replying. I’ll check out that link.