How GOVFTP Cloud Managed File Transfer Compares to Microsoft SharePoint GCC
You might be asking yourself, “why are collaboration platforms competing with Managed File Transfer (MFT)?” Great question. Normally, they don’t, and to be honest -- they shouldn’t. These are not the same thing. What the two have in common is mainly that files can be stored or sent within MFT and MFT as-a-Service (MFTaaS) platforms, as well as within collaboration platforms. However, as we’ll see later, it’s not without difficulty if you’re trying to use a collaboration tool like Microsoft O365 as an MFTaaS tool.
File Transfer vs. Collaboration Tools
When I began working for FTP Today in February of 2020, I started digging into our competition to understand the differences between us and others. I quickly realized file transfer and file sharing (sometimes labeled Managed File Transfer as a Service [MFTaaS]) are a market with a lot of different platforms and a lot of different features, with common challenges every organization needs to solve for. Typically, it’s broken into these two categories:
- File Transfer – Used primarily when “Person A” needs to send a document to “Person B” in a secure, compliant, and efficient way. These platforms have a rich set of security features and management options for the entire site and for individual users. They give an administrator visibility into what has happened to a specific file while it resides in the transfer system. This includes things like “has it been downloaded, and who downloaded it?” or “when was this file deleted, and who deleted it?” to name a couple. The FTP Today platform goes much further than this from a logging perspective, but this at least gets you in the right frame of mind.
- Collaboration – Short answer: It helps people collaborate. Long answer: before these platforms, teams used items like sticky notes, white boards, or flip charts to collaborate with each other. Now, many organizations use software like email, or some Microsoft Office/O365 tools which we’ll be discussing here. Email is now used mainly as a tool for 1:1 communication instead of collaboration, while other Microsoft Office tools such as Teams are used for work across many members in a group.
We’re not here to knock Office 365 as a whole. It’s important to note, FTP Today’s entire staff uses Microsoft O365 products, and we don’t have anything against their intended use. Frankly, we like them -- just not for secure, compliant, or efficient file transfer. Round peg -- meet square hole.
With the above as background, I’m going to explain Microsoft’s GCC product line, while also explaining why it’s smart to use a tool like FTP Today’s GOVFTP Cloud or FTP Cloud for its intended use.
What is Microsoft's Government Community Cloud (GCC)?
To start with, we need an understanding of where it came from. Non-government Office 365 (O365), which we’ll call Commercial, predates many of the enterprise-grade security features Microsoft has established over the past few years. For instance, the popularity of Azure cloud -- and in turn, Microsoft moving its core O365 platform functions and storage to the cloud -- meant they had to change the way they approach security as a “Cloud Provider.” They became a data holder, while also becoming responsible for providing infrastructure (IaaS) and platform (PaaS) security within the O365 apps.
Microsoft added several O365 collaboration tools, including SharePoint, Teams, Power BI, and Stream, to name a few. Of course, these applications cost extra depending on your version. These are great tools, but it also means each of them carries compliance requirements for the sharing of documents or data.
If you were to couple this with Microsoft’s investment to support federal government agencies and departments, it made sense for them to finally separate the Commercial “enclave” from the Government (GCC) “enclave.” Let’s take a look at a quick definition for what a data enclave is. Simple enough, although not always plausible:
A data enclave is a secure network through which confidential data, such as identifiable information from census data, can be stored and disseminated. In a virtual data enclave a researcher can access the data from their own computer but cannot download or remove it from the remote server.
What you might not know is that in some cases they have only partially separated these platforms, and this could greatly affect your security posture. To further complicate the picture, Microsoft has divided their “O365 for Government” offering into three different levels, and the Azure instance varies depending on the GCC level you are in:
- Office 365 “GCC” – The Azure instance is tied to the Commercial offering, which is not compliant for CUI transfer
- Office 365 “GCC High” – Aligns with the accreditation for “FedRAMP High,” but is not the same thing as a ‘high-side environment,’ which is designated for classified information. The Azure instance is in the Azure Gov enclave and is compliant for CUI provided you have set up the vast number of Microsoft settings correctly
- Office 365 “DoD” – The Azure instance is in the Azure Gov enclave and is compliant with CUI, but is very expensive, and is a ‘high-side environment’
Data Residency vs. Data Sovereignty in O365 GCC (Data Enclaves)
Because of this breakdown in service levels, it’s important to note the differences within the Microsoft Office products and how they meet government compliance standards, since this varies widely. For instance, O365 GCC (as opposed to the GCC High and DoD levels) offers data residency rather than data sovereignty, and is an enclave of Commercial. The key differences between the two:
- Data Sovereignty – not only is the data stored in a designated location, but it is also subject to the legal protections and punishments of the country in which it’s stored.
- Data Residency – The physical location of an organization’s data. This is referring to the datacenter, or infrastructure, specifically.
It’s paramount that you understand data residency with screened US Persons ONLY applies to the Multi-Geo covered workloads (e.g. Exchange, OneDrive, etc.). All other workloads, dozens of them from Azure Active Directory to Yammer, support neither data residency nor screened US Persons.
As Microsoft states:
US Sovereign Directory Services - Unlike Office 365 GCC that is paired with Azure AD in Commercial, Office 365 DoD and GCC High are paired with Azure AD in Azure Gov.
What does this mean? Well, it means GCC alone doesn’t have you covered if you’re using one of the “dozens” of applications.
Microsoft also states the FedRAMP Moderate P-ATO from DHHS is specifically for tenants of O365 GCC. Since O365 GCC is ultimately a data enclave of Commercial, any organization has to ask themselves if they meet all compliance requirements strictly by having a GCC enclave for some tools and not others. The answer is a resounding “no.” If you are working to meet CUI compliance, they recommend only deploying in a single tenant environment unless it’s unavoidable.
Microsoft itself is saying not to mix and mingle Microsoft products across GCC, GCC High, and DoD to jury-rig a solution. Also, what do you do when you are sharing a document via OneDrive with an outside entity, but only your organization is in GCC High? Due to the controls set forth by the Commercial enclave, a GCC user sharing with a non-GCC user means that compliance is not met. As a customer, are you supposed to check with each outside entity beforehand every single time you want to send a file via OneDrive? Is your compliance even going to be met?
If you’re like me, by reading the above statements you can begin to understand why strictly using Microsoft GCC as your established baseline for all your standards can get complicated and tiresome to manage. These GCC principles, along with the Commercial principles (Global Network, Global Directory, and Global Support Personnel), are the reason many government customers or contractors with stricter regulatory requirements such as DFARS, ITAR, NIST 800-171, or NIST 800-53 rolling up through DFARS do not choose standard GCC, but are instead forced into the GCC High or DoD levels. These are fully isolated, very expensive cloud environments with an Azure Gov enclave instance, and only Azure Gov is designed for CUI.
Why Simplicity is Important for File Sharing
Frankly, by using Microsoft for file sharing, particularly external file sharing, you’re making it too complicated. Remember “square peg, round hole?” FTP Today is focused on one product: our File Transfer and File Sharing platform and in making sure we give you the controls to meet compliance. When our clients discuss our GOVFTP Cloud vs O365 GCC with us, the conversations always start the same way. The first thing they ask is about our licensing structure and how easy it is to use, and here’s what we tell them:
- We have plans for unlimited users
- We have unlimited bandwidth
- We have multiple file transfer protocols built into our platform
- Multi-factor Authentication is offered in several ways site wide or per user: text, email, or TOTP application
- We use AES-256 for encryption at rest, and TLS 1.2 in transit (meeting requirements for FIPS 140-2)
- We offer plans with Single Sign-On (SSO) integration (and multiple SSOs at that)
- We have an intuitive HTTPS interface
- And, finally, we do a great job of logging
- Best of all, we offer flat rate pricing, not per seat license fees! (more on that below)
I’m sure you can guess what organizations are typically most excited about: plans with unlimited users for a flat monthly fee. We made the decision years ago that our customers needed to meet compliance, and in order to do so, one of the best ways is to assign each unique user their own login credentials (username & password) that can follow NIST standards. Sure, we could grow revenue faster if we charged per seat, but we would rather make it simple for an organization to do business with us.
An “unlimited users” feature is great for a couple of reasons: whether an internal user or an external user, both can, and must (for compliance reasons), have their own unique login credentials on GOVFTP without an administrator worrying about a budget for per-user seat licensing. Unlimited-user plans are very popular at FTP Today. A massive headache is removed for an administrator and an organization, because they can very easily create a new customer with the appropriate folder access without being concerned about a common system limitation in the SaaS era.
The Crippling Cost of Microsoft Licensing
The above scenario is impossible with Microsoft. First, all parties to a file transfer must have their own O365 GCC High account in order to stay compliant. There’s no way to guarantee this unless the outside user is also on your system, and you’re not going to do that because of the other security concerns regarding information stored in other systems. The Microsoft O365 GCC High licensing cost is normally between $40 and $50 -- PER USER, PER MONTH.
If you were to multiply the individual licensing costs by an entire organization you can see how costs can get out of control very, very quickly. And this is strictly the licensing cost. This doesn’t count the potential cost of professional services for implementation and to make sure you’re going to pass audit. For companies that are part of the Defense Industrial Complex (DIC), it’s a hard pill to swallow. And as regulations continue to be more stringent regarding DFARS and CMMC, the costs will be crippling to small and medium sized organizations while putting a major dent in the earnings of large organizations.
If an organization does go over budget, they have a decision to make: “should we bite the bullet, or should we give an entire department one username and password?” Both are painful and the responses vary, but many times organizations have decided to do the latter. This presents problems for a compliance department because they don’t actually know who is doing what when individuals share credentials. Sharing credentials is a compliance no-no; actually, it’s a violation. It should be avoided entirely, and FTP Today makes it easy for you to do so.
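The per-file audit questions raised earlier (“who downloaded it?”, “who deleted it?”) and the attribution problem that shared credentials create are easy to see side by side in code. The following is an added example, not FTP Today’s or Microsoft’s code, and the log format is constructed for illustration rather than copied from either product: it parses a handful of made-up JSON audit records, answers the two audit questions for a file, and then shows why a shared account (`engineering-shared`, a hypothetical name) leaves an auditor with an account and several source addresses instead of a person.

```python
import json
from collections import defaultdict

# Constructed sample audit log: one JSON object per line. The field names, users,
# paths and IPs are invented for this example and are not from any real product.
SAMPLE_LOG = """\
{"ts": "2021-03-01T14:02:11Z", "user": "alice@contractor.example", "event": "upload", "path": "/cui/spec-rev3.pdf", "src_ip": "203.0.113.10"}
{"ts": "2021-03-01T15:10:45Z", "user": "bob@agency.example", "event": "download", "path": "/cui/spec-rev3.pdf", "src_ip": "198.51.100.7"}
{"ts": "2021-03-02T09:31:02Z", "user": "carol@agency.example", "event": "download", "path": "/cui/spec-rev3.pdf", "src_ip": "198.51.100.9"}
{"ts": "2021-03-03T11:00:00Z", "user": "alice@contractor.example", "event": "delete", "path": "/cui/spec-rev3.pdf", "src_ip": "203.0.113.10"}
{"ts": "2021-03-03T11:05:00Z", "user": "engineering-shared", "event": "download", "path": "/cui/drawing-17.dwg", "src_ip": "203.0.113.21"}
{"ts": "2021-03-03T11:06:30Z", "user": "engineering-shared", "event": "download", "path": "/cui/drawing-17.dwg", "src_ip": "203.0.113.34"}
{"ts": "2021-03-03T11:09:12Z", "user": "engineering-shared", "event": "delete", "path": "/cui/drawing-17.dwg", "src_ip": "203.0.113.58"}
"""

# Hypothetical list of accounts known to be shared by more than one person.
SHARED_ACCOUNTS = {"engineering-shared"}


def parse_log(text):
    """Turn the newline-delimited JSON log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def file_history(events, path):
    """All events that touched one file, in log order."""
    return [e for e in events if e["path"] == path]


def who_downloaded(events, path):
    """Answer 'has it been downloaded and who downloaded it?' as (user, timestamp) pairs."""
    return [(e["user"], e["ts"]) for e in file_history(events, path) if e["event"] == "download"]


def who_deleted(events, path):
    """Answer 'when was this file deleted and who deleted it?'; None if it still exists."""
    for e in file_history(events, path):
        if e["event"] == "delete":
            return (e["user"], e["ts"])
    return None


def attribution_gaps(events, shared_accounts=SHARED_ACCOUNTS):
    """Events performed under a shared account cannot be tied to a person.

    Returns {account: sorted list of distinct source IPs} so an auditor can see
    how many different endpoints acted under a single credential.
    """
    ips = defaultdict(set)
    for e in events:
        if e["user"] in shared_accounts:
            ips[e["user"]].add(e["src_ip"])
    return {acct: sorted(s) for acct, s in ips.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("downloads:", who_downloaded(evs, "/cui/spec-rev3.pdf"))
    print("deleted by:", who_deleted(evs, "/cui/spec-rev3.pdf"))
    # With a shared account the 'who' column names an account, not a person,
    # and three different source addresses acted under it.
    print("deleted by:", who_deleted(evs, "/cui/drawing-17.dwg"))
    print("unattributable:", attribution_gaps(evs))
```

With individual accounts the log answers both audit questions with a named person; with the shared account it can only say which credential was used, which is exactly the gap a compliance reviewer will flag.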
Implementation - Time, Money, and People
Earlier, I mentioned the different levels of Microsoft Azure GCC. There are a couple of reasons why being forced into GCC High for CUI matters, one of them being the cost to the organization. FTP Today primarily works with small to medium sized enterprise businesses that don’t have the resources to go through multiple audits, hire outside consultants, or pay exorbitant user fees. That said, large enterprises have been choosing us regularly for a host of reasons, mainly our cost structure and the ease of working with us. Small to medium sized businesses can’t sustain the crippling costs associated with Azure GCC High or Azure DoD, and that is strictly the platform. It does not include the hidden costs of file transfer within Microsoft’s product line.
When companies decide they want to use Microsoft’s services for file transfer, they almost always go with SharePoint. The “why” is almost always the same: “well, we’re using O365, so we thought it made sense to just go with another Microsoft product and add it to our suite.” As often as we hear we are competing with Microsoft, we just as often have organizations tell us they tried to go the SharePoint route, it didn’t work out, and now they’re ready to re-evaluate.
Implementing SharePoint - The Unknown Complexity
In a previous life, I was blessed to work with some brilliant SharePoint overlays. One thing every customer or prospect discovers is that SharePoint never immediately works the way you want. Positive: it’s incredibly customizable. But this also means that SharePoint is often more cumbersome and expensive than it’s cracked up to be. It’s similar to an iceberg, where 90% is underwater and you can’t see it.
As you can imagine, SharePoint implementation can get very expensive when an organization decides to go this route. That doesn’t even count the technical limitations, such as no SFTP protocol, file size and file quantity limits, and difficulty tracing subfolders back to the root.
What if, instead of using SharePoint as a tool for file transfer, you put potentially tens of thousands of dollars back in your pocket to re-invest in revenue generating portions of your business? FTP Today gives you the opportunity to do just that. We help organizations quickly and easily get up and running by helping you overcome the issues with Microsoft SharePoint/O365 file transfer:
- Deployment time is hours, and not months
- Support for multiple secure protocols: HTTPS, SFTP, FTPeS, and FTPS
- Easy-to-Access Logging for administrators and auditors
- Windows Explorer styled folder structure with an unlimited number of restricted folders
In our estimation of licensing costs and ease of use, an organization is better off using FTP Today’s GOVFTP platform to share CUI related data with contractors, subcontractors, and government agencies. The FTP Today platform is hosted in the U.S., developed in the U.S., supported in the U.S., and all our employees are U.S. citizens. We have a purpose-built platform, specifically for file transfer that includes all the functionality needed for a company to pass the file transfer/file sharing portions of their audit. As we continue to scale, and add functionality, FTP Today will continue to be in a great place to easily meet your compliance requirements for years to come.
GOVFTP Cloud is your compliant solution for secure exchange. The FTP Today team is here to help in any way we can. If you are interested in a demo or have additional product questions schedule a demo today!
About Brendon Ainsworth
Learner, Researcher, Customer-focused, and the Director of Sales for FTP Today. Brendon has successfully navigated multiple industries and has infrastructure certifications in GCP and AWS. He started his career in Oil & Gas business development and successfully transitioned to Rackspace as a Mid to Large enterprise technology consultant and then as a leader.