Ep #113: Microsoft 365 GCC, GCC High, or Commercial?

March 14, 2023

Microsoft 365 was launched in 2011 in hopes of revolutionizing cloud-powered productivity platforms. Since then, Microsoft 365 has grown to the point where it is now one of the largest cloud-powered productivity platforms on the market, competing with the likes of Google and more.

To give organizations a clear picture of their Microsoft 365 options, your host John Verry sits down with Conrad Agramont, CEO of Agile IT, a top Microsoft Cloud Service Provider focusing on Microsoft 365, to discuss Microsoft Government Community Cloud (GCC), GCC High, and more.

In this episode, Join us as we discuss the following:

How the three Microsoft 365 clouds differ in terms of key security capabilities
The importance of communicating with your government program office about the cybersecurity requirements in your contract
What migration from commercial Microsoft 365 to a “gov cloud” can look like in terms of time, cost, and effort
The two most challenging aspects of any Microsoft 365 migration
Pros and cons of a “hybrid approach” involving multiple Microsoft 365 environments.

To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast. Just search for The Virtual CISO Podcast in your favorite podcast player or watch the Podcast on YouTube here.

To stay updated with the newest podcast releases, follow us on LinkedIn here.

See below for the complete transcription of this episode!

John Verry (00:00):

Uh, hey there, and welcome to yet another episode of the Virtual CISO podcast with you as always, John Very, your host, uh, with me today. Maybe some construction people upstairs, banging and drilling and song. And I hope not. That’s why I’m sitting in my basement right now instead of in the office. Uh, and also with me, uh, is Conrad Amont, uh, Conrad. Good afternoon. Happy Friday.

Conrad Agramont (00:24):

Happy Friday. Happy sir. Uh, let me, let me, uh, come on board.

John Verry (00:28):

Well, yeah, listen, I’m looking forward to this because, uh, you know, this topic is an interesting one and one that, uh, increasingly in today’s, uh, dib driven world, uh, is, uh, is an important one. Um, always like to start simple. Uh, tell us a little bit about who you are and what is it that you do every day.

Conrad Agramont (00:45):

So, cond Agman, I’m the CEO here at Agile it, and we’re based here in, in San Diego primarily, all we focus on is it cloud services that are based off the Microsoft Cloud platform. Uh, I’ve been doing it for a number of years and it’s been, maybe we really picked the right horse. They just keep adding more and more things. So it’s been a, been a fun ride.

John Verry (01:04):

Uh, yeah, micro, I, the only, I, you know, in your greatest strength always lies your greatest weakness. And Microsoft, to me is exactly that, because, you know, you go in like, it is, it’s an amazing bargain. What you get with Microsoft 365, it’s a bargain, but every time you go in there, there’s something new. And like, you, you almost need, and I can see why your business is probably booming, is cuz you almost need a full-time person to just stay on top of the advances at Microsoft. It’s crazy.

Conrad Agramont (01:30):

Yeah. It, it’s, uh, now part of my history is, and, and it’s, there’s two interesting parts, and I, that’s my history, but I’ll just jump in, is, uh, you know, when I was young, my, my father was in the Marine Corps and like, I’m never gonna go to the Marine Corps. I go, I joined the Marine Corps, then I get outta the Marine Corps. I don’t wanna go to the Marine Corps anymore. And then, uh, then I go work for Microsoft. I work at hosting, you know, hosted exchange stuff. We take customers out all the time, and then I leave Microsoft and, uh, and then now here I’m at Agile it and I’m working both for military things like the Marine Corps and work with Microsoft Services. It comes full circle. Uh, it’s a crazy story.

John Verry (02:06):

Yeah. Um, so I always like to ask, uh, before we get too far down the business, as you drink your coffee, maybe that’s your answer. Uh, what’s your drink of choice?

Conrad Agramont (02:16):

You know, I’m not really sophisticated when it comes to things like, I like coffee. People are like, oh, what is the best coffee meats? Like, I, whatever one is in the order the size that I want <laugh>, uh, you know, you know, if it, if it’s a beer, I’m not sophisticated, it’s normally attached to the weather. You know, if it’s, if I’m at the beach, just a Corona, if it’s cold, you know, I’ll, I’ll get a beer. Uh, if there’s wine, I’ll take something, take something. So, uh, I’m, I’m more of kind of a social drinker in that aspect. And whatever’s wrong, I don’t like IPAs and the only thing I’m passionate around drinks is go to a restaurant like, can I have a Coke, please? They say, oh, we have Pepsi. Is that okay? It’s not okay. It’s not the same thing. <laugh>. So I guess Coke is my number one, my number one

John Verry (02:52):

Answer. So I’m, I’m, I, I have to say I’m disappointed and I was gonna ask you to invite me to San Diego cuz I’d love San Diego. And one of the reasons I love San Diego is it’s, you know, perhaps the micro brewery capital of mm-hmm. <affirmative>, some of my favorite, you know, stone and Ballas Point and Belching Beaver. I mean, like, there’s some great great, um, breweries there. Um,

Conrad Agramont (03:12):

But I mean, I’ll go for the beer. You,

John Verry (03:14):

You don’t seem to give a crap. I’m like, I want, somebody gets excited with me about the chocolate harvest out at

Conrad Agramont (03:19):

Belgium. I’ll bring my brother. He loves all that stuff.

John Verry (03:21):

All right. So I’ll tell you what. So now you can invite me and me and your brother can go

Conrad Agramont (03:24):

Up. Oh, okay. All

John Verry (03:26):

Right. Sounds good. Before this, before this devolves any further, let’s get down to why we’re really here to chat about. So from my perspective, right, Microsoft 365 has become nearly omnipresent in, in the, in the smb SME space. I mean, and it’s really crazy. I mean, I looked it up in prep for this podcast. It’s only been 2011 July of 2011, really, where they, where they launched it. So you think about it, how much they’ve accomplished and how many organizations on this platform in the last 11 years. Um, you know, I look at it and say, you know, simplicity, you know, just turning stuff on interoperability bundle capabilities, you know, what do you, you know, is that what we attribute the massive success to? Or what do you trip the massive success they’ve had to?

Conrad Agramont (04:10):

Well, I think with Microsoft, one of the things that they’ve just, you know, if you think about their long history and even then, and even now, just their knowledge around enterprise business applications where they started with and having that knowledge and then saying, wait a minute, you know, we’re losing a lot of business to Google right now because they can just do all that stuff on a webpage. And, and now we look old and clunky. Well, the one thing that Microsoft has always been able to do well is understand their customers and they know how to, they know how to make a dollar, right? They know how to make money off of things. And so, you know, taking that approach of, Hey, we’re gonna invest into cloud and SaaS, and, you know, uh, and, and kind of getting that going with the knowledge we already have around these businesses and business models and, and an existing partner channel that was out there, you know, these small and midsize customers, uh, they were getting everything they wanted, which is enterprise business applications in a, in a way that is, doesn’t require me to have a server.

(05:07):

If I have a server, I have a network. If I have a network, I have to have, I have to have a router. If I have a router and a network and the server, then I have to have power supply. Then I have to have batteries, now have to have generators and gas, and to have all of these things just to send email, just to share documents. And so that’s a place where I think they’ve done really, really well, is, is servicing those customers in a way that, that, that appeals to them with less friction. And being able to do it with, uh, a company that understands, you know, you know, receptionists or administrators have to have multiple calendars and other kind of delegated services where, you know, the old Google platform, the other ones that, that were out there were just like, but you just need a simple email account. Just like, you know, like hotmails where AOL fail and time where. So I think that’s what they did really well.

John Verry (05:54):

Yeah. Um, I, I also think that, you know, I, I credit a lot of the success to Satya made. You know, I, I think that, you know, he just recognized that, you know, the, the cloud and online was the future and, you know, it was more about what your data was even than the applications. And then of course they had to lead in the applications anyway. But yeah, I think what they’ve done is remarkable. Um, so, you know, one of the things that they’ve done right and talks about understanding their customers is understanding their customers have different, uh, requirements, you know, security requirements, different compliance requirements. So, you know, we’ve seen that the US government is increasingly focused on protecting controlled unclassified information or what we call CUI or kui, um, that is being shared with non-federal entities. Um, there’s been currently much more aggressive enforcement of those far, far DEFOREST clauses in the dib.

(06:45):

We’re starting to see some aggressive enforcement of FAR clauses which apply to non dib, non-military non-DOD data, right? Cuz the government classifies, uh, there’s 20 classifications of CUI or 19, one of which is defense information. Um, so, uh, and the FARs clause and, and the DEF RS clause both specify conformance with 800, 1 71 and or cmmc. So, question for you, um, you know, if you are an organization that is either dealing currently with the CY requirement or you look down the, down the pipe a little bit and you say, Hey, you know, two years from now I should be planning for this. Um, how do organizations determine whether they should use Microsoft’s commercial or government offerings for Microsoft 365?

Conrad Agramont (07:30):

Yeah, so in, in the Microsoft 365 space, you know, there, to keep it simple and focused on what we’re talking about here, there really is the, the three parts of it, right? There’s the, the regular what called commercial global kind of cloud, you know, go upside up the credit card. You know, my mom can get one, there’s no other paperwork. Um, and the second one is, is the government community cloud, right? And, and for that one, so for gcc that’s, you know, basically a variation of the commercial. It’s still serviced out of commercial, but there, but there is some compliance capabilities there. And by the way, those two are, while they’re related, they are still separate environments. I can’t just move and copy paste, not, not like folders. And then there’s the big daddy one’s not even the big daddy one anymore, but it’s the, the gcc.

(08:17):

So same kind of acronym high. And really the high is normally aligning to Fedra high, just like we say gcc, it’s typically GCC moderate, you know, so there’s a lot of paperwork that goes into, so considering which one you should go into, uh, sometimes it could be challenging. There’s a few that I think are really important to look at. Number one, if you do I T A R, the only answer for you is GCC high, super simple. Because, because one thing is you are in, in all of these places where Microsoft is running it for you, uh, you know, they’re doing their part underneath things. You don’t get to see like they’re employees, the building that’s are in the locks the doors, and they’re gonna participate in an audit. So if you say, I can get away with ITAR underneath, you know, in commercial or GCC high, oh, there’s an audit, Microsoft’s gonna say, we told you no.

(09:06):

You know, so we’re, it’s not safe. So for itar, it’s a really easy answer. The other two parts that, that get a little, that I think are, are good things to look at. One is if you look at the service description for the, again, Microsoft there you have GCC versus GCC High. One of those things that they say is, and when you’re in gcc, we cannot guarantee support of where when you call the support, when you’re in there, they’re gonna say, we can’t guarantee that those people are in the us mm-hmm. <affirmative>. So it, it might be connected into gcc, that’s fine, but the support person you might be talking to is outside the US and I, I, and I might need help, so, but I want to use person. They’re like, they can’t, they can’t guarantee you’re gonna get that on the GCC high side.

(09:49):

They say, not only are you doing that where we can guarantee it’s gonna be a US based person, but they also provide additional background checks that are more DD aligned for gcc. Hi. Mm-hmm. <affirmative>. So, you know, now goes to the second part that’s important. Just like in everything else, you gotta talk to your government program office, wherever has the contracts or contracts you perceive you’re gonna go get, what are their requirements? Cuz they might not say, oh, you have to have pass c cmmc something you not be clear. But they, there might be something in there that says, this level of CY must only be accessible too and supported on, you know, when it’s in the US and background checks. So, you know, that kind of tells you where you know where you gotta go. So I think those, those are really the driving points of when to when to decide to do what.

John Verry (10:36):

So just just to summarize that, make sure that I got it right and you know, if you are, if you’re going to have CUI, then mm-hmm <affirmative>, you should probably be in gcc. And by the way, thank you for, I, I never remembered what the, the second C was. I always call it gov cloud. I, I never remembered that the c other C was community. So I’ll see my, see if I can remember that. And then this. So, so if you have cui, you should be in gcc. Uh, if you have CY specified, you know, that is IAR R then you should be in GCC high Good summary.

Conrad Agramont (11:09):

Yeah. And, and, and everybody asks us all the time, well, which c u i, you know, c i is a large spectrum. It’s about the program or the contract. And, and they’ll also tell you how to then label and market, but you have to ask them.

John Verry (11:23):

Yep, I agree completely. So, um, so let’s show down a bit more. Um, you know, do, do you get involved in, cause we do, right? But do you get, like typically when somebody says to me, okay, well how do I know what type of data that I have? Right? Um, you know, so I don’t know if you guys get involved in those same conversations. Is this cui, is this not cy? You know, can this data go into GCC or do I need to go to GCC High? Um, you know, is it is it is just as simple as making sure that they’re looking at the contracts and talking to their contracting officers.

Conrad Agramont (11:56):

Yeah, I mean our, our specialty is really either getting you to the right part of the cloud, securing it, making sure you get all the data and safeguard, we don’t really specialize at, at understanding, Hey, let’s take a look at that paragraph and the contract and hey, that’s what that thing is. And it’s just not our focus. That’s why we work with you, John.

John Verry (12:13):

I know, I, I, you know, I, you know, it’s funny, we, we’ve never actually, I’ve never asked you that question before or anyone on your team, um mm-hmm. <affirmative> that question before. So, you know, generally speaking, right? It, it, it’s all about, it’s all about the contract, you know? And unfortunately, many of the contracts are not as clearly written or the answers that you get, you know, might not align with it. But I mean, fundamentally, right? If you’ve got a 70 12 a D R 70 12, 70 19, 70 20, or 70 21 clause, you definitively need to be in GCC high. And then the next question is, is that you gotta look at the classification of CUI that you have. And the most, you know, if you see X P T, you know, c I specified with X P T and it’s I T R, you know, then, you know, then you’re gonna find that that’s really what gotta go into that GCC high.

(12:57):

Um, so, so let’s say, you know, and we’re seeing this a lot, you know, a lot of the dib, right? Because many of the DIB are smaller firms, a lot of manufacturing firms and consulting firms and people of that nature are, are already in Microsoft 365 commercial. So now what happens? They have to make a, they have to make that decision. Okay, well, oh crap, I gotta move from Microsoft commercial to Microsoft’s, uh, gcc. Um, what does that process look like to migrate to gcc? If it’s different, what does that process look like to, to migrate to GCC high? And can you provide any ballpark cost for what that would, would, that would cost the typical organization?

Conrad Agramont (13:35):

Well, the, the, when deciding, you know, so the big difference in terms of like a purchasing a migration when you, when you’re looking between GCC and, and GCC high one is that the, the, um, the licensing programs are different. So that’s the first thing, right? I mean the, you could go into gcc, uh, you know, and I’ll call GC C moderator. We do this internally too, just because sometimes we’ll say gcc, but we met hiim. But anyway, so you’re trying to go into gcc, GC, moderate, and uh, you know, it’s, you know, from from that it’s still a separate tenant. Mm-hmm. Right? So we tell these tendencies. So if you’re in a commercial, you’re in a tenant, it’s just commercial tenant. Now you have to decide which of the other two to go into the, now either one of your approaches, you know, the licensing process is different between GCC Modern and what’s the, the, the, the big difference, you know, when you, when you’re gonna do it in gcc, say high, you tend to have to, uh, some providers do it different, but you know, you have to pay the whole thing up front.

(14:35):

It is more expensive. It’s not, you know, click on a button, where’s a portal? Gimme this. There’s a lot of kind of headaches, whoever you license, or we do that and it’s a headache to go do those things. But that’s hard program anyway. So the licensing process is different. Second part is that there are some technical differences between what’s in GCC moderate and GCC high. So, you know, I would say at the, about two years ago there was a big gap. Now it’s much, much smaller. Mm-hmm. So that’s not as bad. And then the third part is around migrating it. Uh, well, when you’re migrating your data, uh, you know, we have a lot of customers who may have already attested that they’re median eye tire, but they wording or attested to something else. And so, you know, you’re not, you’re not tapping into an high tire environment or something and put it to some in someplace else.

(15:20):

A lot of times it’s commercial, the GCC high. So really gotta look at the tools that you use. So if you’re gonna go yourself or through a vendor, you might say, Hey, this looks like a nice migration tool. I think I’ll run. It looks cheap and it’s great. Uh, I don’t know, is that data running through a, uh, uh, a data center? Not in the us. You know, no wonder it’s so cheap, you know, it’s wonderful how cheap people working on it. Cheap things. Okay. But, you know, let’s, let’s keep in mind that, you know, you’re, they’re also gonna, like, how did you get here? Oh, it’s fine. I had, you know, I just routed it through China and Russia. It was, but it’s super cheap. But it, but now it’s in GCC High, so I’m sure it’s fine. I’m sure it’s fine. <laugh>. So, you know, looking at the vendors and their background checks, the applications, people tend to neglect it a little bit. It’s like, oh, it’s just a webpage. You know, you have to ask them questions. And, and, but in terms of the process, because this other thing is that many of the tools that are out there, you know, may work with GCC High because they’re completely different endpoints, right? So, you know, that’s the,

John Verry (16:22):

The endpoints you mean APIs.

Conrad Agramont (16:24):

That’s right. The APIs are completely different many times and in US, or it’s not just ends and.us. They, they change the whole URL to it and it, and it works the same, but then has different tokens. So the other part is when you’re migrating, we often think emails and files sites, it’s true, can be complicated. But you have things like you’ve been using, you know, you bought in and power platform and you’re gonna take those out. Oh, wait, some of those things don’t migrate. You have forms, forms don’t migrate. So there’s other things that you may have to recreate. And that’s part of the process. And, and sometimes it’s not the blame of the GC hi side. Sometimes it’s just the app was never intended to be moved, you know, to some

John Verry (17:04):

Degree. Right? So, so, so there’s massive data migration, it sounds like. That’s gotta be done properly. So you’ve gotta create the new, the new tenant, you’ve gotta kind of build out a similar structure. Then there’s a massive data migration that needs to take place. And then the, as the apps might be a bit different, uh, or, or all of the, all of the settings that you’d applied over here have to be reset over here. But there’s no way to just click a button and do that. You literally have to kind of make,

Conrad Agramont (17:31):

Well, you know, that’s sort of interesting things. Like, well, I have these policies and I want to put ’em over there. Uh, you know, it’s, uh, you know, you may have had a, a closet in your old house, you gonna go to go to a new closet, closet’s done different, it might be smaller or whatever it else. A lot of times you’re can throw away a bunch of junk. It just kind of grew that, but that’s not really why I want,

John Verry (17:50):

You’re doing a cleanup. Yeah. It makes, it would make sense. You’d be doing cleanup at the same time, right?

Conrad Agramont (17:54):

Yeah. I would say the two hardest things in any migration, no matter what is in, in terms of challenging, like moving things, now, you know, that’s, that’s, that’s very straightforward. It’s APIs, the applications you have and your people, your people is the hardest one, right? Because they’re gonna go through a big move and you’re gonna get a lot of people. And normally the execs that, that are gonna say, ah, I don’t want this MFA <laugh>, what, what is all these security hoops? That’s not how it used to be. That’s the hardest.

John Verry (18:22):

Okay. So I can even say that’s funny because, uh, you know, you, I think you’re probably aware of this, we’re a customer of yours, <laugh>. Um, and we’re working here currently, and you guys helped us through an e e three to E five migration. And, um, we’re going through exactly that. Like we, you know, the old authentication, the old MFA was being upgraded to Condi. So like, as we’re doing the migration, we’re actually changing a lot of stuff. You know, we have some legacy authentication in there. We had some legacy servers. So you’re looking at this stuff and going like, we can migrate it, but are you sure you want to, or should we improve it? Should instead of just migrating it, should we improve it at the same time? So those are kind of like similar conversations that you’re having when you’re migrating someone from commercial to government.

Conrad Agramont (19:02):

Yeah, I mean, the, the funny story, I mean, man, the whole podcast could be about this and when the future is, you know, it’s on the CEO here, but I have a partner in the business, majority owner John Gillum, uh, when he brought me on, and he laughs about the story now. It’s funny. He laughs about it now. He wasn’t laughing so much, uh, again, but there was a point, you know, several years ago where I said, why is not everybody on MFA or doing these things? And it was like, well, you know, John, I was like, well, turning it on. He called me like 15 minutes later. I says, what’s this? I said, well, we have to do this. I said, I I don’t like it. I said, tough. You know, if I’m gonna work here and I’m, and, and I’m responsible for doing this, that’s what’s happening. Because as soon as something goes wrong, you are gonna come at me and say, why don’t you force me to do it? So that’s, that’s what I did. And so, because, you know, yeah,

John Verry (19:48):

Yeah, I agree. I couldn’t do you more like if you don’t, especially as a service provider, if you don’t have MMA turned on for everything. Uh, yeah, yeah. I mean, you’re not eating your own dog food, right?

Conrad Agramont (19:59):

Yeah. We went to Passwordless, you know, uh, not too long ago. And so we’re doing those things and it’s like, guys, it’s a little, little, you know, less convenient. But you know, if you want to, you know, if you go into the bank and you want to go get, get to its money and the doors aren’t just wide open, right? There’s, there’s, there’s there’s intentional pain as you go through to, to protect. Yep. That’s be

John Verry (20:19):

So, so the, a migration of that nature, you know, let’s, let’s just use a baseline of a hundred person, you know, company. I mean, um, you know, does that take, uh, a day, a week, a month?

Conrad Agramont (20:30):

Oh, you, if it, it’s, it’s so hard answer, but I’ll give you an answer. Even though it’s, it’s difficult. Well, you

John Verry (20:37):

Guys, we all know there’s always it ends. Is it, is it the answer to start to every answer?

Conrad Agramont (20:42):

Well, you know, I’ll tell you, and I, I do, I’ll say this to customers. I’ll say here on this bond cast, you know, most of the times there’s not much projects that couldn’t take a day to, to five to five days to go do it. Why doesn’t that happen? People, right? Because you gotta communicate them. You gotta check them. You gotta make, I could just hammer that the whole thing if I didn’t, if you said, Hey, con, just move this whole thing. And I don’t care what happens to our people. I don’t care if they, if it takes them, you know, several hours to see what’s going on. Like, the technology’s not the biggest problem. Uh, it’s the people. But the second part is a little bit of the technology. So when you do migrations, it’s, it’s normally around the, the quantity of data. We’ve seen customers that are 15 in size but have 20 terabytes of data.

(21:22):

They’re in the data business, right? So it’s like, Hey, we’re only 15 people. Why is it so expensive? It’s like, cause you have a lot of stuff and it’s gonna take a lot of time and us checking and validating. So that same thing, you have, you know, we’ve had customers that are hundreds of people. It’s like, that’s all the data you have. Well, they, well, they’re only doing it in Google and these other things. And you know, they, they, they have a small company, but they have a lot of money because they, they have a co government contract that builds like, you know, uh, a special utility to take something special off of a special piece of equipment. And so they don’t have a lot of, they have a lot of people, but not a lot of data. Those can go faster, right? So that’s, that’s the, normally the thing is how many people you have, how complex do you have? Where is everything? And the willingness to make decisions. And, uh, that’s number what slows things down.

John Verry (22:07):

All right. Um, thank you. Um, so I know, I know it’s gotten better, but I still think we’re not at a point where there’s full feature parody between 365 commercial and gcc. Um, well, any really significant, uh, deltas that people should be aware of is there, is there thinking through a migration?

Conrad Agramont (22:27):

Well, in terms of the, the feature set, once you get there, uh, the, the, the big ones that, that are there, one is Ron voice. You know, they still don’t provide voice for teams as they do on the other one. You’d have to use another partner. You know, we, we use another partner to do that. And then, um, so voice is, is a key one, one that’s, that’s starting to pick up awareness in the community right now is, is a number of the AI features that are specific to like Syntex, uh, power platform. Uh, and, and sometimes you think, why don’t they just turn that feature on? Well, you gotta think something like AI requires, you know, a whole infrastructure of things that’s probably well bound together and tightly integrated and try to get another one of those things somewhere else and allow data separation.

(23:10):

That’s the problem of voice, right? You know, so AI’s there, but I, but, but they’re gonna solve that, that that problem. Mm-hmm. <affirmative>. Uh, so that, that’s another key one I talked about the support area that that’s there. Uh, one thing that that happens, that one thing that’s completely different out of the box is that normally your MI, Microsoft 365 commercial, uh, you wanna invite people in, you invite us guests in, be a part of your team, uh, other organizations, super simple. Uh, so, you know, that’s not really there out of the box, which you would kind of think makes sense when you’re starting off in a GCC high kind of environment, a little more secure in lockdown. Uh, but even when you, and you want it open up there, takes more steps to allow it, that you have to create a relationship with the other side.

(23:51):

Cross 10 collaboration is what they call it. And then if you want to do free busy, there’s some special things you have to do there cuz there’s different endpoints. You can’t just do it in the ui, I gotta do PowerShell. So there’s some areas that are there, but you just have to be more knowledgeable. And again, it, it’s, it’s something you run into. You’re like, whoa, I came from commercial. I go to GCC High, why is it not working? You know, it’s like there’s gonna be a number of places where you gotta open up the sharing a little bit more, create, you know, create other things. But it, it, I think it’s good cause it makes you, uh, be more intentional. So it more lines to kind of zero trust type of a thing, right? Which is, I should, I should open up things gradually as I need them, not just have it all open and then I have the burden of trying to pull it all back in. So that, that’s the different

John Verry (24:33):

Kind of approach. Right. So I guess one, I guess one of the added advantages doing that migration is that you end up probably in a more secure state and like, I like your line a more intentional state, you know, because I, you know, I think, uh, you know, sometimes we end up in places that we didn’t intend to, you know, just based on kind of the natural evolution of change. Um, sure. So, um, GCC is more expensive by a fair amount right? Than, than, uh, than commercial. You know, like I, I typically hear things like, you know, 50 something dollars versus 90 do, uh, ish dollars. Is that rough order magnitude, 1.5, 1.7, something like that typically? Or is that all kind of all over the map?

Conrad Agramont (25:15):

It it is a little all over the map. It is more expensive. Uh, and it also is, um, you know, like I said, the, on the Microsoft side, you know, you buy the licenses, you like, we’re one of those partners that can do it then. And we have to pay for the whole year. You know, there is no month to month, like, oh, you just turn it

John Verry (25:32):

Off GCC high? Or is that, that’s not moderate GC high,

Conrad Agramont (25:34):

Right? GCC moderate’s a little bit more moderately priced than that one can still be monthly or the, the new kind of, uh, okay, I forgot what they’re call the, the spending plans. But, um, but on the GCC high side it is way more expensive. But, and you’re like, why is it so expensive? Well, you gotta remember they have to pass an audit with you, right? With you, you know, you’re, cuz their auditor’s gonna want so, well let’s see what they have and, and, and they’ll do it. So they have to pass an audit, they have to keep separation, you know, all those things around them providing support that are US based, you know, that’s not cheap. When you’re planning all US people 24 by seven support services that have government background checks, you’re paying for that too. You know, you’re not just paying for the, you know, globally scalable platform That’s commercial. That’s why I’m like, yeah, we, these requirements are so much different. That’s the price you pay. And if I were to compare that to our, I would’ve to do it my own closet, it’s phenomenally cheaper.

John Verry (26:27):

Yeah. And then, and then they have to understand that, you know, the commercial infrastructure is being shared between, you know, probably tens of millions of accounts, the hundreds, millions of accounts, I don’t know what

Conrad Agramont (26:36):

Worldwide.

John Verry (26:38):

Yeah. And right. You know, versus, you know, GCC high is probably hundreds, thousands, right. So it’s just economies of scale is a big part of it as well.

Conrad Agramont (26:46):

Mm-hmm. <affirmative>. Yeah. Absolut. Absolutely. Um,

John Verry (26:49):

Uh, alright, so, um, now when, when it first came out, um, when it first came out, there was, as I recall, and correct me if I’m wrong on any of this, they said Microsoft was recommending against a, and I’m gonna call it a hybrid tenant, where you have some people in your organization on commercial and some people on, uh, and some people in gcc. And then, then at some point they said, you can do that. But, you know, but there’s going to be some limitations. So where are we at with that? You know, what are the pros and cons of a, of a hybrid approach? And, and I guess real quick, the reason why I think some of our clients talk about a hybrid approach is they might be a 300 person organization, but only, let’s say 10 people in one group are processing cui. And the idea of, you know, paying 30, 35, $40 per month per user to be in GCC for everyone just seems like a little extreme.

Conrad Agramont (27:42):

Yeah. It’s, it’s a, it’s a difficult, uh, uh, situation all around because, you know, there’s the, you’re right, we, we have customers. Like I have a thousand tens of thousand people organization, we’re in commercial. To move everybody over there would be absurd. Uh, so could we just put 15 people over there? Mm-hmm. <affirmative> 20, 30 people, 50 people over there. And then, you know, and again, but then there’s this mentality of, that’s the general one, which takes, takes some time to work through. Which is because I, I have a small group of people over there. It should be kind of cheap right? To, to get going. Well, it might be cheaper for you cuz you only have a few people in there. But it’s still expensive because it’s not just a license. You have to set configure operationalized comp, you know, meet compliance for 15 people or 500 people.

(28:30):

It doesn’t matter. Many of the things that we do will deploy policies for customers and, and configure things that you need because you have to have them. And reflecting back what my what the, the, the government has said is, we understand that it’s a burden. And no, you get no, you get no relief in terms of passing an audit and meeting the same controls. If you’re a small business then if you are a mega enterprise, because at the end of the day it makes sense. You’re trying to prevent security attacks on something that’s pretty important. So there’s no way of skimping on it like you would something else.

John Verry (29:05):

Quick, quick, quick question for you. So I think, and, and you, you took this in a direction beyond what I was thinking about. I was really just talking about run rate stuff. You know, you are actually talking about the migration up front, right? So, and I think what you were think about the, well, so let’s talk about this in different stretches, right? Cause you got the migration and I can understand that the migration, the data, data moving part would be less for, for, let’s use the example of 50 out of a thousand people. The, the, the, the data migration part will be much lower, but the configuration of the environment’s gonna cost the same. Cause it really doesn’t matter if you’ve got 50 people in environment or a thousand people in environment. I still gotta go through and, and set up SharePoint. I gotta set up exchange and I gotta set up conditional ation in tune all of mdm all of the stuff that you’re doing.

(29:46):

So there’s really no cost savings for the configuration side of the migration. That’s right. Just the data side. Okay, cool. So, so understood that. Now let’s talk about the, the, the pros and cons of the hybrid approach during operational, right? Because the good news I guess is I’ve saved money on those additional licenses, but I, I hear some funny stories about people not being able to join teams meetings unless they come from one direction to the other. Can you talk about a little bit about those issues? Because I think I’ve heard horror stories where people made the migration, they didn’t ask those questions. The, the, the ag provider, uh, you know, did not inform them and now they’re sitting there unhappy with what they’ve implemented.

Conrad Agramont (30:26):

Mm-hmm. <affirmative>. Yeah. And, and, and uh, and when I talk about this like, I, like the migration is meaningless. I, because you could migrate data. Most customers that have that split, they’re like, I don’t need to migrate anything cuz it’s just, we’re starting something over here. Like, fine. But you’re right that those are the same rules. And this is what it comes down to is, you know, uh, I might have 20 people in this, in this GCC high space mm-hmm. <affirmative>. Um, but you know, in my commercial world, uh, I have a lot of tools and utilities. Like I have this third party IT support team. Uh, how, how could we do both? It’s like, oh, those IT support people are the on the us No. Then, you know, they can, but very, but they can’t support any of the users that have any kind of aspect or touch the CY data.

(31:10):

You can’t give them that control. You don’t want to put somebody who’s in, you know, just say in, in another country with the ability to go into, you know, go into the commercial environment with the ro with the rights on their own to give themselves permission to go do it. You can say, well, oh, but they’re not gonna do it. They’re nice people. Like first off, uh, you know, if you’re in security that you, that’s just a fallacy. Like you, you can’t do it. And because it may not be them, it might be something that’s, you know, acting like them. Uh, but the other thing is, um, the doors open, but I can’t pass a not like that. So some of the systems you have that you want for efficiency, you’re not gonna have, and you’re forced to be to, to look at it differently.

(31:49):

What people can ask can do it. And then you go into other things like, hey, we’re as a company, we’re gonna change what we’re doing for device management. I have to do it in two places, you know, and the device management, I do it in commercial, may not work in government. Now I have to be able to keep track of both cuz they’re still both my companies. So one has strong requirements who gets access. And, and the other thing, last one that make is organizationally, you know, if you have a smaller group of people that are in the government space, you need to give whoever’s controlling that, that, that, uh, that environment, hi, you know, equal or higher access to the person that’s doing the commercial space. And the reason I see this, because commercial people that don’t understand government can make terrible decisions. So they need to have a a you know, it’s like you might have a CIO here and, and you might have the person who’s running your, your your, uh, your government stuff side here. As a ceo, I would, I would say like, I know the report’s up to you, but we’re gonna come equal sets at the table when we do things because when I mess things up on the defense side and the government comes knocking on doors, that’s gonna be a whole lot more than somebody else that just didn’t like something here. The impact is just greater.

John Verry (33:00):

Yeah. I never, I never really thought about the impact of trying to manage two tenants, right? Mm-hmm. <affirmative>. So there’s a, you know, like there’s a significant operational overhead that could come into play there. Uh, and like you said, the, the risk associated with that, with the gov cloud side is, and are there, uh, is is more notable. Are there any, um, there are some, like any other gotchas like, you know, like I I mentioned earlier, I don’t know if they’ve resolved them, but I heard a lot, a lot of complaints about teams, you know, between, you know, the commercial, you know, an org that’s got commercial, uh, commercial users and, um, GCC users. Um, anything else there that people should be aware of?

Conrad Agramont (33:37):

Yeah, so that you can do with cross tenant collaborations, a setting that’s inside of, uh, uh, Azure active directory, something you have to create a relationship with both sides. Uh, and that will open the door for teams communications. Um, okay. You know, back and forth. Uh, you know, there, and you know, the whole thing with the, with, sometimes people run into

John Verry (33:57):

How, but if you do, let me just ask a question. If you do throw that switch, right? If I have a team that has CUI access and I throw that switch, does that imply that now I’ve just broken down that wall and all the commercial people have access into that team? Or they, they control it through team membership individually? So it’s,

Conrad Agramont (34:20):

It’s both, right? Because you can say, I wanna, okay, I wanna open things up. Like, one of the places you may open it up is say, well, I want my GCC high people to be able to access our internal, uh, HR and internal IT places for requests. So, you know, they’re using their credential, they flow in here. That’s why I want, Hey, do I really want to have a commercial person to have access to our GCC high tenant to get the CUI data? Like, no, like you, no. You know, like, and you can prevent all those, those aspects.

John Verry (34:47):

Okay. All right. Cool. Um, so I, I used that term a second ago, uh, and didn’t define it. Um, what is an AOS g uh, provider?

Conrad Agramont (34:58):

Uh, it is an agreement of online, was it AOS agreement of online service for government or something like that? Uh, essentially, uh, it was created because when GCC High was first coming on, it was the only way to buy it was through an enterprise agreement. You know, and to be an enterprise agreement, you have to have at least 500 users in a three year contract with a three year commit. You know, it’s like a, it’s a huge burden. And so all these other customers and partners especially that needed to be in GCC High, uh, they’re, you know, obviously there’s many that are 500 above, but all the other ones 500 below, they had nothing. So Microsoft created this program with a specific group of people where both, we also so agile it as an ag partner, we also had a pass clearance. We also had to, you know, go through a whole process with Microsoft, you know, cuz they wanted to make sure we weren’t just selling a license, we were providing service to our customers and are we doing the right thing?

(35:54):

What’s the programs this really focus for you? And they still continue to, to cultivate that. Uh, and in that program, what allows, uh, us to do is to sell licenses, you know, for 500 and below. So, you know, we, you know, there’s times we sell customers, believe it or not, you know, five 18 seats and that’s their thing. But there are like a, you know, a research division, you know, for something. And so yeah, they’ll cough up, you know, a large amount of money to get it all secured, already migrate nothing. They wanna have a good starting point. And that’s, and then that’s where they reside. So it really is just a licensing, uh, vehicle as a partner to, to go do it. And by the way, we don’t, we, uh, you know, to too much of the chagrin of some, maybe some people in sales and others, uh, we never just sell the license.

(36:42):

Uh, and, and the reason we do that is, you know, again, this goes back to my days of, you know, joining the Marine Corps many years ago, and I felt if I give people a license and without any direction, any guidance, at least setting up basic security things, we have a whole platform of stuff we can add in that we, we should, but at least with the basic things that we’re doing a disservice to them. And I feel like, uh, I wouldn’t feel right doing that, uh, for them. So, so, you know, there’s some deals we lose because of that, but just for licensing and, and not getting them in the right place, they just start then talk about my immigration stuff, talking all the kind of insider risk security stuff that Microsoft can do. Um, so that’s, that’s, that’s, that’s what we do.

John Verry (37:20):

Yeah, look, I mean, it’s one thing, you know, it’s almost like going to Home Depot and buying a bunch of, you know, a bunch of tools and saying, I can now build a deck. You know? I mean if, I mean, if you’re not experienced that, you know, you can actually hurt yourself. And I think, you know, obviously, especially if you’re in the CUI space, um, misconfiguring, something could have grievous impact on your organization. So making sure that you’re working with a provider that at least makes sure that you’ve got the basics set up right. Um, makes total sense to me. Um, yeah, we, we beat this up pretty good. Um, anything we missed? Anything else you wanted to add?

Conrad Agramont (37:55):

Um, from the OSG side and, and G

John Verry (37:58):

No, from, I meant, I meant, I meant just in general our conversation about what environment to be in gcc. Gcc.

Conrad Agramont (38:04):

Oh, okay. You know, I think technically it’s possible. And the, the nice thing to, to, to look at is, you know, like even free busy, that’s a thing. Like yes, you can do some of that, but there’s some special ways. So there’s a lot of these things that, that, that Microsoft is advancing and doing better. So, you know, it’s one thing we can see versus a lot of other vendors, whatever, where it’s kind of like gets there and they kind of let it go stale for a while and maybe get back to it. So they’re committed, uh, you know, including now that they have the DOD cloud and they have a secret cloud, so, you know, this is, this is all part of it, which is nice, but it does go to understand that if you’re gonna go in a split tendencies, you’re gonna go two tenants.

(38:39):

So remember that you are in a multiple tenant environment. It’s not multi-tenant, right? Multi tenants, one tenant with a bunch of people in there, which means you have two different houses. You gotta, you got a house here and you gotta, you got a condo by the beach, right? Just because I clean my house, you know, at my regular house doesn’t mean my condo’s clean. You know, both have tables, but different types of tables, right? You know, I, you know, from my house by the beach, I get special kind of beach chairs for that. I can’t just buy the same, you know, uh, wooden chairs for my house and my beach house because the salt’s gonna kill it and eat it up. Those are the same decisions I think customers have to think about when they’re understanding these two tenants. They’re not the same like tenants, you know, they’re different.

(39:20):

They have different rules, different ways of using it. Hey, we use this backup tool, we love it, we’ve been using it for years. Can we use it the same in GCC High? I’m like, well technically if it works fine, but where’s this backups going to? Oh, our provider do, do they meet Fedra High? No, but we think it’s okay. I’m like, you don’t have to convince me. I, you know, here at S L I, we just tell you like, make sure to think of these things. They’re going John, they’re gonna go John Barry and be like, you’re crazy. You can’t do that. And

John Verry (39:48):

You’re right, you, you’re right. If they’re not fedra high, well, technically, I guess you can argue fedra moderate. Well, it depends if it’s GCC moderate or equivalent is, is the way D R 70 12 is written currently, right? Yeah.

Conrad Agramont (40:00):

But it’s like, maybe it could work. Maybe, maybe it won’t, but I think every IT decision when you’re dealing with that side has to do and you can’t think of, but it’s so much cheaper. You know, if I just throw it in over here, I, I could save money. Well, how good, how much of that savings are you really gonna have if you failed the audit? And then now you don’t have enough time to remediate it and now your contract’s coming, like why the stress? But if you, so if you at least understand that, and again, look, just like you’re saying John, it’s like you could look at the contract and say it’s fine, but you, but now you’ve like written it down and now somebody’s like, yeah, that, that, that’s good. Versus like, I’m sure it’ll be fine. Like let’s just, you know, I just, Hey Buck Conrad, I just spent three year contract on, uh, on Splunk, you know, but can, can I have it, the, the the thing go with Splunk’s?

(40:44):

Like, no, like, I’m sorry. Like, it, it’s not gonna work, but what am I gonna do with it? Well, for me, that’s not my concern. My concern is giving the right guidance on your GCC high stuff. Uh, and we help equip people on commercial. Same thing, you know? So having these two sides is not efficient. Having these two sides is, you know, adds complexity, doesn’t matter. It’s five people or 500 people that you just have to be thorough about. And these are things that we’ve built a lot in our tools to be able to kind of work in two spaces, but kind of stay out of both spaces at the same time.

John Verry (41:17):

Yep. Yeah, the only other thing that I would add that, that is, um, Richard Wakeman at, uh, at Microsoft is an an insanely knowledgeable, he’s the guy, uh, in terms of like understanding these differences. If you follow his blog and you look at the tables that he’s constantly updating, to me that’s, you know, sort of the Bible of when, when I don’t know what to, what to recommend to somebody, or I’m, I’m, I’m looking at something subtle like, you know, CGI data or NERC sit data or something of that nature. I haven’t, I’ve never looked at before. You know, I’ll always go and find his most recent table and I usually get the answer there.

Conrad Agramont (41:50):

Yeah. Uh, you know, uh, for all those, like, they’re good guidelines and anytime somebody’s on the, on the verge in the middle, like, I don’t know, maybe I can get away with it. Like, look, you know, in the future if something happens, are you gonna lose money? Are you gonna wait? You know, are you gonna, are you gonna lose time cuz you’re trying to repair it? Or you know, are you gonna get fine and go to jail? Mm-hmm. <affirmative>. Yeah. You start thinking of those terms sometimes

John Verry (42:12):

With iar, with IAR data. Like, uh, I just had on an IAR specialist, a lawyer, and Yeah, with iar you literally are talking about going to jail.

Conrad Agramont (42:23):

Yeah. To me that’s easy. Like, oh wait, is there a discussion of whether we’re going to jail to which one? Like I’ll choose the one not to jail, whatever that cost is. Exactly. That’s the cost of

John Verry (42:31):

Exactly. You might love, yeah, you might love the company you work for, but, but you know, not enough to say, I’m gonna try to save the company a few bucks and risk spending time in a federal penitentiary. <laugh>.

Conrad Agramont (42:43):

Yeah. If there’s something like that, I mean, I’ll tell the customer like, I, Ty, we can get away. It’s like, look, you’re making a decision whether there’s somebody’s gonna go to jail on your side or not. I’m gonna put an official writing saying I recommend against it for these reasons, because, you know, or don’t take the risk of that business. You know, I’m a CEO for business. I either take the risk for the business, but I can mitigate it to do that because I’m saving like, hey, but I saved two, you know, $2,000. Like, hey, if you’re sitting in a jail cell, what do you be thinking? Like, man, I’m so glad I saved that $2,000. What did I buy with that? You know,

John Verry (43:15):

<laugh>. Yeah. And, and the lawyer bill’s gonna be a lot more than two k, I can tell you that. Yeah. That, that, that buys about about two and a half hours for the, you know, a good attorney that would, that would maybe, maybe save your butt from ending up in that jail cell so you didn’t save any money. All right. So, uh, give me a fictional character or real war person you think would make an amazing or horrible csso in why?

Conrad Agramont (43:37):

Oh, man. Uh, that’s a good question. I was, I was thinking about that and um, I don’t know. You know, I think if I were,

(43:56):

Okay, I’m gonna go, I’m gonna try and go deep on this one. Maybe data from Star Trek would be a, a great place for him to be a CSO because, you know, there’s times, especially when you’re doing in, you know, when you’re, I think sometimes when you’re a, a cio, you know, pardon is not just the, the, the, the the technology problem. But, you know, I think a really good one, it’s trying to inspire what technology can do throughout the business. Uh, when you, when you’re on the security side, uh, you really don’t give a shit about any of that. You know, you don’t care about how productive and beautiful things are. You gotta kind of be robotic. Is it safe? Can we mitigate our risk? You know, is it something that we’re gonna, you know, not meet a contract for how we’re gonna pass an audit?

(44:37):

And it is robotic in many ways. There’s a level of creativity of how to get those things, but not in the way, like we just talked about it. Like, Hey, I’m a good C so I saved us $30,000, but somebody might go to jail, and by the way, the person who signed that was you CEO over here. So like, you’re, you’re, you’re the one, you, you, you signed it, right? We’ve seen over the years where the CEO signs something that maybe they didn’t understand, but they’re the ones that go the jail. So really, who, who signs for it? So maybe that’s my answer is that I think for, to our security really do have to re robotic and how you assess every single thing. Hey, somebody can’t get in here. Well they’re, we just had this too. They were trying to get, we had a customer trying to get access to our tenant cuz we’re sharing them things, and Andre said, no, they’re marked risky on their tenant. Like, we let ’em in. I’m like, no, this is like somebody walking up to my, my house and the front door just got, you know, blood on the thing and chains, like, normally I don’t do this, but it’s been raining. Come on in. Like, no, you don’t get, you don’t get access. So, so,

John Verry (45:34):

So,

Conrad Agramont (45:34):

So that’s my answer. Hopefully I immediately,

John Verry (45:35):

When you started giving me your reason, I wondered why you didn’t choose Spock instead of data. But that will be, that’s the, that don’t answer the question. That’ll be for the next podcast.

Conrad Agramont (45:44):

All right. All right. That’s a good one.

John Verry (45:46):

All right. So, uh, so if, uh, if somebody wants to get in touch with, uh, agile it, are you, what’s the best way to do that?

Conrad Agramont (45:54):

Um, you know, go, always go on our website, fill a form, uh, you know, that’s, uh, uh, agile it.com. Uh, you know, I, I do some, you know, have some things on, on Twitter. I think my, oh man, I don’t remember what it, I think just Conrad Amont, uh, and uh, yep. Really if you just wanna send me an email, um, conrad dot a it.com and you know, say that you got here through the, through the podcast and you have some questions.

John Verry (46:17):

Sounds good, man. Well, listen, have, have an awesome weekend. Uh, thanks for jumping on.

Conrad Agramont (46:21):

Absolutely. You too, John. Yeah, thanks for having me. This was a lot of fun.

John Verry (46:24):

Yeah. Yeah, I agree.

Pivot Point is now part of CBIZ. Click Here for more information.

Ep #113 – Should we be in Microsoft 365 GCC, GCC High, or Commercial?

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

ISO 42001, ISO 27001 and ISO 27701: Is This the New “Big 3” for Provably Secure and Compliant AI?

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

How can we help you?

Services

Compliance

Insights

Pivot Point Security