How to get a small business CMMC compliant? (Asking for advice)

old.reddit.com / @/u/fandango1974, https://old.reddit.com/user/fandango1974

Hey All,

Need your input on a situation I have with a small business. I was hired to help the company initially become CMMC Level 2 compliant. They have not had many dealings with the DoD, but they may want to in the future. Upon doing my research, I realized the business is missing key devices and protocols. The first issue is making sure the office is secure. The second is monitoring and giving least privilege to the remote access users, and then monitoring and logging their access. I will try my best to explain the current architecture and what I want to propose.

Current infrastructure:

First off, they are a small business, approx. 80 users, most of whom are outside the US. These users use a third-party remote access application the company bought to log in.

Some have laptops sent by the organization. Others use their own laptops, and there is no on-prem or cloud-based AD solution for authentication.

In the office itself, we get internet access through our ISP. From our ISP we have a router connected (which is discontinued, but we can still use it) with a firewall built in.

From that router they have the wireless AP and two passive switches connected; the router also connects to a patch panel that feeds the ethernet ports in the office.

They also have a Synology DS920+ and a high-powered Desktop connected to one passive switch, and multiple high-powered desktops connected to the second switch.

They use Microsoft 365 Standard to carry out the day-to-day operations, so it is still configurable, but it is basic.

My proposal:

Get a firewall device for the office. It would be connected between the ISP device and the router to provide extra security.

Since they use Microsoft 365 my recommendation is to move up to Microsoft 365 Business Premium. With this they will have the following:

Microsoft Entra ID for authentication and user monitoring, Microsoft Intune, Exchange with more security, Microsoft Purview and Microsoft Defender.

I am also going to propose Microsoft Sentinel to pull all logs into one location, but they may think it is too expensive.

From a previous blog I was recommended PreVeil which I am considering.

What are your thoughts? I am going to go back to IT to talk more about what they currently have configured. One thing that confuses me is Entra ID. From what I have researched, it is not really Active Directory services but a connector, correct?

submitted by /u/fandango1974

published about 1 month ago
