Security in the Government Community Cloud
Case Study
A Major Gaming Commission
Balancing security and productivity for a major Gaming Commission
The Gaming Commission oversees the casino and hospitality operations at the enterprise’s resort and casino. Over the past few years, the commission became very concerned about the security of their data. They needed a better way to ensure the privacy of their customer data and confidential data critical to their operations.
The client’s identity is protected for confidentiality.
The Gaming Commission wanted to heighten the security of their data while balancing accessibility, so they considered the benefits of moving their infrastructure to the Microsoft Azure Government Community Cloud (GCC). The GCC offers a version of Office 365 business applications and adds ‘next level’ security components built specifically for organizations like the Gaming Commission, which works closely with the U.S. government to meet strict compliance and cybersecurity requirements.
The commission looked to Arctic IT to migrate from the Microsoft Azure Commercial Cloud to the GCC. “We’ve got experience with this type of project,” said Rebecca Riddle, Senior Program Manager at Arctic IT, “so we are able to migrate them utilizing the knowledge base of the team and the right tools to ensure a smooth transition.”
The game-changer for the Gaming Commission: Security. Microsoft built the Government Cloud with unique security controls in place, enabling Arctic IT to create policies for their tenant that struck an equilibrium between security and accessibility. Policies implemented for this project included:
- Restricted Data Flow. To prevent leaks of sensitive information, we implemented Data Loss Prevention (DLP) to protect all the types of data they handle, including Personally Identifiable Information (PII). Policies were implemented to monitor sharing of PII, incident reports and other protected data on platforms like Teams chats and Outlook emails. Alerts are generated when protected data is detected in communication flows.
- Device Management Policy. The team had a need to conduct work while out of the office, so a policy was created to control and protect company data on personal devices (e.g., email and Word or Excel documents accessed on mobile devices).
- Extended Device Controls. Policies were added to extend DLP requirements by limiting functions such as copying protected data from company documents to personal devices and saving company data to unsanctioned third-party cloud storage services like Dropbox, iCloud, etc. Other limitations included printing company data from mobile devices and copying company data from work documents to personal spaces like Apple Notes/Google Keep, etc.
- Device Configuration Policy. Configuration profiles were deployed to enforce secure configurations and security controls for all company Windows devices. Compliance policies evaluate each device to see if it meets the required health posture. If a device is not compliant, whether because of an outdated version or missing required patches, it can be blocked from access until the deficiencies are addressed. Also, if the device storage is not encrypted, access to company resources from the device is restricted to avoid exposure of company data to unprotected storage.
- Continuous Device Security. A device’s antivirus may be temporarily turned off during a routine process like an update. Security policies were put in place to ensure that it gets turned back on after the task completes, maintaining the endpoint’s security posture.
- Grace Period. The devices are consistently monitored in a way that provides notification if there are security or health issues. When an issue is identified, an alert is sent to both the employee and the administrator. The grace period puts a hold on rejecting the device for an allotted amount of time, allowing the employee to stay productive until the issue can be resolved.
- Microsoft Defender for Endpoint. More than an antivirus, this provides IT threat and vulnerability management for the organization’s devices. This service continually checks for vulnerabilities to ensure everything is up to date, highlights what is missing, and prioritizes remediation efforts.
Upon completion of the project, the Gaming Commission struck the balance they desired. They have a more protected environment that allows their team to operate securely as a mobile workforce while also maintaining productivity.
“It was a pleasure working with each of you and I look forward to a long relationship with Arctic IT as we go forward in partnership with licensing and support,” said the IT Manager for the Gaming Commission.