How to Use Office 365 and Maintain Compliance
Office 365 is a welcome upgrade from the Business Productivity Online Standard Suite (BPOS) for Microsoft's customers. But while suitable for the needs of many businesses, cloud services can provide some challenges for organizations that need to go beyond regulatory codes.
Office 365 Architecture and Industry Standards
Office 365 is a multitenant public cloud service, which means services for all customers are run on the same physical infrastructure in the data center, but Microsoft uses specially designed technology to segregate data storage and processing. One exception is Office 365 for Government, which uses a separate infrastructure for U.S. government customers.
Services delivered via Office 365 are ISO 27001 certified — a common standard for information security management systems. Other standards supported are SAS 70 Type II, EU Safe Harbor, EU Model Clauses, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and the Federal Information Security Management Act (FISMA).
Compliance with E-mail Archiving
The E1 and E2 plans have a combined quota limit of 25GB for a user’s mailbox and personal archive. The E3 and E4 plans also have a 25GB limit on mailboxes but offer unlimited space for personal archives, although the default quota limit can be increased to 100GB by contacting support. Office 365 enterprise plans allow Exchange users to have an archive enabled for their primary mailbox, and personal archives are included in multiple-mailbox searches to facilitate discovery.
Although it’s possible for organizations to use locally stored personal folders (.PST files) for archiving purposes in Outlook, system administrators will be only too aware of the disadvantages with this strategy, including the challenges involved in making sure archives get backed up and in searching e-mail when it’s not stored on a server.
Mailboxes can be put on litigation hold in the E3 and E4 enterprise plans, including personal archives, if enabled. Bear in mind that users can delete items from their personal archive, and the default recovery period for deleted items is 14 days, after which any items moved to the trash are automatically purged. The maximum recovery period is 30 days, but users can contact support and have the recovery period for deleted items extended.
The Office 365 management portal lets administrators configure retention tags so that rules can be created for archiving. For instance, you can set up a rule that automatically applies tags to e-mails so that they’re moved to an archive after one year or deleted after five years.
Exchange Journaling
Journaling differs from personal archives, in that all mail passing through an Exchange organization can be matched against one or more journaling rules. If an e-mail matches a rule, it can be sent as an attachment to a designated mailbox, sometimes called “envelope journaling,” or a copy can be sent in its entirety.
Journal recipients, the people whose mail is included in a journal rule, can be a small group or everyone in an organization. The scope of a journal rule can be restricted, for example, to external mail only, helping to limit the size of the journal mailbox. It’s possible to have more than one journal mailbox and multiple journal rules.
Security and Storage Limits in Office 365
Microsoft’s data centers provide defense-in-depth physical and logical security, while the Forefront Protection Suite of enterprise-grade security products provides antispam and antivirus for Exchange and SharePoint in the cloud.
The 128-bit SSL/TLS encryption between SharePoint Online and a corporate intranet, or computers, is only provided in enterprise plans, which could lead to sensitive information being transmitted over the public Internet in cleartext. Data transmitted to and from Outlook Web Access is encrypted over the wire in all plans. There’s no archiving capability in SharePoint Online; however, Microsoft has recently increased the maximum storage limit from 5TB to 25TB.
If an extra layer of security beyond basic SharePoint permissions is needed, Office 365 supports Information Rights Management for restricting access to documents and what actions can be performed. This extends to e-mails and voicemail messages. Office 365 Exchange and Outlook also support Secure/Multipurpose Internet Mail Extensions (S/MIME) for public key encryption and digital signatures.
Office 365's Single Sign-On
Organizations can use single sign-on to synchronize accounts held in an on-premises Active Directory (AD) domain with Office 365 so that security policies have to be managed in only one place. A common user account and password for both AD and Office 365 improves security and reduces help-desk calls. If single sign-on is enabled, two-factor authentication is also supported for stronger security, which means a user must provide something physical, such as a smart card, in addition to a password.
Businesses wishing to deploy single sign-on must have Windows Server 2003 (or later) Active Directory running on premises. Active Directory Federation Services (ADFS) version 2 must also be deployed on premises and installed on Windows 2008 or later. If users need access to Office 365 using single sign-on from outside the corporate firewall, an ADFS proxy server must also be deployed.
Privacy in the Cloud
The administration console in Office 365 allows organizations to customize security and access for documents stored in the cloud so that specific regulatory requirements can be met. For businesses that can’t put their most valuable assets in the hands of a public cloud provider, a public/private cloud could be the answer, hosting the most sensitive data on premises and everything else online.
Consider whether data that’s subject to regulatory compliance should be placed in the cloud. Start by creating an internal data-classification policy to help identify exactly what information is subject to regulation; doing so will allow you to determine whether Office 365 can provide the necessary tools to protect that data.
