OOsterman Research WHITE PAPER - Enhancing Data Protection in Microsoft Office 365
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Osterman Research
WHITE PAPER
White Paper by Osterman Research
Published June 2019
Sponsored by Commvault
Enhancing Data Protection
in Microsoft Office 365Enhancing Data Protection in Microsoft Office 365
Executive Summary
When decision makers consider moving their users to Office 365, a critical issue that
faces them is:
• Will the platform be a complete replacement for all on-premises Microsoft servers
and capabilities, or
• Will it merely be an addition to current on-premises capabilities?
Our research, as well as that of many others, indicates that most organizations are
largely opting for the former: Office 365 is replacing on-premises deployments of
Microsoft Exchange and other on-premises email platforms. While many other
platforms will continue to be used, particularly in larger organizations, Office 365 is
becoming the leading business email and collaboration tool in the workplace.
While Microsoft offers a solid platform of useful features and functions with Office
365, no platform can be all things to all users, and so decision makers must perform
due diligence and determine what Office 365 does well and in which areas
supplementary or replacement solutions from third parties will be required. Moreover,
there is also the issue of whether the native capabilities in Office 365 provide
adequate support for non-Microsoft content sources. Osterman Research holds the
view that Office 365 is a solid and robust platform, but that in most cases
Retention
organizations will want and need to deploy additional solutions to offer better Policies by
performance or functionality, or to provide necessary functionality for solutions not
offered by Microsoft. Plus, as discussed in this paper, the use of third-party solutions
themselves do
can be useful in helping to drive down the cost of an Office 365 deployment. not protect
What follows is a discussion of the limitations within the Office 365 platform that against a rogue
decision makers will want to consider as they decide how to deploy Office 365 in their administrator
environment.
unless
ABOUT THIS WHITE PAPER Retention Lock
This white paper was sponsored by Commvault. Information about the company is
provided at the end of this paper. is added.
However, this
feature cannot
Data Protection Within Office 365 be disabled
Osterman Research has identified some limitations in Office 365’s data protection
approach:
once it is
turned on.
• Use of the Recycle Bin is essential for accidental deletion protection, but content
from the Recycle Bin can be accidentally or maliciously cleared, and so it does
not offer a true data protection option in and of itself.
• The use of Retention Policies can result in an increase in storage use within
OneDrive and SharePoint, potentially resulting in having to pay for extra storage
beyond what is included in a given plan once the storage allocation has been
reached. Extra storage is priced at $0.20 per gigabyte per month, meaning that
an additional 50 gigabytes of storage per user in a 1,000-user company will cost
$10,000 monthly.
• Moreover, Retention Policies by themselves do not protect against a rogue
administrator unless Retention Lock is added. However, this feature cannot be
disabled once it is turned on, and so organizations that experience a major
increase in storage will not be able to rectify that problem by disabling Retention
Lock. This can also be an issue for organizations that are obligated to delete
data, such as from a “right-to-be-forgotten” demand under GDPR.
©2019 Osterman Research, Inc. 1Enhancing Data Protection in Microsoft Office 365
BACKING UP OFFICE 365
The best practice of having three copies of data – two on different platforms and one
in a remote location – is a well-established practice for data protection. However,
within Office 365 the native capabilities to protect data use the platform itself to
provide data protection, a violation of this best practice. The use of an external
service or platform to protect Office 365 data is more in line with sound data
protection – even Microsoft itself recommends doing this in its service agreement.
There are some capabilities within Office 365 for recovering corrupted data. For
example, Files Restore will return OneDrive to a specific point in time from the past
30 days. It reverts all basic file and folder operations that transpired during the
selected time period, but it does not support a selective restoration. For selective
restoration – such as to recover a file or folder that was deleted accidentally rather
than being subject to a ransomware attack – OneDrive offers access to the Recycle
Bin and/or Version History for each file to roll back to a previous version. The ability
to restore files, folders, and subfolders is a standard feature in third party backup
tools.
Similarly, SharePoint sites and subsites can be restored, but this can be accomplished
by Microsoft support, and there are some limitations with this process, including the
fact that there is no SLA for it. If a site collection must be restored, Microsoft can
restore only the entire site in place, but any data created after the latest backup will
be lost. The process of restoring subsites to alternate locations is possible, but
Microsoft says this process is more complicated and error-prone than a full site
collection restore.
Customers are
LONG-TERM ARCHIVAL OF DATA
Data from Office 365 will be retained for three years and then deleted afterwards, responsible for
and deleted emails will be moved into an archive folder and held there for three access and
years, after which they will be deleted. It is important to note that the total retention
period will be three years, not three years in mainline storage and an additional three control of their
years in an archive folder. There are some other issues to consider:
data that
• The import process can corrupt a mailbox resides in the
Importing data can accidentally corrupt a mailbox in some circumstances. For
example, if a .PST file has been imported into a mailbox, it is not possible to
Office 365
remove only the imported emails or to do a point-in-time restore to a point prior infrastructure.
to the .PST import. A user in an online forum posted this exact scenario,
including the difficulty in cleaning it up without the ability to do a point-in-time
restore.
• Users who are on legal hold
When a user is on legal hold, their deleted email is not automatically migrated to
an archive folder, but is instead put into the “dumpster”. If the dumpster
exceeds 100 gigabytes, it must be manually moved to an archive folder or a
separate retention policy must be established to manage it.
Other Issues to Consider
WHO PROTECTS WHAT?
Office 365 is a robust offering and Microsoft has gone to significant lengths to ensure
that the platform stays up and running. However, there are some important issues
for any current or prospective Office 365 customer to consider:
• Office 365 uses what it calls the “shared responsibility model”. This model
dictates that Microsoft is responsible for its global infrastructure and ensuring
that the Office 365 remains up and running; while customers are responsible for
access and control of their data that resides in the Office 365 infrastructure.
©2019 Osterman Research, Inc. 2Enhancing Data Protection in Microsoft Office 365
• While Office 365 is a fairly reliable system on a worldwide basis (it achieved
99.97 percent reliability during the first quarter of 2019i), it suffers from
somewhat frequent outages on a more localized, regional basis. For example, it
suffered from four such outages in April 2019 and five in May 2019ii. These
outages can result in data loss.
• Microsoft states that “point in time restoration of mailbox items is out of scope
for the Exchange Online service.iii” That means that if an organization suffers an
account takeover, ransomware attack, or data deletion from a malicious insider,
among other potential problems, there is no guarantee of being able to restore
lost data.
In short, this means that Office 365 customers are responsible for their own data,
just as if they were managing their own email and collaboration solution on-premises.
Consequently, organizations that deploy Office 365 will still need to maintain robust
data protection capabilities to protect against data loss.
THE NEED FOR AN EMAIL JOURNAL
Journaling is a useful tool in helping organizations to satisfy their regulatory, legal and
best practice compliance requirements, since it records all inbound and outbound
email communications that occur within an environment. Journaling is useful in the
context of satisfying compliance requirements that exist in the financial services,
healthcare and various other industries.
Office 365 email (Exchange Online) does not have a conventional email journal, but
Microsoft has changed its Office 365 model to achieve the same “compliance
outcome” of a journal service. By putting all relevant mailboxes on In-Place Hold, all
emails sent and received will be retained indefinitely and cannot be deleted by users.
Inactive mailboxes within the environment (e.g., those belonging to ex-employees)
may also be placed on Indefinite Hold. Office 365
For organizations that have an existing journal that must be migrated to Office 365, customers are
one of the following will be necessary:
responsible for
• The existing journal must be moved to a third-party journal service and content their own data.
will continue to be written to the journal from Office 365, or
• All of the existing journal content must be migrated to Office 365.
The first option will require that two locations be maintained and searched in order to
satisfy an organization’s information governance and eDiscovery requirements, and it
may result in a less expensive and more practical solution, particularly if an
organization must retain large volumes of information.
The second option is possible through the use of specialist migration software, but
Microsoft’s guidance on where to migrate journal content is not clear. Plus, there exist
some limitations on how mailboxes in Office 365 can be used to retain email
belonging to multiple users.
THIRD-PARTY ENCRYPTION SOLUTIONS OFFER BETTER
PERFORMANCE
The first version of Office 365 Message Encryption had some weaknesses, such as
lack of robust reporting and a less-than-optimal user interface for recipients of
encrypted messages. The newer version, Office 365 Message Encryption Version 2
(OMEv2) offered some significant improvements, but still has some limitations
compared to some third-party solutions. For example:
• Some customers of Office 365 have noted the inability to send encrypted
messages to other Office 365 tenants under various conditions, specific and
frequently changing version requirements for Outlook (along with some
©2019 Osterman Research, Inc. 3Enhancing Data Protection in Microsoft Office 365
noteworthy bugs), and the non-disclosure by Microsoft of tenant-level settings in
Office 365 that prevent encryption from working in some cases.
• Some customers found the Do Not Forward encryption setting that Microsoft
released with OMEv2 undesirable because it imposed both encryption and rights
management settings on the message and any attachments that were
considered by some to be too restrictive. While a new release removed right
management after delivery of encrypted messages, some consider OMEv2 not to
be a reliable option in both Outlook for Windows and the Mac. Microsoft has had
to introduce new tenant-level settings to address post-delivery problems where
recipients were not able to read encrypted attachments. The new setting
removes the encryption applied to attachments for certain recipients under
certain conditions.
• Encrypted messages that are sent to recipients using Google Gmail and Yahoo!
Mail can employ their respective identities to decrypt the message in the viewing
portal. While this is a transparent and convenient process for recipients, it also
means that if the sender sends the encrypted email to the wrong recipient, that
individual will be able to access the encrypted message using only their Google
or Yahoo! credentials. The sender cannot require additional identity verification
to assure that the message has been received by the correct recipient, such as
multi-factor authentication. Similarly, if a user's Google or Yahoo! account is
compromised, a bad actor will be able to use the transparent decryption process
to access encrypted messages. Moreover, if a recipient's Google or Yahoo!
account is compromised, the bad actor can send encrypted replies to the original
sender and other recipients, opening an avenue for phishing attempts that seem
more credible and may be more difficult to detect.
• The requirement for links within encrypted messages to recipients who are not Users cannot
using Outlook will result in some encrypted messages looking like phishing
messages, particularly because they request a username and password to login. automatically
Some email services, such as Gmail, can classify OMEv2 messages as phishing
because of this request and will warn recipients not to click the link. In short, the
encrypt all
reliance on links in OMEv2 messages can make them look like phishing messages sent
messages.
through
• Users cannot automatically encrypt all messages sent through Outlook. Outlook.
• Because OMEv2 does not encrypt the subject line of the message, senders of
encrypted messages must be careful not to include sensitive or confidential
information in the subject line.
• OMEv2 does not offer insights or reporting capabilities for the sender of the
message after it has been delivered. While the Office 365 Security & Compliance
Center offers reporting on encrypted messages for Office 365 administrators, this
information is not available to end users, and does not report on any post-
delivery actions by recipients. Moreover, the sender cannot change the
encryption status or rights after the message has been sent, a message cannot
be revoked once it has been sent from Outlook or Outlook on the web (although
administrators can do so for senders using PowerShell, but only for all
recipients), and senders have no way of knowing in-band that his or her
message was not delivered as expected if it ends up being classified as spam.
• Office 365 supports encryption primarily for Microsoft file types. For example,
while PDF files can be encrypted in transit, they will not be encrypted once the
message is received.
©2019 Osterman Research, Inc. 4Enhancing Data Protection in Microsoft Office 365
ARCHIVING ISSUES TO CONSIDER
Archiving, a best practice distinct from backup, is essential to ensure that all relevant
business records are retained for the appropriate length of time as required by
regulations, legal obligation or corporate best proactive.
Microsoft has included archiving capabilities within Office 365, but not for all file
types. For example, while archiving is not provided for the content generated by
third-party applications, it also is not provided even for some Microsoft file types,
such as Skype for Businessiv or SharePoint. For example:
• It is not possible to archive SharePoint content that is no longer current to
alternative and less expensive storage systems as is possible with many third-
party archiving solutions. Although Office 365 customers can add unlimited
SharePoint storage capacity, it is not inexpensive. Organizations that maintain
large volumes of SharePoint data will end up paying more if they need to keep
their live SharePoint content minimized without incurring additional long-term
storage fees, or that want to archive content away from SharePoint Online.
• No native archiving service for Skype for Business Online is availablev. Instead,
archiving for Skype for Business Online relies on Exchange Online for archiving
content if specific conditions are met. While Skype instant messaging transcripts
are retained in the Conversation History folder in each user's Exchange Online
mailbox, unless the mailbox is on legal or litigation hold, a user is able to delete
their instant messaging transcripts at will. That can result in spoliation of
evidence or an inability to fully regulatory obligations. A legal hold is required to
force the retention of Skype messages, meaning that all Exchange Online
mailboxes must be on hold at all times for this to work.
Microsoft has
• Office 365 offers SMS/text messaging archiving capabilities for BlackBerry
devices, but not for iOS or Android devicesvi. included
archiving
• The content from some third-party collaboration, messaging, social media and
other content sources can be archived into Exchange Online in Office 365, but capabilities
only as converted email messages if agreements are in place with a third-party within Office
data partner. Messages are stored in the Exchange Online mailbox belonging to
the specific user, and for content that cannot be tracked to a named individual, a 365, but not for
catch-all mailbox is used. The conversion of third-party content in this way
removes key elements of context, and makes it difficult to re-create a historically
all file types.
valid chain of events in some cases.
THE IMPORTANCE OF eDISCOVERY
The process of electronic discovery (eDiscovery) is key for any email and
collaboration because of the need to produce information in support of litigation
efforts, and because a large part of the typical organization’s data is stored in their
email and collaboration databases. Office 365 offers some important eDiscovery
capabilities, but there are some limitations to consider. For example:
• There is no Service Level Agreement (SLA) for a Content Search or eDiscovery
search, but Microsoft claims that 100 mailboxes can be searched in 30 seconds
and 10,000 mailboxes in four minutes. Based on user feedback, Osterman
Research has found that this goal is not met consistently.
• Individual retention, preservation and disposition policies cannot be created for a
user’s mailbox and their Online Archive. Some third-party solutions allow
different policies to be created for each.
• Office 365 offers an advanced eDiscovery capability for Office 365 applications,
but it is not “in-place” and they are not integrated directly into the data sources.
Consequently, the effort is a two-step process, requiring a search and export for
©2019 Osterman Research, Inc. 5Enhancing Data Protection in Microsoft Office 365
data using the Security & Compliance Center capabilities, and then selecting the
advanced eDiscovery center as a destination before running the advanced tools
• The European Union’s General Data Protection Regulation (GDPR) ushered in a
shift to privacy regulations beyond traditional data security mandates. The
GDPR and other regulations include the expectation of being able to handle
robust search capabilities for subject access requests, as well as good discovery
and deletion capabilities to support the “right to be forgotten”. Office 365
includes basic functionality to support these requirements, but the burden is still
on IT to carry them out through IT-centric processes and admin interfaces. With
GDPR and the new California Consumer Privacy Act (CCPA), these requests will
continue to increase. As a result, organizations need to be prepared to have IT
disrupted by a potentially significant number of requests that should really be
delegated to line-of-business owners. Third-party solutions are available to
address this compliance requirement and prevent it from becoming an IT
bottleneck.
Office 365 includes a range of eDiscovery capabilities for searching for responsive
material, plus a more advanced eDiscovery service called Advanced eDiscovery that
adds text analytics, machine learning, and relevance and predictive coding for early
case assessment. Advanced eDiscovery is available in the premium Enterprise E5
plan, and as an additional cost add-on to the much less expensive Enterprise E3 plan.
However:
• Office 365 includes minimal workflow or project tracking for an eDiscovery case,
such as the status of the case (apart from Active and Closed), the individuals
who are involved, and the current state of tasks assigned to the case. Office 365
• eDiscovery case administrators have no ability to send legal hold notification
includes
alerts, reminders or escalations within the Office 365 Security & Compliance minimal
Center and so must be handled out-of-band.
workflow or
• Cases consist of holds and searches and no two searches within any eDiscovery project
case across the organization can have exactly the same name. Office 365 will
permit a given name to be used only once in eDiscovery cases across the entire tracking for an
tenant. eDiscovery
• eDiscovery cases within Office 365 are created and managed in an ad-hoc way case.
and a compliance officer is responsible for entering ad-hoc search terms. It is not
possible to create a case template for repeatability and auditing, with standard
search queries and locations, key actions and requirements to complete, and an
audit trail of what has and has not been completed. This can be an issue for
organizations that are not doing eDiscovery on a regular basis, since the ad-hoc
approach means that previous knowledge and techniques are likely to be
forgotten and overlooked in a current eDiscovery case, possibly exposing an
organization to sanction for insufficient production of evidence.
• Configuration of a more limited search scope for eDiscovery managers searching
OneDrive, SharePoint Online repositories, and Exchange mailboxes is not
possible. For example, any eDiscovery manager can search any OneDrive folder,
SharePoint Online site, or Exchange mailbox anywhere in the world and no
controls currently exist to restrict access by country or region.
• Signature blocks cannot be excluded from the search scope on email messages,
so if a keyword appears in an email signature it can generate a high rate of false
positives.
• The eDiscovery capabilities in the Office 365 Security & Compliance Center allow
content to be searched in user and group mailboxes in Exchange Online, sites in
SharePoint and OneDrive, and Exchange public folders. Workloads that store
content in these containers can be searched, but other workloads that do not are
©2019 Osterman Research, Inc. 6Enhancing Data Protection in Microsoft Office 365
excluded (such as Yammer, Microsoft Stream, and Microsoft Planner). Further, an
eDiscovery case created in the Security & Compliance Center cannot search for
responsive content in content repositories outside of Office 365, such as those
maintained on-premises or in other cloud services. This limited approach means
that any organization with content outside of Office 365 – including SharePoint
2013 and 2016 on-premises – will need multiple eDiscovery tools, in addition to
having to start, conduct, and coordinate multiple eDiscovery cases in each
separate tool.
• When generating search results for Exchange Online, SharePoint Online and
OneDrive, these must be exported from Office 365 to facilitate the review
process; the Exchange content as one or more .PST files, and the SharePoint and
OneDrive content as individual files (with an option for all versions). This creates
several challenges: 1) a duplicate content set apart from Office 365 needs to be
protected, 2) there is no reporting on actions taken on the exported content in
the eDiscovery case because Office 365 is blind to post-export actions, 3) if the
search is run again then another export is required along with integration of
multiple sets of data, and 4) there is no connection between what was collected
and the coding decisions made to that content in order to inform future cases
and reduce the volume of potentially responsive content in Office 365.
• The exports from Office 365 content stores are not protected and so are at risk
of alteration and spoliation. The output is a raw native export and not in a
preservation format, such as forensic image format, which many third-party
eDiscovery collection tools offer.
OFFICE 365 DOES NOT INDEX ALL KEY FILE TYPES There are some
Microsoft indexes 58 file types, most of which are focused on types generated by
Microsoft applications. When undertaking an eDiscovery search and performing an limitations in
early case assessment, any file that is not included in these 58 will be flagged as Office 365 in
unprocessed. When applying DLP rules, file types not included will not trigger the
capture rules. The implication is the need for a manual review of these non- the context of
supported file types by a compliance officer or legal counsel, adding to the cost of
processing the data. Moreover, keyword searches might also miss relevant content
looking for
due to the use of a “best-effort” index. If an organization makes regular use of non- sensitive data
supported file types, it should look at third-party tools that will index additional file
types.
in email
messages.
SENSITIVE DATA
There are some limitations in Office 365 in the context of looking for sensitive data in
email messages:
• When analyzing content for sensitive data there is a reliance on either the
Sensitive Information Types provided by Microsoft, or a custom-definition created
by the customer itself. Sensitive data matching is fairly easy to bypass to
exfiltrate data; the matching algorithms look for exact matches and are easy to
trick. For example, matching a credit card number can be circumvented by
changing any one of the 16 digits into the equivalent word (e.g., writing the last
four digits as “997nine”, which will not match against the credit card regex); or
matching a SWIFT code by changing a digit to a word or a letter to the alphabet
equivalent (e.g., writing the SWIFT code WPHBVZ4W as WPHBVZed4W.)
• In situation where there is no attempt to deliberately obfuscate the presence of
Sensitive Information, messages that contain sensitive information can be missed
by DLP policies if explanatory metadata is missing from the email. For example,
an email that contains a Social Security Number, but not the explanatory phrase
“Social Security Number” will not trigger a DLP policy looking for them.
©2019 Osterman Research, Inc. 7Enhancing Data Protection in Microsoft Office 365
In short, matching sensitive data requires more or less perfection in how sensitive
data is formed in a message, and does not use a balanced evaluation for the
presence of sensitive data.
STORING AUDIT LOGS FOR COMPLIANCE
By default, the Office 365 Audit Log will retain audit events only for 90 days for Office
365 subscribers with Enterprise E3 or below and there is no way to increase this
period. This means that the Audit Log won’t be useful when trying to track down an
issue or problem that occurred beyond the past three months. However, the
exception is audit log entries within Exchange Online, where an administrator can
change the default from 90 days for Exchange audit log entries. For customers with
Office 365 E5 and Microsoft 365, audit log entries can be retained for up to one year.
This change was introduced to public preview in October 2018, but applies only to
audit log records generated after the longer duration comes into effect. Existing log
entries are unaffected by the longer retention duration.
Within Azure Active Directory, the free and basic editions retain activity and security
audit items for only seven days. Gaining insight into account compromise, for
example, is generally not possible unless it is identified almost immediately – given
that dwell times can be several months longer, seven days is not adequate. With a
subscription to Azure AD Premium P2, this can be increased to a maximum of 30 days
for activity items and 90 days for security items.
Any organization that needs longer-term access to their audit report items – such as
seven years’ worth of data under some compliance regulations – should be aware of
the limitations of the Office 365 Audit Log service.
eDISCOVERY ACROSS EX-EMPLOYEE DATA Consider using
Complete eDiscovery must include data generated by ex-employees. To date,
Microsoft’s inactive mailbox facility has enabled the mailboxes of those who have left
third-party
the organization to be retained indefinitely without charge, although in October 2017 solutions to
the intent to charge US$3.00 per mailbox per month was suggested. However, after
receiving pushback from customers and MVPs, Microsoft revoked the introduction of
meet the
this cost until further notice. challenges of a
Given that the average employee, at least in the United States, changes jobs about hybrid
every four years, Osterman Research predicts the exponential growth of ex-employee environment.
data will make it almost inevitable that inactive mailboxes will attract new licensing
terms during 2019 or 2020. This is likely to drive enterprises to seek lower-cost
strategies for hosting ex-employee data.
THE NEED TO MANAGE HYBRID ENVIRONMENTS
Hybrid environments in Office 365 – whether on-premises Exchange, other on-
premises systems or other cloud solutions – create their own challenges. For
example, Office 365 hybrid deployments introduce a number of interfaces on-
premises and in the cloud that make day-to-day management and automation more
difficult, partly because they are not connected. Moreover, the synchronization of
identities from on-premises to cloud-enabled rules can make it difficult to make
changes without complex scripts and privileged accounts. Consequently, tasks that
the help desk could perform before can no longer be accomplished in hybrid
environments, with the result that the increased administrative burden can negate
much of the perceived benefit that Office 365 provides.
In hybrid environments, organizations should consider using third-party solutions to
meet the challenges that will be posed by these environments. This is especially true
for larger organizations that will have a higher proportion of on-premises users and
applications even after migrating to Office 365.
©2019 Osterman Research, Inc. 8Enhancing Data Protection in Microsoft Office 365
AUTHENTICATION WITH AZURE ACTIVE DIRECTORY
Disruptions in one region with Azure AD can have cascading effects to other data
centers and regions. While Microsoft’s intent is that Azure AD is globally resilient, the
architecture for Azure has not yet delivered a completely fail-safe, cloud-based
authentication service. As one example, a lightning strike in Texas on September 4,
2018 disrupted the cooling systems at the US South Central data center in San
Antonio. This had a significant impact on both Office 365 and Azure services, with
customers outside of the US South Central region experiencing Azure AD
authentication problems.
Microsoft's implementation of multi-factor authentication (MFA) in Azure and Office
365 delivers a single point of failure. If MFA is experiencing downtime, affected users
cannot log in – this happened two times during November 2018. Some customers
using third-party MFA services with Office 365 claimed to be unaffected by the
outages, such as those using Duo and Okta.
SUPERVISORY REVIEW FOR FINRA COMPLIANCE
Some industry regulations, especially those enforced by the Financial Industry
Regulatory Authority (FINRA), necessitate the capture and review of communications
between various individual, such as broker-dealers and registered investment
advisors with their clients. Office 365 previously offered a Supervisory Review
capability that could work with Exchange Online messages, but it had some issues.
Supervision
works only
Microsoft replaced the legacy Supervisory Review capability in May 2017 with a new
Supervision tool that requires the Enterprise E5 plan or the Advanced Compliance
with Exchange
add-on. Administrators with the appropriate access permissions can set up one or Online in Office
more supervision policies. For example:
365, but does
• Every individual who must be covered by a Supervision policy needs an not address
Enterprise E5 license or the Advanced Compliance add-on. This is a per-user
licensing requirement, not an organizational-level option. Microsoft's
other commun-
• Supervision works only with Exchange Online in Office 365, but does not address
Microsoft's other communication tools, such as Yammer and Skype for ication tools,
Business/Microsoft Teams. This is a problem for users who employ these tools
and need to have their communications supervised.
such as
Yammer and
• Once a supervision policy has been established, a private shared mailbox is
provisioned for receiving the messages that have been captured. Supervisory
Skype for
reviewers must connect to the shared mailbox to review and assess each Business/
message.
Microsoft
• Built-in workflow is not available to alert reviewers of a new supervision policy Teams.
that provides them the ability to review messages. Advising reviewers must be
handled out-of-band by the person who set up the supervision policy.
• A single individual can be both the person to put under supervisory review and
the reviewer of a given policy.
• Sensitive information types does not work in Supervision policies.
• When adding conditions to the supervision policy, words or phrases must match
exactly, and so a misspelt variant will not trigger the supervisory rule. It would
be useful if Office 365 offered the ability to use fuzzy matching.
• Outlook’s filter options challenge supervision goals. There is no ability to sort and
filter messages based on content or metadata relevant to the supervision policy.
• Deleting all messages in a supervision mailbox is not audit logged against the
messages.
©2019 Osterman Research, Inc. 9Enhancing Data Protection in Microsoft Office 365
• A supervisor can reply to or forward a message from within the supervision
mailbox, but cannot audit or review what messages have been sent from the
supervision mailbox.
• An individual who reviews multiple Supervision mailboxes must go through each
supervision mailbox one-at-a-time. There is no ability to gain a unified view
across multiple supervision policies.
• At present, there is no migration support between the old Supervisory Review
feature and the new Supervision feature. Policies from the previous approach
have to be deleted; they cannot be migrated and updated, and they are not
automatically updated.
• Messages are captured for post-delivery or after-the-fact review, but there is no
ability to quarantine an offending message and have it routed for approval
before it is released.
• The audit log in Office 365 is blind to supervision policies: actions like creating,
editing, and deleting supervision policies are not audit logged.
MISCELLANEOUS ISSUES TO CONSIDER
• Passphrases are not supported within Office 365. These are generally longer
phrases that contain multiple natural language words that are easier to
remember than a password with a difficult pattern. For example, a passphrase
could be "I wrecked the car while driving Sherry to the prom." This is a 50-
character “password” that is simultaneously easy-to-remember for the end user
but, due to its length, harder for an attacker to guess or crack. Office 365 does Any decision
not support passphrases because Azure AD accounts do not support the use of
spaces, and are limited to a maximum of 16 characters.
maker
considering the
• New reports on access and authentication cannot be created by administrators.
deployment of
Office 365
Next Steps would be well-
Any decision maker considering the deployment of Office 365 would be well-advised advised to do
to do so – it’s a solid platform that will provide robust benefits. But they must also
consider limitations in the platform to determine how it will fit into their existing so.
environment and what third-party solutions should also be considered to improve the
overall deployment.
DO YOUR HOMEWORK FIRST
The decision to migrate to Office 365 is often top-down: the CIO, CEO or others in
senior management will decide that their organization will move to the platform and
the architects, security teams and others are charged with making it happen. The
problem is that some existing processes, on-premises solutions, various applications,
etc. won’t play well with Office 365. The problem is compounded by the fact that
those charged with making Office 365 work often don’t know the platform all that
well, and so they are learning it as they implement it. The process of learning the
minutiae of Office 365 can be tedious and, because Microsoft frequently updates
features and functions in the platform, it’s hard to keep up. Consequently, we highly
recommend doing as much due diligence on Office 365 as is possible before the
decision is made to move to the platform.
UNDERSTAND THE COSTS OF OFFICE 365
Decision makers should conduct a thorough cost analysis of Office 365 over time.
While some Office 365 customers will opt for Enterprise Plan E5 (with a current list
price in the United States of $35 per seat per month) others may choose to stay with
Enterprise Plan E3 and use add-on solutions to improve its eDiscovery, archiving,
security and other functionality. Osterman Research has determined that the use of
©2019 Osterman Research, Inc. 10Enhancing Data Protection in Microsoft Office 365
third-party solutions alongside a less expensive Office 365 plan (e.g., Enterprise Plan
E3 with a current list price in the United States of $20 per seat per month) will offer
improved capabilities than Plan E5 and at a reduced total cost per month. The more
important capabilities for which third-party solutions should be considered include:
• Data protection, which should include storage of Office 365 data on a non-
Microsoft platform; as well as capabilities to recover individual files and corrupted
data.
• Protection of corporate data that permits organizations to delete individual
records from their Office 365 accounts in order to comply with requirements like
GDPR’s Right-to-be-Forgotten.
• Archiving of various content types that contain business records, including
SharePoint and OneDrive data.
• The ability to conduct supervision for users in more heavily regulated
organizations, such as financial services.
• Robust eDiscovery capabilities that provide good workflow and project tracking
capabilities, more granular eDiscovery, and SLA for search.
Summary and Conclusions
Organizations that opt to deploy Office 365 will generally be well-served: it’s a solid Osterman
platform that will satisfy a number of business requirements for archiving, security, Research
data protection, encryption and other key business processes.
recommends
However, Osterman Research recommends that Office 365 deployments include an
accompanying, robust data protection solution. Office 365 does not yet include
that Office 365
adequate controls to protect against data deletion by rogue administrators in all deployments
cases, so essential corporate data can be cleared maliciously or even accidentally,
storage costs for retention can end up growing quickly, and backup capabilities in the
include an
platform violate the well-established “3-2-1 Rule”. Osterman Research recommends accompanying,
the use of a third-party solution that will address Office 365 data protection
holistically, offering support for Exchange Online, OneDrive, SharePoint, Teams and
robust data
other capabilities in the Office 365 platform. protection
solution.
About Commvault
Commvault is the recognized leader in data backup and recovery. Through a single
interface, Commvault provides data protection for on-premises and cloud-based data
workloads. Commvault provides a comprehensive data management platform for
managing data across files, applications, databases, hypervisors, and clouds.
Commvault includes data backup, recovery, management and e-discovery,
capabilities that are tightly integrated with today’s leading cloud providers.
Commvault data protection extends to Office 365, providing backup and restore for
Exchange Online, SharePoint Online and OneDrive for Business. With Commvault,
enterprises can quickly and efficiently complete migration of on-premises Exchange
Mailboxes to Office 365 through the archiving of redundant, outdated, and trivial
data, allowing you to migrate only recent and business-critical data.
©2019 Osterman Research, Inc. 11Enhancing Data Protection in Microsoft Office 365
© 2019 Osterman Research, Inc. All rights reserved.
No part of this document may be reproduced in any form by any means, nor may it be distributed
without the permission of Osterman Research, Inc., nor may it be resold or distributed by any
entity other than Osterman Research, Inc., without prior written authorization of Osterman
Research, Inc.
Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes
legal advice, nor shall this document or any software product or other offering referenced herein
serve as a substitute for the reader’s compliance with any laws (including but not limited to any
act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent
legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no
representation or warranty regarding the completeness or accuracy of the information contained
in this document.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR
IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE
ILLEGAL.
REFERENCES
i
https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-
description/service-health-and-continuity
ii
https://istheservicedown.com/problems/office-365/history
iii
https://docs.microsoft.com/en-us/exchange/back-up-email
iv
Skype for Business is being integrated with Microsoft Teams and the former is being
eliminated as a separate offering.
v
Skype for Business is being end-of-lifed and replaced with Microsoft Teams, but the
underlying issues around archiving remain the same.
vi
https://docs.microsoft.com/en-us/office365/securitycompliance/archiving-third-party-data
©2019 Osterman Research, Inc. 12You can also read
