Data Resiliency and Governance in Microsoft 365
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Data Resiliency and
Governance in Microsoft 365
Authors
Maha AbuRumman - Compliance Technical Specialist
Graham Hosking - Compliance Technical SpecialistIntroduction discovery. And the growing sophistication
of cyberthreats as well as the high reliance
In the bygone era of on-premises IT, many on data in our digital world has brought
organisations held and maintained laser focus on the issue of data resiliency.
hardware, software and updates to their
systems. Part of the standard IT operations As the provider of one of the most
included business continuity activities that ubiquitously utilized productivity suites in
occasionally required fully or partially the world, and the store for the majority of
redundant systems, intensive data backup data created, shared and stored by
processes, and data storage procedures. individuals and businesses, Microsoft is
keenly aware of the importance of the role
It is still common today to incorporate all we play in supporting the resiliency of our
systems into a centralised backup on- customers’ data.
premises, where data can be archived off to
cheaper storage forms like tape. However, The threats of the digital world, combined
the growing complexity of data regulation with our modern operations mean we must
and governance make these processes revamp our resiliency strategies, and
more difficult to manage. recognize that resiliency is no longer the
sole responsibility of the data owner, but
Fast forward to the world today, where the joint responsibility of data owners and
businesses are embarking on service providers.
transformative journeys, with digital
services being decentralised. Organisations In the next few pages, we will describe how
are collaborating with third parties to Microsoft’s M365 suite supports your data
provide internal and external services built resilience needs in the available
on digital products that help them compete productivity tools, and how you can use the
in their markets and achieve better financial available compliance solutions to extend
results. This includes IaaS and PaaS the protection and governance of that data
platforms that enable them to develop as befits your business needs.
products faster, collaborate with partners
to co build solutions and reduce the time for
delivery by reducing reliance on hardware
being delivered to the data centre. It’s in the
SaaS subscriptions for services integral to
the business such as email, data
management, sharing of information and
communications to promote productivity.
A major consideration for subscribing to a
cloud service is the resiliency of that service.
The move to the cloud has changed the
landscape of business resiliency and dataData Resiliency and
Governance in Microsoft 365
Shared Responsibility attacks, such as malware, phishing
campaigns, and others.
Microsoft’s responsibility
These built-in resiliency controls take the
As the service provider, Microsoft partners burden away from your organization of
with you to establish the baseline of having to establish resiliency controls and
resiliency for your data and services across tools to maintain data backups and perform
our M365 offering. M365’s business restoration tests. Reducing the cost and
continuity strategy leverages hardware, management burden on your IT operations
network, and datacentre redundancy. Data teams and enabling you to focus those
replication between data centres provides resources on more fruitful efforts.
high availability and reliability in the case of
a catastrophic incident. It also increases It remains then for your BCM planners and
resilience to mundane incidents such as teams to validate and assess the suitability
isolated hardware failure or data of the committed SLAs to your BC and DR
corruption. plans and business needs. These
provisions, however, are not the end of the
Microsoft 365 achieves service resilience line for your planning and commitments.
through redundant architecture, data
replication and automated integrity
checking.
• Redundant architecture involves
deploying multiple instances of a service
on geographically and physically
separate hardware, providing increased
fault-tolerance for M365 services. Customer Responsibility
• Data replication ensures there are
always multiple copies of customer data Depending on where your organization
in different fault-zones, allowing critical operates, which industries you operate in,
customer data to be recovered if what services you offer and what data you
corrupted, lost or even accidentally process, your business might be subject to
deleted by the customer. various laws, regulations and industry
• Automated integrity checking increases standards that might dictate data
data availability by automatically governance rules and controls that you
restoring data impacted by many kinds must implement and apply to some or all of
of physical or logical corruption. the data in your organization.
In addition to the above, Microsoft also Microsoft is not able to manage these
employs cyber defence tooling to protect responsibilities for you but makes available
customer data from cyber threats and to you tools that would help you manage
these across your data estate.Data Resiliency and
Governance in Microsoft 365
Before you start using these tools, here are services we provide (SharePoint, OneDrive,
some things to consider: Windows devices, Email, Teams chats, etc.).
• Where does your organization operate? By pattern matching the scanned data
In which geographies, countries, or against predefined patterns, or data
jurisdictions? expressions we have documented, we can
• What laws, regulations and industry help you quickly determine if your
standards are you subject to? organization is holding and processing
• What types of data do you collect, personal information, financial information,
process and share? or other predefined sensitive information
• Do the mandates for data protection expressions.
and governance vary by location, data
types, or other factors? Why does this matter in the context of
• What threats put your data at risk? resilience?
• In your organization, is data resiliency a
regulatory requirement, a cyber threat Well, to start, it falls on your organization to
mitigation or both? determine the level of protection that must
be applied to the data that resides in your
It is essential that these questions are M365 services. For example, must it be
answered in cooperation with your legal, encrypted? Can it be freely shared
risk and compliance teams. Though IT and externally or internally? And must it be
information security might be given the retained for a specific period?
responsibility of applying appropriate
controls and protection against that data, The intent is to enable your employees to be
these controls must be aligned to the productive with minimal friction, but to
organization’s responsibilities and protect your data from accidental or
contractual obligations. malicious accidents. To achieve this,
classification labels can be applied to
Once you have your answers to these documents, and repositories denoting the
questions, and an understanding of the sensitivity of the data. This serves two
obligations well defined, you can apply the purposes; it informs end users of the files
appropriate controls to your data and sensitivity ensuring awareness is spread of
repositories. the classification, and it applies the relevant
control to protect against accidents and
Information protection misbehaviour.
Many organisations today face the dilemma Common examples include employees
of knowing what data they actually have sharing files and data with partners that
and where. M365 helps you solve this might contain sensitive IP that the
challenge by indexing and crawling through organization deems confidential. Though
your data repositories to identify where the partners might be involved with the
sensitive information might live within the project, it might not be acceptable to shareData Resiliency and
Governance in Microsoft 365
certain IP information outside the end of life. To enable you to achieve these
organization. Encryption that was applied to requirements M365 offers retention and
this document through the “confidential” data disposition capabilities that enable you
classification label travels with the file, and to retain the data without having to move it
the external users would not be able to out to a different location.
decrypt it.
Commonly, organisations setup a default
Other scenarios are around sharing of retention policy of 7 years. This would cover
financial data, like credit card information. any data that resides in the core
Say a customer sale or support agent repositories of Exchange and SharePoint.
collects credit card information and is Teams will continue to retain data
sharing with a colleague to complete a sale, indefinitely unless a policy is set to mandate
this can be prevented from occurring on deletion.
unsanctioned work channels, and the users
would be notified of the breach of policy. After the default policy is setup, it is
Ensuring user awareness continues to build important for the business to determine
and protecting the organization from legal what regulations or standards affect the
or regulatory liability. data the organization holds and processes.
A file plan must be documented detailing
Information protection capabilities can be the applicable retention requirements to
extended to on-premises data as well with the relevant data. This is where the previous
the Azure Information Protection Scanner exercise of knowing what data is held where
(AIP Scanner). becomes invaluable again. Knowing what
data the organization holds in which
Retention and Disposition locations, the organization can define
retention and disposition policies to be
Microsoft services have some built in applied depending on data type being held
retention capabilities for data being deleted in the files and documents.
by end users. On a high level, Exchange
emails are retained for 14 days in a The policies can be setup to retain the data
recoverable items folder after users delete for a period and then automatically purge it
them. SharePoint Online retains files for a or send the data through a disposition
period of 93 days in multistage recycle bins. review cycle before it is permanently
In both cases, Microsoft Teams data is purged. If a file is subject to multiple
retained forever. This includes chat retention policies, then there is an order of
messages in public and private channels as priority that it will fall under.
well as files shared in teams.
However, many organisations are subject to
regulations, contractual requirements and
laws that require them to retain certain data
for longer periods of time and purge it uponData Resiliency and
Governance in Microsoft 365
or receipt of service and are retained as
evidence of action.
1. Retention wins over deletion.
With M365, our records management
if conflicts remain
solution enables you to declare files and
2. Longest retention period wins. data as records or regulatory records, this
if conflicts remain has the effect of locking the file to maintain
an original document or file in an
3. Explicit wins over implicit for deletions. immutable state.
if conflicts remain
A retention schedule, depending on the
4. Shortest deletion period wins. type of data would be defined that would
specify the retention period as well as the
record state. Once the policy is applied, the
initial file that was declared as a record is
This order of precedence is designed to
held in an immutable form and as a
minimise the risk to the organization from a
separate version of all subsequent copies
compliance perspective. Ensuring data is
which are stored in place.
not deleted before its due date, and it isn’t
maintained for longer than it should be.
This is essential for organisations that might
be subject to records management and
Records Management archival requirements by law, like in many
public sector and health care organisations.
Retention of data is one requirement many And is critical for corporations that are
organisations are subject to whether by subject to regulatory standards such as the
external mandate or by internal policy. Sarbanes Oxley and others that must
However, some organization might have maintain immutable records of their
additional retention requirements known business transactions. Additionally, it is
as records management. useful for organisations seeking to
implement a records management system
Records are information and data created in
to their contractual obligations and
the normal course of business activity that
maintain these records for potential
organisations must maintain as potential
defensibility and legal purposes.
evidence in case legal need. They represent
activities that were carried out in the normal
business operations, such as: banking
transactions, contractual agreements,
invoices and other documents.
Not all documents would be classified as
records. As records would comprise
evidence of activity performed for deliveryData Resiliency and
Governance in Microsoft 365
All these capabilities enable our customers preserve documents for the tax year
to enhance their data resiliency capabilities related to them and 6 years following
in M365, and fully manage the life cycle of that.
data being created in the various
documents and files by employees and Microsoft provides tools to help customers
users. on their way to meeting these types of
requirements, one of which is Compliance
Businesses in various industries are subject manager which provides a dashboard that
to regulations and laws that mandate indicates your compliance score in relation
retention and preservation of records. to your data protection and compliance
Compliance Officers are burdened with the posture. This includes recommendations to
tasks of measuring compliance against further improve data protection and export
various industry standards and regulations. the evidence to a regulator if required.
They track their compliance efforts against
multiple requirements, many of which are Conclusion
duplicated and sometimes even conflicting,
and must report on them internally and If your organization is subject to laws and
externally. Some examples include: regulations that require you to implement
controls to manage the data lifecycle, then
• HMRC – Record Keeping (VAT Notice you can trial the capabilities in M365 today
z00/21): requires businesses to maintain by accessing purchase services in your
all business and VAT records for at least M365 tenant and subscribing to the
6 years. relevant trial. Alternatively, you can sign up
• Regulation 12, The reporting of Injuries, for an E5 trial at: https://aka.ms/e5trial
Diseases and Dangerous occurrences
Regulations 2013: requires any incident You can learn more about our capabilities
information to be kept for at least 3 for information protection and governance
years. by watching these sessions:
• Article 49 of the regulation (EC) No
1272/2008 of the European Parliament • MyIgnite - Manage risk and secure
and of the council: This regulation information across your environment
governs the movement of substances, (microsoft.com)
mixtures and articles deemed • MyIgnite - Information risks keeping you
up at night? Deploy intelligent
hazardous to humans and the
information protection and data loss
environment. It requires that suppliers
prevention (microsoft.com)
maintain and keep all information for a
• Data retention capabilities – Microsoft
period of at least 10 years after the
official documentation
substances or mixture is last supplied by • Trigger retention policies with Events in
them. Advanced Data Governance
• The Registered Pension Schemes • Compliance Manager and Compliance
(Provision of Information) Regulations Score
2006: requires pension providers to© 2021 Microsoft Corporation. All rights reserved.
Authors
Graham Hosking - Compliance Technical Specialist
Maha AbuRumman -Compliance Technical Specialist
Illustrations
s
Becky Cholerton – Security & Compliance Technical SpecialistYou can also read
