Osterman Research
WHITE PAPER

White Paper by Osterman Research
Published June 2019
Sponsored by Commvault

Enhancing Data Protection in Microsoft Office 365

Executive Summary
When decision makers consider moving their users to Office 365, a critical issue that
faces them is:

•   Will the platform be a complete replacement for all on-premises Microsoft servers
    and capabilities, or

•   Will it merely be an addition to current on-premises capabilities?

Our research, as well as that of many others, indicates that most organizations are
largely opting for the former: Office 365 is replacing on-premises deployments of
Microsoft Exchange and other on-premises email platforms. While many other
platforms will continue to be used, particularly in larger organizations, Office 365 is
becoming the leading business email and collaboration tool in the workplace.

While Microsoft offers a solid platform of useful features and functions with Office
365, no platform can be all things to all users, and so decision makers must perform
due diligence and determine what Office 365 does well and in which areas
supplementary or replacement solutions from third parties will be required. Moreover,
there is also the issue of whether the native capabilities in Office 365 provide
adequate support for non-Microsoft content sources. Osterman Research holds the
view that Office 365 is a solid and robust platform, but that in most cases
organizations will want and need to deploy additional solutions to offer better
performance or functionality, or to provide necessary functionality for solutions not
offered by Microsoft. Plus, as discussed in this paper, the use of third-party solutions
can be useful in helping to drive down the cost of an Office 365 deployment.

What follows is a discussion of the limitations within the Office 365 platform that
decision makers will want to consider as they decide how to deploy Office 365 in their
environment.

ABOUT THIS WHITE PAPER
This white paper was sponsored by Commvault. Information about the company is
provided at the end of this paper.

Data Protection Within Office 365
Osterman Research has identified some limitations in Office 365’s data protection
approach:

•   Use of the Recycle Bin is essential for accidental deletion protection, but content
    from the Recycle Bin can be accidentally or maliciously cleared, and so it does
    not offer a true data protection option in and of itself.

•   The use of Retention Policies can result in an increase in storage use within
    OneDrive and SharePoint, potentially resulting in having to pay for extra storage
    beyond what is included in a given plan once the storage allocation has been
    reached. Extra storage is priced at $0.20 per gigabyte per month, meaning that
    an additional 50 gigabytes of storage per user in a 1,000-user company will cost
    $10,000 monthly.

•   Moreover, Retention Policies by themselves do not protect against a rogue
    administrator unless Retention Lock is added. However, this feature cannot be
    disabled once it is turned on, and so organizations that experience a major
    increase in storage will not be able to rectify that problem by disabling Retention
    Lock. This can also be an issue for organizations that are obligated to delete
    data, such as from a “right-to-be-forgotten” demand under GDPR.

©2019 Osterman Research, Inc.

BACKING UP OFFICE 365
The best practice of keeping three copies of data, on two different media or
platforms, with one copy off-site (the "3-2-1" rule) is well established for data
protection. However, within Office 365 the native capabilities to protect data use the
platform itself to provide that protection, which violates this practice: a rogue
administrator, an account takeover with delete rights, or a tenant-level fault reaches
the primary data and its in-platform copies at the same time. The use of an external
service or platform to protect Office 365 data is more in line with sound data
protection, and Microsoft itself recommends doing this in its service agreement.

There are some capabilities within Office 365 for recovering corrupted data. For
example, Files Restore will return OneDrive to a specific point in time from the past
30 days. It reverts all basic file and folder operations that transpired during the
selected time period, but it does not support a selective restoration. For selective
restoration – such as to recover a file or folder that was deleted accidentally rather
than being subject to a ransomware attack – OneDrive offers access to the Recycle
Bin and/or Version History for each file to roll back to a previous version. The ability
to restore files, folders, and subfolders is a standard feature in third party backup
tools.

Similarly, SharePoint sites and subsites can be restored, but this must be requested
from Microsoft support, and there are some limitations with this process, including the
fact that there is no SLA for it. If a site collection must be restored, Microsoft can
restore only the entire site in place, and any data created after the latest backup will
be lost. Restoring subsites to alternate locations is possible, but Microsoft says this
process is more complicated and error-prone than a full site collection restore.

LONG-TERM ARCHIVAL OF DATA
Data from Office 365 will be retained for three years and then deleted afterwards,
and deleted emails will be moved into an archive folder and held there for three
years, after which they will be deleted. It is important to note that the total retention
period will be three years, not three years in mainline storage and an additional three
years in an archive folder. There are some other issues to consider:

•   The import process can corrupt a mailbox
    Importing data can accidentally corrupt a mailbox in some circumstances. For
    example, if a .PST file has been imported into a mailbox, it is not possible to
    remove only the imported emails or to do a point-in-time restore to a point prior
    to the .PST import. A user in an online forum posted this exact scenario,
    including the difficulty in cleaning it up without the ability to do a point-in-time
    restore.

•   Users who are on legal hold
    When a user is on legal hold, their deleted email is not automatically migrated to
    an archive folder, but is instead put into the “dumpster”. If the dumpster
    exceeds 100 gigabytes, it must be manually moved to an archive folder or a
    separate retention policy must be established to manage it.

Other Issues to Consider
WHO PROTECTS WHAT?
Office 365 is a robust offering and Microsoft has gone to significant lengths to ensure
that the platform stays up and running. However, there are some important issues
for any current or prospective Office 365 customer to consider:

•   Office 365 uses what it calls the “shared responsibility model”. This model
    dictates that Microsoft is responsible for its global infrastructure and for ensuring
    that Office 365 remains up and running, while customers are responsible for
    access to and control of their data that resides in the Office 365 infrastructure.


•   While Office 365 is a fairly reliable system on a worldwide basis (it achieved
    99.97 percent reliability during the first quarter of 2019 [i]), it suffers from
    somewhat frequent outages on a more localized, regional basis. For example, it
    suffered from four such outages in April 2019 and five in May 2019 [ii]. These
    outages can result in data loss.

•   Microsoft states that “point in time restoration of mailbox items is out of scope
    for the Exchange Online service.” [iii] That means that if an organization suffers an
    account takeover, ransomware attack, or data deletion from a malicious insider,
    among other potential problems, there is no guarantee of being able to restore
    lost data.

In short, this means that Office 365 customers are responsible for their own data,
just as if they were managing their own email and collaboration solution on-premises.
Consequently, organizations that deploy Office 365 will still need to maintain robust
data protection capabilities to protect against data loss.

THE NEED FOR AN EMAIL JOURNAL
Journaling is a useful tool in helping organizations to satisfy their regulatory, legal and
best practice compliance requirements, since it records all inbound and outbound
email communications that occur within an environment. Journaling is useful in the
context of satisfying compliance requirements that exist in the financial services,
healthcare and various other industries.

Office 365 email (Exchange Online) does not have a conventional email journal, but
Microsoft has changed its Office 365 model to achieve the same “compliance
outcome” of a journal service. By putting all relevant mailboxes on In-Place Hold, all
emails sent and received will be retained indefinitely and cannot be deleted by users.
Inactive mailboxes within the environment (e.g., those belonging to ex-employees)
may also be placed on Indefinite Hold.

For organizations that have an existing journal that must be migrated to Office 365,
one of the following will be necessary:

•   The existing journal must be moved to a third-party journal service and content
    will continue to be written to the journal from Office 365, or

•   All of the existing journal content must be migrated to Office 365.

The first option will require that two locations be maintained and searched in order to
satisfy an organization’s information governance and eDiscovery requirements, but it
may result in a less expensive and more practical solution, particularly if an
organization must retain large volumes of information.

The second option is possible through the use of specialist migration software, but
Microsoft’s guidance on where to migrate journal content is not clear. Plus, there exist
some limitations on how mailboxes in Office 365 can be used to retain email
belonging to multiple users.

THIRD-PARTY ENCRYPTION SOLUTIONS OFFER BETTER
PERFORMANCE
The first version of Office 365 Message Encryption had some weaknesses, such as
lack of robust reporting and a less-than-optimal user interface for recipients of
encrypted messages. The newer version, Office 365 Message Encryption Version 2
(OMEv2) offered some significant improvements, but still has some limitations
compared to some third-party solutions. For example:

•   Some customers of Office 365 have noted the inability to send encrypted
    messages to other Office 365 tenants under various conditions, specific and
    frequently changing version requirements for Outlook (along with some


    noteworthy bugs), and the non-disclosure by Microsoft of tenant-level settings in
    Office 365 that prevent encryption from working in some cases.

•   Some customers found the Do Not Forward encryption setting that Microsoft
    released with OMEv2 undesirable because it imposed both encryption and rights
    management settings on the message and any attachments, which some
    considered too restrictive. While a new release removed rights management
    after delivery of encrypted messages, some consider OMEv2 not to be a reliable
    option on either Outlook for Windows or Outlook for Mac. Microsoft has had to
    introduce new tenant-level settings to address post-delivery problems where
    recipients were not able to read encrypted attachments. The new setting
    removes the encryption applied to attachments for certain recipients under
    certain conditions.

•   Encrypted messages that are sent to recipients using Google Gmail and Yahoo!
    Mail can employ their respective identities to decrypt the message in the viewing
    portal. While this is a transparent and convenient process for recipients, it also
    means that if the sender sends the encrypted email to the wrong recipient, that
    individual will be able to access the encrypted message using only their Google
    or Yahoo! credentials. The sender cannot require additional identity verification
    to assure that the message has been received by the correct recipient, such as
    multi-factor authentication. Similarly, if a user's Google or Yahoo! account is
    compromised, a bad actor will be able to use the transparent decryption process
    to access encrypted messages. Moreover, if a recipient's Google or Yahoo!
    account is compromised, the bad actor can send encrypted replies to the original
    sender and other recipients, opening an avenue for phishing attempts that seem
    more credible and may be more difficult to detect.

•   The requirement for links within encrypted messages to recipients who are not
    using Outlook will result in some encrypted messages looking like phishing
    messages, particularly because they request a username and password to log in.
    Some email services, such as Gmail, can classify OMEv2 messages as phishing
    because of this request and will warn recipients not to click the link. In short, the
    reliance on links in OMEv2 messages can make them look like phishing
    messages.

•   Users cannot automatically encrypt all messages sent through Outlook.

•   Because OMEv2 does not encrypt the subject line of the message, senders of
    encrypted messages must be careful not to include sensitive or confidential
    information in the subject line.

•   OMEv2 does not offer insights or reporting capabilities for the sender of the
    message after it has been delivered. While the Office 365 Security & Compliance
    Center offers reporting on encrypted messages for Office 365 administrators, this
    information is not available to end users, and does not report on any post-
    delivery actions by recipients. Moreover, the sender cannot change the
    encryption status or rights after the message has been sent, a message cannot
    be revoked once it has been sent from Outlook or Outlook on the web (although
    administrators can do so on a sender's behalf using PowerShell, but only for all
    recipients), and senders have no in-band way of knowing that their message was
    not delivered as expected if it ends up being classified as spam.

•   Office 365 supports encryption primarily for Microsoft file types. For example,
    while PDF files can be encrypted in transit, they will not be encrypted once the
    message is received.


ARCHIVING ISSUES TO CONSIDER
Archiving, a best practice distinct from backup, is essential to ensure that all relevant
business records are retained for the appropriate length of time as required by
regulations, legal obligation or corporate best practice.

Microsoft has included archiving capabilities within Office 365, but not for all content
types. Archiving is not provided for content generated by third-party applications,
and it is not provided for some Microsoft content types either, such as Skype for
Business [iv] or SharePoint. For example:

•   It is not possible to archive SharePoint content that is no longer current to
    alternative and less expensive storage systems, as is possible with many third-
    party archiving solutions. Although Office 365 customers can add unlimited
    SharePoint storage capacity, it is not inexpensive. Organizations that maintain
    large volumes of SharePoint data and want to keep their live SharePoint
    footprint small, or to move aged content out of SharePoint Online altogether,
    will end up paying more because there is no native lower-cost tier to move it to.

•   No native archiving service for Skype for Business Online is available [v]. Instead,
    archiving for Skype for Business Online relies on Exchange Online for archiving
    content if specific conditions are met. While Skype instant messaging transcripts
    are retained in the Conversation History folder in each user's Exchange Online
    mailbox, unless the mailbox is on legal or litigation hold, a user is able to delete
    their instant messaging transcripts at will. That can result in spoliation of
    evidence or an inability to fully meet regulatory obligations. A legal hold is
    required to force the retention of Skype messages, meaning that all Exchange
    Online mailboxes must be on hold at all times for this to work.

•   Office 365 offers SMS/text messaging archiving capabilities for BlackBerry
    devices, but not for iOS or Android devices [vi].

•   The content from some third-party collaboration, messaging, social media and
    other content sources can be archived into Exchange Online in Office 365, but
    only as converted email messages if agreements are in place with a third-party
    data partner. Messages are stored in the Exchange Online mailbox belonging to
    the specific user, and for content that cannot be tracked to a named individual, a
    catch-all mailbox is used. The conversion of third-party content in this way
    removes key elements of context, and makes it difficult to re-create a historically
    valid chain of events in some cases.

THE IMPORTANCE OF eDISCOVERY
The process of electronic discovery (eDiscovery) is key for any email and
collaboration platform because of the need to produce information in support of
litigation efforts, and because a large part of the typical organization’s data is stored
in its email and collaboration databases. Office 365 offers some important eDiscovery
capabilities, but there are some limitations to consider. For example:

•   There is no Service Level Agreement (SLA) for a Content Search or eDiscovery
    search, but Microsoft claims that 100 mailboxes can be searched in 30 seconds
    and 10,000 mailboxes in four minutes. Based on user feedback, Osterman
    Research has found that this goal is not met consistently.

•   Individual retention, preservation and disposition policies cannot be created for a
    user’s mailbox and their Online Archive. Some third-party solutions allow
    different policies to be created for each.

•   Office 365 offers an advanced eDiscovery capability for Office 365 applications,
    but it is not “in-place” and is not integrated directly into the data sources.
    Consequently, the effort is a two-step process, requiring a search and export of
    data using the Security & Compliance Center capabilities, and then selecting the
    Advanced eDiscovery center as a destination before running the advanced tools.

•   The European Union’s General Data Protection Regulation (GDPR) ushered in a
    shift to privacy regulations beyond traditional data security mandates. The
    GDPR and other regulations include the expectation of being able to handle
    robust search capabilities for subject access requests, as well as good discovery
    and deletion capabilities to support the “right to be forgotten”. Office 365
    includes basic functionality to support these requirements, but the burden is still
    on IT to carry them out through IT-centric processes and admin interfaces. With
    GDPR and the new California Consumer Privacy Act (CCPA), these requests will
    continue to increase. As a result, organizations need to be prepared to have IT
    disrupted by a potentially significant number of requests that should really be
    delegated to line-of-business owners. Third-party solutions are available to
    address this compliance requirement and prevent it from becoming an IT
    bottleneck.

Office 365 includes a range of eDiscovery capabilities for searching for responsive
material, plus a more advanced eDiscovery service called Advanced eDiscovery that
adds text analytics, machine learning, and relevance and predictive coding for early
case assessment. Advanced eDiscovery is available in the premium Enterprise E5
plan, and as an additional cost add-on to the much less expensive Enterprise E3 plan.
However:

•   Office 365 includes minimal workflow or project tracking for an eDiscovery case,
    such as the status of the case (apart from Active and Closed), the individuals
    who are involved, and the current state of tasks assigned to the case.

•   eDiscovery case administrators have no ability to send legal hold notification
    alerts, reminders or escalations within the Office 365 Security & Compliance
    Center, and so these must be handled out-of-band.

•   Cases consist of holds and searches, and no two searches within any eDiscovery
    case across the organization can have exactly the same name. Office 365 will
    permit a given name to be used only once in eDiscovery cases across the entire
    tenant.

•   eDiscovery cases within Office 365 are created and managed in an ad-hoc way
    and a compliance officer is responsible for entering ad-hoc search terms. It is not
    possible to create a case template for repeatability and auditing, with standard
    search queries and locations, key actions and requirements to complete, and an
    audit trail of what has and has not been completed. This can be an issue for
    organizations that are not doing eDiscovery on a regular basis, since the ad-hoc
    approach means that previous knowledge and techniques are likely to be
    forgotten and overlooked in a current eDiscovery case, possibly exposing an
    organization to sanction for insufficient production of evidence.

•   Configuration of a more limited search scope for eDiscovery managers searching
    OneDrive, SharePoint Online repositories, and Exchange mailboxes is not
    possible. For example, any eDiscovery manager can search any OneDrive folder,
    SharePoint Online site, or Exchange mailbox anywhere in the world and no
    controls currently exist to restrict access by country or region.

•   Signature blocks cannot be excluded from the search scope on email messages,
    so if a keyword appears in an email signature it can generate a high rate of false
    positives.

•   The eDiscovery capabilities in the Office 365 Security & Compliance Center allow
    content to be searched in user and group mailboxes in Exchange Online, sites in
    SharePoint and OneDrive, and Exchange public folders. Workloads that store
    content in these containers can be searched, but other workloads that do not are


    excluded (such as Yammer, Microsoft Stream, and Microsoft Planner). Further, an
    eDiscovery case created in the Security & Compliance Center cannot search for
    responsive content in content repositories outside of Office 365, such as those
    maintained on-premises or in other cloud services. This limited approach means
    that any organization with content outside of Office 365 – including SharePoint
    2013 and 2016 on-premises – will need multiple eDiscovery tools, in addition to
    having to start, conduct, and coordinate multiple eDiscovery cases in each
    separate tool.

•   When generating search results for Exchange Online, SharePoint Online and
    OneDrive, these must be exported from Office 365 to facilitate the review
    process; the Exchange content as one or more .PST files, and the SharePoint and
    OneDrive content as individual files (with an option for all versions). This creates
    several challenges: 1) a duplicate content set apart from Office 365 needs to be
    protected, 2) there is no reporting on actions taken on the exported content in
    the eDiscovery case because Office 365 is blind to post-export actions, 3) if the
    search is run again then another export is required along with integration of
    multiple sets of data, and 4) there is no connection between what was collected
    and the coding decisions made to that content in order to inform future cases
    and reduce the volume of potentially responsive content in Office 365.

•   The exports from Office 365 content stores are not protected and so are at risk
    of alteration and spoliation. The output is a raw native export and not in a
    preservation format, such as forensic image format, which many third-party
    eDiscovery collection tools offer.
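Since the export leaves Office 365 as raw native files with no preservation wrapper, the practitioner's minimal control is to seal it with a hash manifest at collection time and to verify against that manifest before anything is relied on in review. What follows is an added example written for this page, not part of the Osterman paper or of any Microsoft export tool; the case name, file names and file contents built in demo() are constructed stand-ins (the .pst stub is not a parseable PST).

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large .PST exports never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(export_dir: Path) -> dict:
    """Hash every file under the export root; keys are root-relative POSIX paths."""
    manifest = {}
    for p in sorted(export_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(export_dir).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    return manifest


def seal_export(export_dir: Path) -> Path:
    """Write the manifest beside the export, not inside it, so the sealed tree is
    exactly what was collected. The manifest's own hash belongs in the custody log."""
    manifest = build_manifest(export_dir)
    out = export_dir.with_name(export_dir.name + ".manifest.json")
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_manifest(export_dir: Path, manifest: dict) -> dict:
    """Report files changed, removed, or added since the export was sealed."""
    current = build_manifest(export_dir)
    report = {"modified": [], "missing": [], "added": []}
    for rel, meta in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in manifest]
    return report


def demo() -> dict:
    """Constructed walk-through: seal an export, tamper with it, re-verify.
    Case name, file names and file contents are stand-ins, not real data."""
    root = Path(tempfile.mkdtemp())
    export = root / "Case-0001"  # hypothetical case folder
    (export / "Exchange").mkdir(parents=True)
    (export / "SharePoint" / "Finance").mkdir(parents=True)
    # Stubs only: a real PST begins with "!BDN", but this is not a parseable file.
    (export / "Exchange" / "custodian1.pst").write_bytes(b"!BDN" + b"\x00" * 64)
    (export / "SharePoint" / "Finance" / "Q1-forecast.xlsx").write_bytes(b"PK\x03\x04 constructed stub")

    manifest_path = seal_export(export)
    custody_hash = sha256_file(manifest_path)  # record this value out-of-band
    manifest = json.loads(manifest_path.read_text())

    # Simulated post-export handling: one document edited, one stray file added.
    (export / "SharePoint" / "Finance" / "Q1-forecast.xlsx").write_bytes(b"PK\x03\x04 altered")
    (export / "notes.txt").write_text("reviewer scratch file")

    return {"manifest_sha256": custody_hash, "report": verify_manifest(export, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is written beside the export rather than inside it, and its own SHA-256 is what goes into the custody log, so a tampered tree cannot simply carry a regenerated manifest. This does not replace a forensic image format, which also preserves timestamps and file-system metadata, but it makes alteration detectable, which is the gap the bullet above describes.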

OFFICE 365 DOES NOT INDEX ALL KEY FILE TYPES
Microsoft indexes 58 file types, most of which are focused on types generated by
Microsoft applications. When undertaking an eDiscovery search and performing an
early case assessment, any file that is not included in these 58 will be flagged as
unprocessed. When applying DLP rules, file types not included will not trigger the
capture rules. The implication is the need for a manual review of these non-
supported file types by a compliance officer or legal counsel, adding to the cost of
processing the data. Moreover, keyword searches might also miss relevant content
due to the use of a “best-effort” index. If an organization makes regular use of non-
supported file types, it should look at third-party tools that will index additional file
types.

SENSITIVE DATA
There are some limitations in Office 365 in the context of looking for sensitive data in
email messages:

•   When analyzing content for sensitive data there is a reliance on either the
    Sensitive Information Types provided by Microsoft, or a custom-definition created
    by the customer itself. Sensitive data matching is fairly easy to bypass to
    exfiltrate data; the matching algorithms look for exact matches and are easy to
    trick. For example, matching a credit card number can be circumvented by
    changing any one of the 16 digits into the equivalent word (e.g., writing the last
    four digits as “997nine”, which will not match against the credit card regex); or
    matching a SWIFT code by changing a digit to a word or a letter to the alphabet
    equivalent (e.g., writing the SWIFT code WPHBVZ4W as WPHBVZed4W.)

•   In situations where there is no attempt to deliberately obfuscate the presence of
    Sensitive Information, messages that contain sensitive information can still be
    missed by DLP policies if the explanatory context is absent from the email. For
    example, an email that contains a Social Security Number, but not a supporting
    phrase such as “Social Security Number”, will not trigger a DLP policy looking for
    them.


In short, matching sensitive data requires more or less perfection in how sensitive
data is formed in a message, and does not use a balanced evaluation for the
presence of sensitive data.
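The two weaknesses this section describes, exact-pattern matching that a spelled-out digit defeats and pattern matches that are discarded without a supporting keyword, can be reproduced in a few lines. The following is an added example written for this page, not code from the Osterman paper or from Microsoft's Sensitive Information Types: a toy matcher in Python whose regexes are simplified stand-ins for the published SIT patterns, whose 300-character keyword window is this example's own assumption, and whose sample values (4111 1111 1111 1111, a well-known test card number; 123-45-6789, a placeholder; WPHBVZ4W, the paper's own sample BIC) are constructed test data. It also shows the one cheap countermeasure the section does not mention: folding digit words back to numerals on a detection-only copy before matching, which catches “997nine” but does nothing for a BIC with a letter spelled out, because a BIC has no checksum to fall back on.

```python
import re

# Spelled-out digits: the substitution the paper describes ("997nine").
DIGIT_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}
DIGIT_WORD_RE = re.compile("|".join(DIGIT_WORDS), re.IGNORECASE)

# Exact-format patterns of the kind a Sensitive Information Type relies on
# (simplified here; the real SIT definitions are broader).
CREDIT_CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
SWIFT_BIC_RE = re.compile(r"\b[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Supporting keywords; the 300-character window is an assumption of this example.
SSN_KEYWORDS = ("social security number", "social security", "ssn")
KEYWORD_WINDOW = 300


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that payment card numbers satisfy; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise(text: str) -> str:
    """Fold spelled-out digits back to numerals before pattern matching.

    Deliberately aggressive ("phone" becomes "ph1"): this copy is used only for
    detection and never shown to anyone, so over-folding costs nothing beyond a
    few extra checksum evaluations.
    """
    return DIGIT_WORD_RE.sub(lambda m: DIGIT_WORDS[m.group(0).lower()], text)


def find_credit_cards(text: str, normalise_first: bool = False) -> list:
    """Pattern match plus Luhn check, optionally after digit-word normalisation."""
    if normalise_first:
        text = normalise(text)
    hits = []
    for m in CREDIT_CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_swift_codes(text: str, normalise_first: bool = False) -> list:
    """BIC codes carry no checksum, so there is nothing beyond the pattern to lean on."""
    if normalise_first:
        text = normalise(text)
    return [m.group(0) for m in SWIFT_BIC_RE.finditer(text)]


def find_ssns(text: str, require_keyword: bool = True) -> list:
    """Mimic a confidence rule: the pattern alone is not enough, a supporting
    keyword must appear within KEYWORD_WINDOW characters of the match."""
    lowered = text.lower()
    hits = []
    for m in SSN_RE.finditer(text):
        if require_keyword:
            lo, hi = max(0, m.start() - KEYWORD_WINDOW), m.end() + KEYWORD_WINDOW
            if not any(k in lowered[lo:hi] for k in SSN_KEYWORDS):
                continue
        hits.append(m.group(0))
    return hits


def scan(text: str, normalise_first: bool = False) -> dict:
    """Everything a DLP rule built on these detectors would have to act on."""
    return {
        "credit_cards": find_credit_cards(text, normalise_first),
        "swift_codes": find_swift_codes(text, normalise_first),
        "ssns": find_ssns(text),
    }


if __name__ == "__main__":
    # Constructed messages: the first is the honest form, the second the evasion.
    samples = [
        "Card 4111 1111 1111 1111, wire to WPHBVZ4W, SSN 123-45-6789",
        "Card 4111 1111 1111 111one, wire to WPHBVZed4W, my number is 123-45-6789",
    ]
    for msg in samples:
        print("plain     :", scan(msg))
        print("normalised:", scan(msg, normalise_first=True))
```

Running the block prints the plain and normalised scan of the two constructed messages. The design point is that the Luhn check is what keeps aggressive normalisation from flooding the rule with false positives; for identifiers without a checksum, such as a BIC or an SSN, the only comparable lever is the supporting-keyword rule, which is exactly what the second bullet above shows being missed when the keyword is absent.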

STORING AUDIT LOGS FOR COMPLIANCE
By default, the Office 365 Audit Log will retain audit events only for 90 days for Office
365 subscribers with Enterprise E3 or below and there is no way to increase this
period. This means that the Audit Log won’t be useful when trying to track down an
issue or problem that occurred beyond the past three months. However, the
exception is audit log entries within Exchange Online, where an administrator can
change the default from 90 days for Exchange audit log entries. For customers with
Office 365 E5 and Microsoft 365, audit log entries can be retained for up to one year.
This change was introduced to public preview in October 2018, but applies only to
audit log records generated after the longer duration comes into effect. Existing log
entries are unaffected by the longer retention duration.

Within Azure Active Directory, the free and basic editions retain activity and security
audit items for only seven days. Gaining insight into account compromise, for
example, is generally not possible unless it is identified almost immediately; given
that dwell times can be several months or longer, seven days is not adequate. With a
subscription to Azure AD Premium P2, this can be increased to a maximum of 30 days
for activity items and 90 days for security items.

Any organization that needs longer-term access to their audit report items – such as
seven years’ worth of data under some compliance regulations – should be aware of
the limitations of the Office 365 Audit Log service.
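One mitigation for the 90-day limit is to export the audit log on a schedule to storage that the tenant's own administrators cannot purge. The script below is an added example (not from the paper or Commvault) using the Exchange Online PowerShell cmdlet Search-UnifiedAuditLog; the export root, the one-day slicing and the daily lookback are assumptions.

```powershell
# Added example (not from the Osterman paper or Commvault): export the Office 365
# unified audit log on a schedule so that records outlive the 90-day retention
# window. Requires the ExchangeOnlineManagement module and an account permitted
# to run Search-UnifiedAuditLog. $ExportRoot, the one-day slicing and the daily
# lookback are assumptions; point $ExportRoot at storage outside the tenant.
param(
    [string]$ExportRoot   = 'C:\AuditArchive',  # assumed destination
    [int]   $LookbackDays = 1                   # export the previous day each run
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$end   = (Get-Date).Date
$start = $end.AddDays(-$LookbackDays)
New-Item -ItemType Directory -Path $ExportRoot -Force | Out-Null

# One search session returns at most 50,000 records, so the range is walked a
# day at a time; busy tenants may need to slice by hour instead.
for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    # A fresh session id per run: the service caches sessions server-side, and
    # reusing an old id would resume a stale session instead of starting over.
    $sessionId = 'audit-export-' + $day.ToString('yyyyMMdd') + '-' + [guid]::NewGuid()
    $outFile   = Join-Path $ExportRoot ('UnifiedAuditLog-{0:yyyy-MM-dd}.jsonl' -f $day)
    $total     = 0
    do {
        # ReturnLargeSet pages through the session 5,000 records per call and
        # returns nothing once the session is exhausted.
        $batch = @(Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
                     -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        if ($batch.Count -gt 0) {
            # AuditData holds the full event as JSON; one event per line keeps the
            # archive easy to load into any log platform later.
            $batch | ForEach-Object { $_.AuditData } |
                Add-Content -Path $outFile -Encoding UTF8
            $total += $batch.Count
        }
    } while ($batch.Count -gt 0)
    Write-Host ('{0:yyyy-MM-dd}: archived {1} audit records to {2}' -f $day, $total, $outFile)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it daily from a scheduler so that each day's records are copied well before the tenant's retention window expires; Exchange audit entries whose retention an administrator has extended are exported the same way.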

eDISCOVERY ACROSS EX-EMPLOYEE DATA
Complete eDiscovery must include data generated by ex-employees. To date,
Microsoft’s inactive mailbox facility has enabled the mailboxes of those who have left
the organization to be retained indefinitely without charge, although in October 2017
the intent to charge US$3.00 per mailbox per month was suggested. However, after
receiving pushback from customers and MVPs, Microsoft revoked the introduction of
this cost until further notice.

Given that the average employee, at least in the United States, changes jobs about
every four years, Osterman Research predicts the exponential growth of ex-employee
data will make it almost inevitable that inactive mailboxes will attract new licensing
terms during 2019 or 2020. This is likely to drive enterprises to seek lower-cost
strategies for hosting ex-employee data.

THE NEED TO MANAGE HYBRID ENVIRONMENTS
Hybrid environments in Office 365 – whether on-premises Exchange, other on-
premises systems or other cloud solutions – create their own challenges. For
example, Office 365 hybrid deployments introduce a number of interfaces on-
premises and in the cloud that make day-to-day management and automation more
difficult, partly because they are not connected. Moreover, the synchronization of
identities from on-premises directories to the cloud, and the rules that govern it, can
make it difficult to make changes without complex scripts and privileged accounts.
Consequently, tasks that the help desk could perform before can no longer be
accomplished in hybrid environments, with the result that the increased administrative
burden can negate much of the perceived benefit that Office 365 provides.

In hybrid environments, organizations should consider using third-party solutions to
meet the challenges that will be posed by these environments. This is especially true
for larger organizations that will have a higher proportion of on-premises users and
applications even after migrating to Office 365.

AUTHENTICATION WITH AZURE ACTIVE DIRECTORY
Disruptions in one region with Azure AD can have cascading effects on other data
centers and regions. While Microsoft’s intent is that Azure AD is globally resilient, the
architecture for Azure has not yet delivered a completely fail-safe, cloud-based
authentication service. As one example, a lightning strike in Texas on September 4,
2018 disrupted the cooling systems at the US South Central data center in San
Antonio. This had a significant impact on both Office 365 and Azure services, with
customers outside of the US South Central region experiencing Azure AD
authentication problems.

Microsoft's implementation of multi-factor authentication (MFA) in Azure and Office
365 creates a single point of failure. If MFA is experiencing downtime, affected users
cannot log in – this happened twice during November 2018. Some customers
using third-party MFA services with Office 365, such as Duo and Okta, claimed to be
unaffected by the outages.

SUPERVISORY REVIEW FOR FINRA COMPLIANCE
Some industry regulations, especially those enforced by the Financial Industry
Regulatory Authority (FINRA), necessitate the capture and review of communications
between various individuals, such as broker-dealers and registered investment
advisors with their clients. Office 365 previously offered a Supervisory Review
capability that could work with Exchange Online messages, but it had some issues.

Microsoft replaced the legacy Supervisory Review capability in May 2017 with a new
Supervision tool that requires the Enterprise E5 plan or the Advanced Compliance
add-on. Administrators with the appropriate access permissions can set up one or
more supervision policies. For example:

•   Every individual who must be covered by a Supervision policy needs an
    Enterprise E5 license or the Advanced Compliance add-on. This is a per-user
    licensing requirement, not an organizational-level option.

•   Supervision works only with Exchange Online in Office 365, but does not address
    Microsoft's other communication tools, such as Yammer and Skype for
    Business/Microsoft Teams. This is a problem for users who employ these tools
    and need to have their communications supervised.

•   Once a supervision policy has been established, a private shared mailbox is
    provisioned for receiving the messages that have been captured. Supervisory
    reviewers must connect to the shared mailbox to review and assess each
    message.

•   Built-in workflow is not available to alert reviewers of a new supervision policy
    that provides them the ability to review messages. Advising reviewers must be
    handled out-of-band by the person who set up the supervision policy.

•   A single individual can be both the person to put under supervisory review and
    the reviewer of a given policy.

•   Sensitive information types do not work in Supervision policies.

•   When adding conditions to the supervision policy, words or phrases must match
    exactly, and so a misspelt variant will not trigger the supervisory rule. It would
    be useful if Office 365 offered the ability to use fuzzy matching.

•   Outlook’s filter options challenge supervision goals. There is no ability to sort and
    filter messages based on content or metadata relevant to the supervision policy.

•   Deleting all messages in a supervision mailbox is not audit logged against the
    messages.

•   A supervisor can reply to or forward a message from within the supervision
    mailbox, but cannot audit or review what messages have been sent from the
    supervision mailbox.

•   An individual who reviews multiple Supervision mailboxes must go through each
    supervision mailbox one-at-a-time. There is no ability to gain a unified view
    across multiple supervision policies.

•   At present, there is no migration support between the old Supervisory Review
    feature and the new Supervision feature. Policies from the previous approach
    have to be deleted; they cannot be migrated and updated, and they are not
    automatically updated.

•   Messages are captured for post-delivery or after-the-fact review, but there is no
    ability to quarantine an offending message and have it routed for approval
    before it is released.

•   The audit log in Office 365 is blind to supervision policies: actions like creating,
    editing, and deleting supervision policies are not audit logged.

MISCELLANEOUS ISSUES TO CONSIDER
•   Passphrases are not supported within Office 365. These are generally longer
    phrases that contain multiple natural language words that are easier to
    remember than a password with a difficult pattern. For example, a passphrase
    could be "I wrecked the car while driving Sherry to the prom." This is a
    50-character “password” that is simultaneously easy to remember for the end user
    but, due to its length, harder for an attacker to guess or crack. Office 365 does
    not support passphrases because Azure AD accounts do not support the use of
    spaces, and are limited to a maximum of 16 characters.

•   New reports on access and authentication cannot be created by administrators.

Next Steps
Any decision maker considering the deployment of Office 365 would be well-advised
to do so – it’s a solid platform that will provide robust benefits. But they must also
consider limitations in the platform to determine how it will fit into their existing
environment and what third-party solutions should also be considered to improve the
overall deployment.

DO YOUR HOMEWORK FIRST
The decision to migrate to Office 365 is often top-down: the CIO, CEO or others in
senior management will decide that their organization will move to the platform and
the architects, security teams and others are charged with making it happen. The
problem is that some existing processes, on-premises solutions, various applications,
etc. won’t play well with Office 365. The problem is compounded by the fact that
those charged with making Office 365 work often don’t know the platform all that
well, and so they are learning it as they implement it. The process of learning the
minutiae of Office 365 can be tedious and, because Microsoft frequently updates
features and functions in the platform, it’s hard to keep up. Consequently, we highly
recommend doing as much due diligence on Office 365 as is possible before the
decision is made to move to the platform.

UNDERSTAND THE COSTS OF OFFICE 365
Decision makers should conduct a thorough cost analysis of Office 365 over time.
While some Office 365 customers will opt for Enterprise Plan E5 (with a current list
price in the United States of $35 per seat per month) others may choose to stay with
Enterprise Plan E3 and use add-on solutions to improve its eDiscovery, archiving,
security and other functionality. Osterman Research has determined that the use of
third-party solutions alongside a less expensive Office 365 plan (e.g., Enterprise Plan
E3 with a current list price in the United States of $20 per seat per month) will offer
better capabilities than Plan E5, and at a reduced total cost per month. The more
important capabilities for which third-party solutions should be considered include:

•   Data protection, which should include storage of Office 365 data on a non-
    Microsoft platform, as well as capabilities to recover individual files and corrupted
    data.

•   Protection of corporate data that permits organizations to delete individual
    records from their Office 365 accounts in order to comply with requirements like
    GDPR’s Right-to-be-Forgotten.

•   Archiving of various content types that contain business records, including
    SharePoint and OneDrive data.

•   The ability to conduct supervision for users in more heavily regulated
    organizations, such as financial services.

•   Robust eDiscovery capabilities that provide good workflow and project tracking
    capabilities, more granular eDiscovery, and an SLA for search.

Summary and Conclusions
Organizations that opt to deploy Office 365 will generally be well-served: it’s a solid
platform that will satisfy a number of business requirements for archiving, security,
data protection, encryption and other key business processes.

However, Osterman Research recommends that Office 365 deployments include an
accompanying, robust data protection solution. Office 365 does not yet include
adequate controls to protect against data deletion by rogue administrators in all
cases, so essential corporate data can be cleared maliciously or even accidentally,
storage costs for retention can end up growing quickly, and backup capabilities in the
platform violate the well-established “3-2-1 Rule”. Osterman Research recommends
the use of a third-party solution that will address Office 365 data protection
holistically, offering support for Exchange Online, OneDrive, SharePoint, Teams and
other capabilities in the Office 365 platform.
About Commvault
Commvault is the recognized leader in data backup and recovery. Through a single
interface, Commvault provides data protection for on-premises and cloud-based data
workloads. Commvault provides a comprehensive data management platform for
managing data across files, applications, databases, hypervisors, and clouds.
Commvault includes data backup, recovery, management and e-discovery,
capabilities that are tightly integrated with today’s leading cloud providers.

Commvault data protection extends to Office 365, providing backup and restore for
Exchange Online, SharePoint Online and OneDrive for Business. With Commvault,
enterprises can quickly and efficiently complete migration of on-premises Exchange
Mailboxes to Office 365 through the archiving of redundant, outdated, and trivial
data, allowing you to migrate only recent and business-critical data.

© 2019 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed
without the permission of Osterman Research, Inc., nor may it be resold or distributed by any
entity other than Osterman Research, Inc., without prior written authorization of Osterman
Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes
legal advice, nor shall this document or any software product or other offering referenced herein
serve as a substitute for the reader’s compliance with any laws (including but not limited to any
act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent
legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no
representation or warranty regarding the completeness or accuracy of the information contained
in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR
IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE
ILLEGAL.
