Office 365 has successfully moved mountains of email from on-site servers to the cloud. But, does Office 365 really meet the criteria for archiving compliance, e-discovery, and legal holds? Should businesses consider and use a third-party email archiving solutions?
Join us as we explore these questions and their answers.
Office 365 and Email Compliance
Tools provided by Office 365 often fall short of what enterprises are already using. Search, email retention, and access are all limited in scope, creating a difficult situation for those who need to perform investigations, audits, and e-discovery.
HIPAA and HI-TECH Compliance
Office 365 offers a HIPAA Business Associate Agreement, which allows a covered entity to enter into an agreement with Microsoft to use its various services. What this means is that covered entities can use Microsoft services to handle Personal Health Information (PHI) so long as a BAA exists between that covered entity and those Microsoft services.
Third-party archiving service providers are HIPAA compliant and are capable of entering into BAAs with covered entities.
SEC/FINRA Compliance
While Office 365 is stating that it is SEC/FINRA compliant, Microsoft also presents a disclaimer that warns it cannot prevent a user from intentionally or inadvertently deleting an email. This suggests that, in practice, Office 365 may not actually meet the SEC requirement that email must be stored in an immutable repository that cannot be modified by any means.
Archiving services provide immutable email archiving for SEC/FINRA compliance along with audit logs for email subject to SEC/FINRA regulatory compliance.
Business Governance Compliance
Integration of business governance into email archives is not currently offered in Office 365. Customers who need this kind of service have to hire third-party vendors that offer tools for integrating governance rules into how email is transported and archived.
Third-party archiving services have stepped up, providing the tools to seamlessly integrate business governance into email archiving strategies.
European Union General Data Protection Regulation (GDPR)
In this April 17, 2017 post, Microsoft outlines how it will be compliant with the GDPR when it goes into effect on May 25, 2018. Microsoft says,
“Our contractual commitments guarantee that you can:
- Respond to requests to correct, amend or delete personal data.
- Detect and report personal data breaches.
- Demonstrate your compliance with the GDPR.”
The GDPR is a complex body of laws that govern the collection, hosting, and analysis of personal data originating from EU residents. Some of the limitations and shortcomings of Office 365 might make its compliance claim a bit difficult to truly stick.
Usability Controls
Search
The search tool can perform only relatively simple search queries, making information searches difficult, tedious, and time consuming.
Email archiving services provide tools and options that make performing searches quick and easy by providing support for complex search queries and multiple concurrent searches that have minimal impact on system performance.
Furthermore, searches can be conducted on an unlimited number of email boxes, with few if any limitations on search export size.
Access Control
Office 365 manages access based on a person’s login and what Office 365 services they are trying to access. Users who are seeking access to Office 365 services can create a custom App-ID for secure Office 365 logins.
Access control based on these two criteria may not meet minimum regulatory compliance for safeguarding of data.
Third-party email archiving services complement the Office 365 Access Control by providing more granular control over how access is granted (or denied).
Archive Access Logging
This feature in Office 365, like so many others, is directly tied to having an Exchange Online account for each user. This presents difficulties of its own, especially for businesses that may still have legacy on-site Exchange servers.
Aside from that, the mailbox auditing tool is limited to pre-configured options that may not be all that helpful for businesses.
A good third-party email archiving service will provide and archive audit tool that has the options and flexibility a company needs in order to ensure full regulatory and governance compliance.
User Permissions
Common business functions are mapped to the various admin roles in Office 365, effectively removing the ability to apply custom configurations to each admin role. This makes the setting of appropriate user permissions difficult, if not outright impossible.
Flexibility is key for organizations, and email archiving solutions realize this.
User permissions are highly configurable, allowing the global admin to create and configure user permissions based on user role and minimum level of access necessary to perform their work.
Email Retention
Office 365 claims to have support email retention policies, but the implementation is difficult at best. According to Microsoft documentation, only Exchange Online mailboxes can be included in a retention policy.
Each mailbox must be assigned to an Exchange Online Plan 2 license. Exchange Plan 1 mailboxes must be assigned to a separate Exchange Online Archiving license in order to be included in the retention policy.
This is unnecessarily complex and difficult to manage. Email retention policy options are so limited that even Microsoft provides a disclaimer of sorts stating that – even with an Office 365 retention policy in place – there is no way to prevent a user from deleting email managed by a retention policy.
This falls far short of regulatory compliance and business governance requirements for most businesses.
Third-party archiving services provide email retention tools that allow the administrator to set email retention policies that are tailored to legal compliance and business governance needs.
Furthermore, all email is stored in an immutable repository that prevents unauthorized or inadvertent deletion of email covered by the organization’s retention policy.
eDiscovery
Timely e-discovery is a must for nearly every type of organization. Audit requests, legal discovery, and other information requests must be fulfilled in a limited amount of time. Office 365 has made some inroads here, but its tools still lack the power and flexibility they need.
An email archiving service provides the tools needed to quickly fulfill eDiscovery requests that are compliant, both legally and in terms of governance.
In Conclusion
Office 365 has a lot to offer its enterprise end users. However, enterprise-class, compliant email archive management with Office 365 is difficult, patchy, and inadequate for most business use cases.
Third-party archiving services that offer compliant, easy to manage email archiving solutions make the perfect complement to Office 365.