Enhancing Data Protection in Office 365.Pages

Osterman Research WHITE PAPER

White Paper by Osterman Research Published June 2019 Sponsored by Commvault

Enhancing Data Protection in MicrosoftO Ofﬁce 365 Enhancing Data Protection in Microsoft Office 365

Executive Summary When decision makers consider moving their users to Office 365, a critical issue that faces them is:

• Will the platform be a complete replacement for all on-premises Microsoft servers and capabilities, or

• Will it merely be an addition to current on-premises capabilities?

Our research, as well as that of many others, indicates that most organizations are largely opting for the former: Office 365 is replacing on-premises deployments of Microsoft Exchange and other on-premises email platforms. While many other platforms will continue to be used, particularly in larger organizations, Office 365 is becoming the leading business email and collaboration tool in the workplace.

While Microsoft offers a solid platform of useful features and functions with Office 365, no platform can be all things to all users, and so decision makers must perform due diligence and determine what Office 365 does well and in which areas supplementary or replacement solutions from third parties will be required. Moreover, there is also the issue of whether the native capabilities in Office 365 provide adequate support for non-Microsoft content sources. Osterman Research holds the Retention view that Office 365 is a solid and robust platform, but that in most cases organizations will want and need to deploy additional solutions to offer better Policies by performance or functionality, or to provide necessary functionality for solutions not offered by Microsoft. Plus, as discussed in this paper, the use of third-party solutions themselves do can be useful in helping to drive down the cost of an Office 365 deployment. not protect

What follows is a discussion of the limitations within the Office 365 platform that against a rogue decision makers will want to consider as they decide how to deploy Office 365 in their administrator environment. unless ABOUT THIS WHITE PAPER Retention Lock This white paper was sponsored by Commvault. Information about the company is provided at the end of this paper. is added. However, this feature cannot Data Protection Within Office 365 be disabled Osterman Research has identified some limitations in Office 365’s data protection approach: once it is turned on. • Use of the Recycle Bin is essential for accidental deletion protection, but content from the Recycle Bin can be accidentally or maliciously cleared, and so it does not offer a true data protection option in and of itself.

• The use of Retention Policies can result in an increase in storage use within OneDrive and SharePoint, potentially resulting in having to pay for extra storage beyond what is included in a given plan once the storage allocation has been reached. Extra storage is priced at $0.20 per gigabyte per month, meaning that an additional 50 gigabytes of storage per user in a 1,000-user company will cost $10,000 monthly.

• Moreover, Retention Policies by themselves do not protect against a rogue administrator unless Retention Lock is added. However, this feature cannot be disabled once it is turned on, and so organizations that experience a major increase in storage will not be able to rectify that problem by disabling Retention Lock. This can also be an issue for organizations that are obligated to delete data, such as from a “right-to-be-forgotten” demand under GDPR.

BACKING UP OFFICE 365 The best practice of having three copies of data – two on different platforms and one in a remote location – is a well-established practice for data protection. However, within Office 365 the native capabilities to protect data use the platform itself to provide data protection, a violation of this best practice. The use of an external service or platform to protect Office 365 data is more in line with sound data protection – even Microsoft itself recommends doing this in its service agreement.

There are some capabilities within Office 365 for recovering corrupted data. For example, Files Restore will return OneDrive to a specific point in time from the past 30 days. It reverts all basic file and folder operations that transpired during the selected time period, but it does not support a selective restoration. For selective restoration – such as to recover a file or folder that was deleted accidentally rather than being subject to a ransomware attack – OneDrive offers access to the Recycle Bin and/or Version History for each file to roll back to a previous version. The ability to restore files, folders, and subfolders is a standard feature in third party backup tools.

Similarly, SharePoint sites and subsites can be restored, but this can be accomplished by Microsoft support, and there are some limitations with this process, including the fact that there is no SLA for it. If a site collection must be restored, Microsoft can restore only the entire site in place, but any data created after the latest backup will be lost. The process of restoring subsites to alternate locations is possible, but Microsoft says this process is more complicated and error-prone than a full site collection restore. Customers are LONG-TERM ARCHIVAL OF DATA Data from Office 365 will be retained for three years and then deleted afterwards, responsible for and deleted emails will be moved into an archive folder and held there for three access and years, after which they will be deleted. It is important to note that the total retention period will be three years, not three years in mainline storage and an additional three control of their years in an archive folder. There are some other issues to consider: data that

• The import process can corrupt a mailbox resides in the Importing data can accidentally corrupt a mailbox in some circumstances. For example, if a .PST file has been imported into a mailbox, it is not possible to Office 365 remove only the imported emails or to do a point-in-time restore to a point prior infrastructure. to the .PST import. A user in an online forum posted this exact scenario, including the difficulty in cleaning it up without the ability to do a point-in-time restore.

• Users who are on legal hold When a user is on legal hold, their deleted email is not automatically migrated to an archive folder, but is instead put into the “dumpster”. If the dumpster exceeds 100 gigabytes, it must be manually moved to an archive folder or a separate retention policy must be established to manage it.

Other Issues to Consider WHO PROTECTS WHAT? Office 365 is a robust offering and Microsoft has gone to significant lengths to ensure that the platform stays up and running. However, there are some important issues for any current or prospective Office 365 customer to consider:

• Office 365 uses what it calls the “shared responsibility model”. This model dictates that Microsoft is responsible for its global infrastructure and ensuring that the Office 365 remains up and running; while customers are responsible for access and control of their data that resides in the Office 365 infrastructure.

• While Office 365 is a fairly reliable system on a worldwide basis (it achieved 99.97 percent reliability during the first quarter of 2019i), it suffers from somewhat frequent outages on a more localized, regional basis. For example, it suffered from four such outages in April 2019 and five in May 2019ii. These outages can result in data loss.

• Microsoft states that “point in time restoration of mailbox items is out of scope for the Exchange Online service.iii” That means that if an organization suffers an account takeover, ransomware attack, or data deletion from a malicious insider, among other potential problems, there is no guarantee of being able to restore lost data.

In short, this means that Office 365 customers are responsible for their own data, just as if they were managing their own email and collaboration solution on-premises. Consequently, organizations that deploy Office 365 will still need to maintain robust data protection capabilities to protect against data loss.

THE NEED FOR AN EMAIL JOURNAL Journaling is a useful tool in helping organizations to satisfy their regulatory, legal and best practice compliance requirements, since it records all inbound and outbound email communications that occur within an environment. Journaling is useful in the context of satisfying compliance requirements that exist in the financial services, healthcare and various other industries.

Office 365 email (Exchange Online) does not have a conventional email journal, but Microsoft has changed its Office 365 model to achieve the same “compliance outcome” of a journal service. By putting all relevant mailboxes on In-Place Hold, all emails sent and received will be retained indefinitely and cannot be deleted by users. Inactive mailboxes within the environment (e.g., those belonging to ex-employees) may also be placed on Indefinite Hold. Office 365

For organizations that have an existing journal that must be migrated to Office 365, customers are one of the following will be necessary: responsible for

• The existing journal must be moved to a third-party journal service and content their own data. will continue to be written to the journal from Office 365, or

• All of the existing journal content must be migrated to Office 365.

The first option will require that two locations be maintained and searched in order to satisfy an organization’s information governance and eDiscovery requirements, and it may result in a less expensive and more practical solution, particularly if an organization must retain large volumes of information.

The second option is possible through the use of specialist migration software, but Microsoft’s guidance on where to migrate journal content is not clear. Plus, there exist some limitations on how mailboxes in Office 365 can be used to retain email belonging to multiple users.

THIRD-PARTY ENCRYPTION SOLUTIONS OFFER BETTER PERFORMANCE The first version of Office 365 Message Encryption had some weaknesses, such as lack of robust reporting and a less-than-optimal user interface for recipients of encrypted messages. The newer version, Office 365 Message Encryption Version 2 (OMEv2) offered some significant improvements, but still has some limitations compared to some third-party solutions. For example:

• Some customers of Office 365 have noted the inability to send encrypted messages to other Office 365 tenants under various conditions, specific and frequently changing version requirements for Outlook (along with some

noteworthy bugs), and the non-disclosure by Microsoft of tenant-level settings in Office 365 that prevent encryption from working in some cases.

• Some customers found the Do Not Forward encryption setting that Microsoft released with OMEv2 undesirable because it imposed both encryption and rights management settings on the message and any attachments that were considered by some to be too restrictive. While a new release removed right management after delivery of encrypted messages, some consider OMEv2 not to be a reliable option in both Outlook for Windows and the Mac. Microsoft has had to introduce new tenant-level settings to address post-delivery problems where recipients were not able to read encrypted attachments. The new setting removes the encryption applied to attachments for certain recipients under certain conditions.

• Encrypted messages that are sent to recipients using Google Gmail and Yahoo! Mail can employ their respective identities to decrypt the message in the viewing portal. While this is a transparent and convenient process for recipients, it also means that if the sender sends the encrypted email to the wrong recipient, that individual will be able to access the encrypted message using only their Google or Yahoo! credentials. The sender cannot require additional identity verification to assure that the message has been received by the correct recipient, such as multi-factor authentication. Similarly, if a user's Google or Yahoo! account is compromised, a bad actor will be able to use the transparent decryption process to access encrypted messages. Moreover, if a recipient's Google or Yahoo! account is compromised, the bad actor can send encrypted replies to the original sender and other recipients, opening an avenue for phishing attempts that seem more credible and may be more difficult to detect.

• The requirement for links within encrypted messages to recipients who are not Users cannot using Outlook will result in some encrypted messages looking like phishing messages, particularly because they request a username and password to login. automatically Some email services, such as Gmail, can classify OMEv2 messages as phishing encrypt all because of this request and will warn recipients not to click the link. In short, the reliance on links in OMEv2 messages can make them look like phishing messages sent messages. through • Users cannot automatically encrypt all messages sent through Outlook. Outlook.

• Because OMEv2 does not encrypt the subject line of the message, senders of encrypted messages must be careful not to include sensitive or confidential information in the subject line.

• OMEv2 does not offer insights or reporting capabilities for the sender of the message after it has been delivered. While the Office 365 Security & Compliance Center offers reporting on encrypted messages for Office 365 administrators, this information is not available to end users, and does not report on any post- delivery actions by recipients. Moreover, the sender cannot change the encryption status or rights after the message has been sent, a message cannot be revoked once it has been sent from Outlook or Outlook on the web (although administrators can do so for senders using PowerShell, but only for all recipients), and senders have no way of knowing in-band that his or her message was not delivered as expected if it ends up being classified as spam.

• Office 365 supports encryption primarily for Microsoft file types. For example, while PDF files can be encrypted in transit, they will not be encrypted once the message is received.

ARCHIVING ISSUES TO CONSIDER Archiving, a best practice distinct from backup, is essential to ensure that all relevant business records are retained for the appropriate length of time as required by regulations, legal obligation or corporate best proactive.

Microsoft has included archiving capabilities within Office 365, but not for all file types. For example, while archiving is not provided for the content generated by third-party applications, it also is not provided even for some Microsoft file types, such as Skype for Businessiv or SharePoint. For example:

• It is not possible to archive SharePoint content that is no longer current to alternative and less expensive storage systems as is possible with many third- party archiving solutions. Although Office 365 customers can add unlimited SharePoint storage capacity, it is not inexpensive. Organizations that maintain large volumes of SharePoint data will end up paying more if they need to keep their live SharePoint content minimized without incurring additional long-term storage fees, or that want to archive content away from SharePoint Online.

• No native archiving service for Skype for Business Online is availablev. Instead, archiving for Skype for Business Online relies on Exchange Online for archiving content if specific conditions are met. While Skype instant messaging transcripts are retained in the Conversation History folder in each user's Exchange Online mailbox, unless the mailbox is on legal or litigation hold, a user is able to delete their instant messaging transcripts at will. That can result in spoliation of evidence or an inability to fully regulatory obligations. A legal hold is required to force the retention of Skype messages, meaning that all Exchange Online mailboxes must be on hold at all times for this to work. Microsoft has • Office 365 offers SMS/text messaging archiving capabilities for BlackBerry devices, but not for iOS or Android devicesvi. included archiving • The content from some third-party collaboration, messaging, social media and other content sources can be archived into Exchange Online in Office 365, but capabilities only as converted email messages if agreements are in place with a third-party within Office data partner. Messages are stored in the Exchange Online mailbox belonging to the specific user, and for content that cannot be tracked to a named individual, a 365, but not for catch-all mailbox is used. The conversion of third-party content in this way all file types. removes key elements of context, and makes it difficult to re-create a historically valid chain of events in some cases.

THE IMPORTANCE OF eDISCOVERY The process of electronic discovery (eDiscovery) is key for any email and collaboration because of the need to produce information in support of litigation efforts, and because a large part of the typical organization’s data is stored in their email and collaboration databases. Office 365 offers some important eDiscovery capabilities, but there are some limitations to consider. For example:

• There is no Service Level Agreement (SLA) for a Content Search or eDiscovery search, but Microsoft claims that 100 mailboxes can be searched in 30 seconds and 10,000 mailboxes in four minutes. Based on user feedback, Osterman Research has found that this goal is not met consistently.

• Individual retention, preservation and disposition policies cannot be created for a user’s mailbox and their Online Archive. Some third-party solutions allow different policies to be created for each.

• Office 365 offers an advanced eDiscovery capability for Office 365 applications, but it is not “in-place” and they are not integrated directly into the data sources. Consequently, the effort is a two-step process, requiring a search and export for

data using the Security & Compliance Center capabilities, and then selecting the advanced eDiscovery center as a destination before running the advanced tools

• The European Union’s General Data Protection Regulation (GDPR) ushered in a shift to privacy regulations beyond traditional data security mandates. The GDPR and other regulations include the expectation of being able to handle robust search capabilities for subject access requests, as well as good discovery and deletion capabilities to support the “right to be forgotten”. Office 365 includes basic functionality to support these requirements, but the burden is still on IT to carry them out through IT-centric processes and admin interfaces. With GDPR and the new California Consumer Privacy Act (CCPA), these requests will continue to increase. As a result, organizations need to be prepared to have IT disrupted by a potentially significant number of requests that should really be delegated to line-of-business owners. Third-party solutions are available to address this compliance requirement and prevent it from becoming an IT bottleneck.

Office 365 includes a range of eDiscovery capabilities for searching for responsive material, plus a more advanced eDiscovery service called Advanced eDiscovery that adds text analytics, machine learning, and relevance and predictive coding for early case assessment. Advanced eDiscovery is available in the premium Enterprise E5 plan, and as an additional cost add-on to the much less expensive Enterprise E3 plan. However:

• Office 365 includes minimal workflow or project tracking for an eDiscovery case, such as the status of the case (apart from Active and Closed), the individuals who are involved, and the current state of tasks assigned to the case. Office 365 includes • eDiscovery case administrators have no ability to send legal hold notification alerts, reminders or escalations within the Office 365 Security & Compliance minimal Center and so must be handled out-of-band. workflow or

• Cases consist of holds and searches and no two searches within any eDiscovery project case across the organization can have exactly the same name. Office 365 will permit a given name to be used only once in eDiscovery cases across the entire tracking for an tenant. eDiscovery

• eDiscovery cases within Office 365 are created and managed in an ad-hoc way case. and a compliance officer is responsible for entering ad-hoc search terms. It is not possible to create a case template for repeatability and auditing, with standard search queries and locations, key actions and requirements to complete, and an audit trail of what has and has not been completed. This can be an issue for organizations that are not doing eDiscovery on a regular basis, since the ad-hoc approach means that previous knowledge and techniques are likely to be forgotten and overlooked in a current eDiscovery case, possibly exposing an organization to sanction for insufficient production of evidence.

• Configuration of a more limited search scope for eDiscovery managers searching OneDrive, SharePoint Online repositories, and Exchange mailboxes is not possible. For example, any eDiscovery manager can search any OneDrive folder, SharePoint Online site, or Exchange mailbox anywhere in the world and no controls currently exist to restrict access by country or region.

• Signature blocks cannot be excluded from the search scope on email messages, so if a keyword appears in an email signature it can generate a high rate of false positives.

• The eDiscovery capabilities in the Office 365 Security & Compliance Center allow content to be searched in user and group mailboxes in Exchange Online, sites in SharePoint and OneDrive, and Exchange public folders. Workloads that store content in these containers can be searched, but other workloads that do not are

excluded (such as Yammer, Microsoft Stream, and Microsoft Planner). Further, an eDiscovery case created in the Security & Compliance Center cannot search for responsive content in content repositories outside of Office 365, such as those maintained on-premises or in other cloud services. This limited approach means that any organization with content outside of Office 365 – including SharePoint 2013 and 2016 on-premises – will need multiple eDiscovery tools, in addition to having to start, conduct, and coordinate multiple eDiscovery cases in each separate tool.

• When generating search results for Exchange Online, SharePoint Online and OneDrive, these must be exported from Office 365 to facilitate the review process; the Exchange content as one or more .PST files, and the SharePoint and OneDrive content as individual files (with an option for all versions). This creates several challenges: 1) a duplicate content set apart from Office 365 needs to be protected, 2) there is no reporting on actions taken on the exported content in the eDiscovery case because Office 365 is blind to post-export actions, 3) if the search is run again then another export is required along with integration of multiple sets of data, and 4) there is no connection between what was collected and the coding decisions made to that content in order to inform future cases and reduce the volume of potentially responsive content in Office 365.

• The exports from Office 365 content stores are not protected and so are at risk of alteration and spoliation. The output is a raw native export and not in a preservation format, such as forensic image format, which many third-party eDiscovery collection tools offer.

OFFICE 365 DOES NOT INDEX ALL KEY FILE TYPES There are some Microsoft indexes 58 file types, most of which are focused on types generated by Microsoft applications. When undertaking an eDiscovery search and performing an limitations in early case assessment, any file that is not included in these 58 will be flagged as Office 365 in unprocessed. When applying DLP rules, file types not included will not trigger the capture rules. The implication is the need for a manual review of these non- the context of supported file types by a compliance officer or legal counsel, adding to the cost of looking for processing the data. Moreover, keyword searches might also miss relevant content due to the use of a “best-effort” index. If an organization makes regular use of non- sensitive data supported file types, it should look at third-party tools that will index additional file in email types. messages. SENSITIVE DATA There are some limitations in Office 365 in the context of looking for sensitive data in email messages:

• When analyzing content for sensitive data there is a reliance on either the Sensitive Information Types provided by Microsoft, or a custom-definition created by the customer itself. Sensitive data matching is fairly easy to bypass to exfiltrate data; the matching algorithms look for exact matches and are easy to trick. For example, matching a credit card number can be circumvented by changing any one of the 16 digits into the equivalent word (e.g., writing the last four digits as “997nine”, which will not match against the credit card regex); or matching a SWIFT code by changing a digit to a word or a letter to the alphabet equivalent (e.g., writing the SWIFT code WPHBVZ4W as WPHBVZed4W.)

• In situation where there is no attempt to deliberately obfuscate the presence of Sensitive Information, messages that contain sensitive information can be missed by DLP policies if explanatory metadata is missing from the email. For example, an email that contains a Social Security Number, but not the explanatory phrase “Social Security Number” will not trigger a DLP policy looking for them.

In short, matching sensitive data requires more or less perfection in how sensitive data is formed in a message, and does not use a balanced evaluation for the presence of sensitive data.

STORING AUDIT LOGS FOR COMPLIANCE By default, the Office 365 Audit Log will retain audit events only for 90 days for Office 365 subscribers with Enterprise E3 or below and there is no way to increase this period. This means that the Audit Log won’t be useful when trying to track down an issue or problem that occurred beyond the past three months. However, the exception is audit log entries within Exchange Online, where an administrator can change the default from 90 days for Exchange audit log entries. For customers with Office 365 E5 and Microsoft 365, audit log entries can be retained for up to one year. This change was introduced to public preview in October 2018, but applies only to audit log records generated after the longer duration comes into effect. Existing log entries are unaffected by the longer retention duration.

Within Azure Active Directory, the free and basic editions retain activity and security audit items for only seven days. Gaining insight into account compromise, for example, is generally not possible unless it is identified almost immediately – given that dwell times can be several months longer, seven days is not adequate. With a subscription to Azure AD Premium P2, this can be increased to a maximum of 30 days for activity items and 90 days for security items.

Any organization that needs longer-term access to their audit report items – such as seven years’ worth of data under some compliance regulations – should be aware of the limitations of the Office 365 Audit Log service. eDISCOVERY ACROSS EX-EMPLOYEE DATA Consider using Complete eDiscovery must include data generated by ex-employees. To date, third-party Microsoft’s inactive mailbox facility has enabled the mailboxes of those who have left the organization to be retained indefinitely without charge, although in October 2017 solutions to the intent to charge US$3.00 per mailbox per month was suggested. However, after meet the receiving pushback from customers and MVPs, Microsoft revoked the introduction of this cost until further notice. challenges of a

Given that the average employee, at least in the United States, changes jobs about hybrid every four years, Osterman Research predicts the exponential growth of ex-employee environment. data will make it almost inevitable that inactive mailboxes will attract new licensing terms during 2019 or 2020. This is likely to drive enterprises to seek lower-cost strategies for hosting ex-employee data.

THE NEED TO MANAGE HYBRID ENVIRONMENTS Hybrid environments in Office 365 – whether on-premises Exchange, other on- premises systems or other cloud solutions – create their own challenges. For example, Office 365 hybrid deployments introduce a number of interfaces on- premises and in the cloud that make day-to-day management and automation more difficult, partly because they are not connected. Moreover, the synchronization of identities from on-premises to cloud-enabled rules can make it difficult to make changes without complex scripts and privileged accounts. Consequently, tasks that the help desk could perform before can no longer be accomplished in hybrid environments, with the result that the increased administrative burden can negate much of the perceived benefit that Office 365 provides.

In hybrid environments, organizations should consider using third-party solutions to meet the challenges that will be posed by these environments. This is especially true for larger organizations that will have a higher proportion of on-premises users and applications even after migrating to Office 365.

AUTHENTICATION WITH AZURE ACTIVE DIRECTORY Disruptions in one region with Azure AD can have cascading effects to other data centers and regions. While Microsoft’s intent is that Azure AD is globally resilient, the architecture for Azure has not yet delivered a completely fail-safe, cloud-based authentication service. As one example, a lightning strike in Texas on September 4, 2018 disrupted the cooling systems at the US South Central data center in San Antonio. This had a significant impact on both Office 365 and Azure services, with customers outside of the US South Central region experiencing Azure AD authentication problems.

Microsoft's implementation of multi-factor authentication (MFA) in Azure and Office 365 delivers a single point of failure. If MFA is experiencing downtime, affected users cannot log in – this happened two times during November 2018. Some customers using third-party MFA services with Office 365 claimed to be unaffected by the outages, such as those using Duo and Okta.

SUPERVISORY REVIEW FOR FINRA COMPLIANCE Some industry regulations, especially those enforced by the Financial Industry Regulatory Authority (FINRA), necessitate the capture and review of communications between various individual, such as broker-dealers and registered investment advisors with their clients. Office 365 previously offered a Supervisory Review Supervision capability that could work with Exchange Online messages, but it had some issues. works only Microsoft replaced the legacy Supervisory Review capability in May 2017 with a new Supervision tool that requires the Enterprise E5 plan or the Advanced Compliance with Exchange add-on. Administrators with the appropriate access permissions can set up one or Online in Office more supervision policies. For example: 365, but does • Every individual who must be covered by a Supervision policy needs an not address Enterprise E5 license or the Advanced Compliance add-on. This is a per-user licensing requirement, not an organizational-level option. Microsoft's other commun- • Supervision works only with Exchange Online in Office 365, but does not address Microsoft's other communication tools, such as Yammer and Skype for ication tools, Business/Microsoft Teams. This is a problem for users who employ these tools such as and need to have their communications supervised. Yammer and • Once a supervision policy has been established, a private shared mailbox is provisioned for receiving the messages that have been captured. Supervisory Skype for reviewers must connect to the shared mailbox to review and assess each Business/ message. Microsoft • Built-in workflow is not available to alert reviewers of a new supervision policy Teams. that provides them the ability to review messages. Advising reviewers must be handled out-of-band by the person who set up the supervision policy.

• A single individual can be both the person to put under supervisory review and the reviewer of a given policy.

• Sensitive information types does not work in Supervision policies.

• When adding conditions to the supervision policy, words or phrases must match exactly, and so a misspelt variant will not trigger the supervisory rule. It would be useful if Office 365 offered the ability to use fuzzy matching.

• Outlook’s filter options challenge supervision goals. There is no ability to sort and filter messages based on content or metadata relevant to the supervision policy.

• Deleting all messages in a supervision mailbox is not audit logged against the messages.

• A supervisor can reply to or forward a message from within the supervision mailbox, but cannot audit or review what messages have been sent from the supervision mailbox.

• An individual who reviews multiple Supervision mailboxes must go through each supervision mailbox one-at-a-time. There is no ability to gain a unified view across multiple supervision policies.

• At present, there is no migration support between the old Supervisory Review feature and the new Supervision feature. Policies from the previous approach have to be deleted; they cannot be migrated and updated, and they are not automatically updated.

• Messages are captured for post-delivery or after-the-fact review, but there is no ability to quarantine an offending message and have it routed for approval before it is released.

• The audit log in Office 365 is blind to supervision policies: actions like creating, editing, and deleting supervision policies are not audit logged.

MISCELLANEOUS ISSUES TO CONSIDER • Passphrases are not supported within Office 365. These are generally longer phrases that contain multiple natural language words that are easier to remember than a password with a difficult pattern. For example, a passphrase could be "I wrecked the car while driving Sherry to the prom." This is a 50- character “password” that is simultaneously easy-to-remember for the end user but, due to its length, harder for an attacker to guess or crack. Office 365 does Any decision not support passphrases because Azure AD accounts do not support the use of maker spaces, and are limited to a maximum of 16 characters. considering the • New reports on access and authentication cannot be created by administrators. deployment of Office 365 Next Steps would be well- Any decision maker considering the deployment of Office 365 would be well-advised advised to do to do so – it’s a solid platform that will provide robust benefits. But they must also consider limitations in the platform to determine how it will fit into their existing so. environment and what third-party solutions should also be considered to improve the overall deployment.

DO YOUR HOMEWORK FIRST The decision to migrate to Office 365 is often top-down: the CIO, CEO or others in senior management will decide that their organization will move to the platform and the architects, security teams and others are charged with making it happen. The problem is that some existing processes, on-premises solutions, various applications, etc. won’t play well with Office 365. The problem is compounded by the fact that those charged with making Office 365 work often don’t know the platform all that well, and so they are learning it as they implement it. The process of learning the minutiae of Office 365 can be tedious and, because Microsoft frequently updates features and functions in the platform, it’s hard to keep up. Consequently, we highly recommend doing as much due diligence on Office 365 as is possible before the decision is made to move to the platform.

UNDERSTAND THE COSTS OF OFFICE 365 Decision makers should conduct a thorough cost analysis of Office 365 over time. While some Office 365 customers will opt for Enterprise Plan E5 (with a current list price in the United States of $35 per seat per month) others may choose to stay with Enterprise Plan E3 and use add-on solutions to improve its eDiscovery, archiving, security and other functionality. Osterman Research has determined that the use of

third-party solutions alongside a less expensive Office 365 plan (e.g., Enterprise Plan E3 with a current list price in the United States of $20 per seat per month) will offer improved capabilities than Plan E5 and at a reduced total cost per month. The more important capabilities for which third-party solutions should be considered include:

• Data protection, which should include storage of Office 365 data on a non- Microsoft platform; as well as capabilities to recover individual files and corrupted data.

• Protection of corporate data that permits organizations to delete individual records from their Office 365 accounts in order to comply with requirements like GDPR’s Right-to-be-Forgotten.

• Archiving of various content types that contain business records, including SharePoint and OneDrive data.

• The ability to conduct supervision for users in more heavily regulated organizations, such as financial services.

• Robust eDiscovery capabilities that provide good workflow and project tracking capabilities, more granular eDiscovery, and SLA for search.

Summary and Conclusions Organizations that opt to deploy Office 365 will generally be well-served: it’s a solid Osterman platform that will satisfy a number of business requirements for archiving, security, Research data protection, encryption and other key business processes. recommends However, Osterman Research recommends that Office 365 deployments include an that Office 365 accompanying, robust data protection solution. Office 365 does not yet include adequate controls to protect against data deletion by rogue administrators in all deployments cases, so essential corporate data can be cleared maliciously or even accidentally, include an storage costs for retention can end up growing quickly, and backup capabilities in the platform violate the well-established “3-2-1 Rule”. Osterman Research recommends accompanying, the use of a third-party solution that will address Office 365 data protection holistically, offering support for Exchange Online, OneDrive, SharePoint, Teams and robust data other capabilities in the Office 365 platform. protection

solution. About Commvault Commvault is the recognized leader in data backup and recovery. Through a single interface, Commvault provides data protection for on-premises and cloud-based data workloads. Commvault provides a comprehensive data management platform for managing data across files, applications, databases, hypervisors, and clouds. Commvault includes data backup, recovery, management and e-discovery, capabilities that are tightly integrated with today’s leading cloud providers.

Commvault data protection extends to Office 365, providing backup and restore for Exchange Online, SharePoint Online and OneDrive for Business. With Commvault, enterprises can quickly and efficiently complete migration of on-premises Exchange Mailboxes to Office 365 through the archiving of redundant, outdated, and trivial data, allowing you to migrate only recent and business-critical data.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

REFERENCES i https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service- description/service-health-and-continuity ii https://istheservicedown.com/problems/office-365/history iii https://docs.microsoft.com/en-us/exchange/back-up-email iv Skype for Business is being integrated with Microsoft Teams and the former is being eliminated as a separate offering. v Skype for Business is being end-of-lifed and replaced with Microsoft Teams, but the underlying issues around archiving remain the same. vi https://docs.microsoft.com/en-us/office365/securitycompliance/archiving-third-party-data