Microsoft Office 365 is compliant with a number of important global standards and regulations, ranging from European Union data protection laws to the Health Insurance Portability and Accountability Act and ISO 27001. The service’s ability to meet compliance requirements at the datacenter level isn’t in question. After all, Microsoft’s datacenters are amongst the best in the world. However, the features and functions provided by Office 365 to ensure compliance expose some organizations to unnecessary risk.
Risks and Limitations of Microsoft Office 365 for Compliance
Data retention, handled mostly through Messaging Records Management (MRM), doesn’t guarantee that data is retained. Retention decisions are driven by end users, who effectively classify data based on its business value and determine how long it should be kept. These users can delete this data, at which point it’s sent to a Recoverable Items folder that, by default, stores the deleted messages for 30 days. Once the 30 days have elapsed, the data is gone.
Write once, read many (WORM) storage is often seen as a firm requirement for HIPAA/HITECH, FINRA and SEC compliance. Office 365 doesn’t provide immutable WORM storage, and as such it doesn’t effectively meet this requirement.
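The two paragraphs above come down to a question an administrator can actually answer: for each mailbox, how long does the Recoverable Items folder keep deleted items, which MRM policy applies, and is anything in place that stops a user's deletion from becoming a purge? The following script is an added example, not code from the original post or from Proofpoint; it uses the Exchange Online PowerShell cmdlets (ExchangeOnlineManagement module) and assumes an account allowed to run Connect-ExchangeOnline. The UPN and the remediation step are placeholders for illustration.

```powershell
# Added example: audit deleted-item retention and hold status for Exchange Online mailboxes.
# Assumption: the ExchangeOnlineManagement module is installed and the caller is an admin.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Collect the retention-relevant settings for every mailbox.
$report = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, UserPrincipalName,
        RetainDeletedItemsFor,        # how long Recoverable Items keeps deleted messages
        RetentionPolicy,              # the MRM policy applied to the mailbox
        LitigationHoldEnabled,        # hold that survives user deletion and the retention window
        LitigationHoldDuration,
        SingleItemRecoveryEnabled     # stops users purging items from Recoverable Items themselves

# Mailboxes where a user's deletion really does remove data once the window elapses:
# no litigation hold and no single-item recovery.
$atRisk = $report | Where-Object {
    -not $_.LitigationHoldEnabled -and -not $_.SingleItemRecoveryEnabled
}
$atRisk | Format-Table DisplayName, RetainDeletedItemsFor, RetentionPolicy -AutoSize

# Show what each applied MRM policy actually does: every tag's type, age limit and action.
$policyNames = $report.RetentionPolicy | Where-Object { $_ } | Sort-Object -Unique
foreach ($policyName in $policyNames) {
    $policy = Get-RetentionPolicy -Identity $policyName
    foreach ($tagName in $policy.RetentionPolicyTagLinks) {
        Get-RetentionPolicyTag -Identity $tagName |
            Select-Object @{n = 'Policy'; e = { $policyName }},
                          Name, Type, AgeLimitForRetention, RetentionAction
    }
}

# Illustrative remediation for regulated mailboxes: raise Recoverable Items retention to the
# 30-day maximum Exchange Online allows and enable litigation hold so deletion no longer purges.
# -WhatIf previews the change; remove it to apply.
$atRisk | ForEach-Object {
    Set-Mailbox -Identity $_.UserPrincipalName -RetainDeletedItemsFor 30 `
        -LitigationHoldEnabled $true -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

The tag listing matters because a policy name alone says nothing: a tag with RetentionAction set to DeleteAndAllowRecovery still funnels mail into the same 30-day Recoverable Items window the text describes, whereas a litigation hold keeps the item regardless of what the user or the tag does. Note that hold is not WORM storage; it prevents purge, but it is an administrative setting rather than immutable media.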
Protect Against Breaches through Data Loss Prevention
Office 365 provides a number of template-based policies that protect against data loss. Custom policies can be created to extend the provided policy set. Default policies, however, aren’t particularly configurable. In addition, there’s no administrative workflow to manage the incidents resulting from outbound emails that violate policy. This makes visibility challenging, and where there are visibility challenges, there are instances of noncompliance.
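The visibility gap described above can be measured rather than assumed: each DLP rule either blocks, notifies and raises an incident report, or it silently audits. This script is an added example, not from the original post or Proofpoint, and uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module; it assumes an account with compliance administration rights and uses a placeholder UPN.

```powershell
# Added example: enumerate DLP policies and rules and flag the ones that give an
# administrator nothing to act on (no block, or no incident report).
# Assumption: ExchangeOnlineManagement is installed; Connect-IPPSSession reaches the
# Security & Compliance endpoint with a compliance admin account.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

# Policy-level view: Mode tells you whether a policy enforces or only tests.
Get-DlpCompliancePolicy |
    Select-Object Name, Mode, Workload, Enabled |
    Format-Table -AutoSize

# Rule-level view: what happens on a match, and whether anyone is told about it.
$rules = Get-DlpComplianceRule |
    Select-Object Name, ParentPolicyName, Disabled,
        BlockAccess,              # does a match actually stop the message or share
        NotifyUser,               # who gets a policy tip or notification
        GenerateIncidentReport,   # recipients of an incident report, if any
        ReportSeverityLevel

$rules | Format-Table -AutoSize

# Rules that only audit, or that match without producing an incident report, are the
# cases where a violation leaves no trail an administrator would ever review.
$silent = $rules | Where-Object {
    -not $_.Disabled -and (-not $_.BlockAccess -or -not $_.GenerateIncidentReport)
}
$silent | Format-Table Name, ParentPolicyName, BlockAccess, GenerateIncidentReport -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Running this before and after a policy change gives a concrete record of which rules enforce and which merely observe, which is the evidence an auditor will ask for when the built-in console offers no incident queue.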
Office 365 doesn’t guarantee that your data is stored in any particular region. Microsoft will disclose to the customer where their data is being stored, but won’t be held responsible for informing the customer if it was necessary to move the data. This creates data residency challenges that may adversely affect adherence to regulatory guidance.
Addressing the Challenges
Ensuring compliance with Office 365 should be a high priority for regulated organizations. Failure to comply can result in fines and other penalties.
Third-party solutions for enhancing Office 365’s built-in compliance capabilities, from providers such as Proofpoint, can make it easy for organizations to continue meeting their compliance and data privacy needs as they move to an Office 365 environment.