The Compliance Implications of an Office 365 Rollout

Cloud technology is one of the most talked about topics in today’s IT world. With a surge in the number of SaaS companies, we have certainly reached the point where an entire business can be run on the cloud. The big savings, hassle-free automatic software updates, reduced downtime, and many other advantages cloud technology brings to the table should make it a natural choice for most decision makers. But, on the contrary, companies are still hesitant to take the plunge; most cite security and compliance as the main reasons for not jumping on the cloud bandwagon.

Cloud compliance—an oxymoron?

Unlike an on-premises set up, data in the cloud is stored in cloud service providers' data centres, and companies don’t really know how their confidential data is being managed. With the looming threat of non-compliance, a company might have a plethora of questions for a cloud service provider when it decides to move to the cloud, such as:

•  Where is our data going to be stored?
•  Who will have access to our data?
•  What is your disaster recovery plan?
•  What industry regulations do you comply with?

Sadly, in most cases, the answers companies get from cloud app developers clearly indicate the fact that security and compliance aren't given the importance they deserve.

Office 365—The outlier.

Office 365 is certainly an outlier among all other cloud apps when it comes to compliance. This online productivity software suite from Microsoft is a one-stop solution for accessing various applications, including Exchange Online, SharePoint Online, OneDrive, Skype, and the hosted versions of Microsoft Office tools. These services deal with heaps of information, and the burden of securing this data falls on Office 365. Failing to ward off any unauthorised access to this information will only invite non-compliance.

The good news is that, on the compliance front, Office 365 is light-years ahead of its competitors. It is compliant with almost all industry mandates such as PCI-DSS, HIPAA, GLBA, and more. It also boasts of a dedicated security and compliance centre, which helps you devise your own strategy to meet the various external and internal rules and regulations that your organisation has to comply with. So, does this signal an end to all your compliance-related issues? The answer to this question would be an emphatic “no.”

Here are some areas, with regard to compliance, where Office 365 still hasn’t upped its game:

• Compliance—a work in progress: The security and compliance capabilities of Office 365 are still a work in progress. Its current approach to compliance might help only those businesses with few, generic compliance requirements. 

But Office 365 doesn't provide many options for organisations that come under the purview of many stringent external IT regulatory bodies and have to audit many specific events and store the logs for specific time periods, for security or compliance reasons.

• Audit trails—a 90-day barrier: To improve performance, all user/administrator activities and mailbox audit trails are purged by Office 365 after 90 days. But most industry compliance mandates require companies store these audit logs for years, to facilitate forensic log analysis in case any issues crop up.
• Limited reports—a major stumbling block: During audits, organisations are required to produce corresponding compliance reports for auditors to validate the security of confidential information across all applications. But native reports in Office 365 are very limited and don’t provide the level of visibility required to ensure hassle-free compliance. For example, Office 365 doesn't report on changes made by Exchange administrators, delegates, and non-owners to mailbox properties. Also, Office 365 reports can't be filtered to meet your needs. So an administrator can view all the accesses to a mailbox, for instance, but not the details pertaining to the accesses made by a single user from different IP addresses. .

These points warrant the need to have a comprehensive Office 365 reporting, auditing, and management solution in place to ward off any security and compliance related issues. This solution should monitor and audit every user and admin activity in all supported applications and alert you of any unusual activity. Furthermore, it should also let companies bypass the much criticised 90-day time limit set for audit logs and must possess a purpose-built reporting package to meet the requirements of PCI-DSS, HIPAA, ISO 27000, GLBA and Sarbanes-Oxley legislation.