Until recently, online protection for Microsoft’s Office 365 productivity suite was provided by the Microsoft Security & Compliance Center. The portal combined security features to manage identities, devices and applications with compliance control areas such as data retention, sensitivity and eDiscovery.
In 2018, Microsoft announced that this portal would split into separate products, taking effect in April 2019. Historically, the primary focus (certainly in terms of high-profile media coverage and attention) had been on the security aspects of the Microsoft 365 Security & Compliance Center. With the advent of the EU GDPR, other data protection regulations and a broader recognition of legal and regulatory restrictions, splitting the combined product set into two separate portals indicates Microsoft’s recognition of the compliance challenges and of the increasing importance and relevance of compliance. This is especially true within heavily regulated industries such as Financial Services.
It should be noted that the separation of functionality and features has not been a straightforward or definitive split. There are certain features, such as Labels, which maintain a presence in both Security and Compliance portals; other functionality such as Azure Information Protection can end up in separate portals on which Security and Compliance are dependent. Over time, we expect this feature set alignment to evolve further.
Now is a great time for firms considering an M365 migration to identify the key blockers and success factors in the adoption of M365 Compliance Center. Citihub Consulting regards the following as crucial considerations when adopting the M365 product suite. They are often deprioritised in favour of the higher-profile security features, but can present financial services firms with a real headache if not addressed early in the process:
- Records Management & Retention Policies: M365 Compliance Center supports the application of retention policies to retain different data types according to the firm’s records taxonomy. This might apply the same policy to the entire organization, or more often to specific geographical locations, groups of users or individual users, in order to align with regulatory requirements. Most organisations’ records taxonomies describe the different data classes represented in the business, from trading data to HR, across client and reference data. The use and effective management of these taxonomies through the appropriate use of retention policies are becoming increasingly relevant as regulatory sanctions continue to increase and extend.
- eDiscovery Search & Export: Microsoft has provided two levels of eDiscovery capability, after augmenting their product set to include “Advanced” eDiscovery with the purchase of Equivio in 2015. Among other features, Advanced eDiscovery enables searching and reviewing of collected data with advanced analytics through machine learning. With regular updates and feature enhancements, Advanced eDiscovery is rapidly evolving; however, it’s still not truly ready for enterprise use, with limitations around searching, exporting and indexing among other challenges yet to be addressed. Over time, these issues are likely to be resolved (and Citihub Consulting has worked with clients and Microsoft to identify suitable workarounds and configuration to optimise the existing capabilities), but for now, the product set won’t displace existing third-party eDiscovery tools used by large financial services institutions.
- Compliance Boundaries: Large financial services firms will need to differentiate user and admin roles relating to data management and compliance, whether that’s in support of searching, analysing and exporting of data by geographical locations, or functionally in order to enforce segregation of duties in the eDiscovery process. Compliance Boundaries support this capability, for example differentiating between functions that are only permitted to search but not export, using Microsoft’s RBAC model and compliance security filtering to reduce operational risk and align granular access rights to appropriate roles within the organisation.
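The search-versus-export split described above, expressed as compliance security filters in Security & Compliance PowerShell. This is an added example, not configuration from the original post: the role group names, the region value and the choice of the CountryOrRegion mailbox attribute are assumptions for a UK boundary.

```powershell
# Added example: a compliance boundary in which one role group may only search
# UK mailboxes and a separate, smaller group is the only one able to export.
# Role group names, the 'GB' value and the attribute used are assumptions.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# The boundary is keyed on a mailbox attribute. It only works if that attribute
# is populated consistently, so confirm that before relying on the filter.
$regionFilter = "Mailbox_CountryOrRegion -eq 'GB'"

# Reviewers may search UK content but the filter never grants them export.
New-ComplianceSecurityFilter -FilterName "UK-eDiscovery-Search" `
    -Users "UK eDiscovery Reviewers" `
    -Filters $regionFilter `
    -Action Search

# Export is limited to a distinct group, enforcing segregation of duties
# between the people who find content and the people who take it out.
New-ComplianceSecurityFilter -FilterName "UK-eDiscovery-Export" `
    -Users "UK eDiscovery Exporters" `
    -Filters $regionFilter `
    -Action Export

# Checks: list the filters in force, then find mailboxes without the attribute.
# Such mailboxes never match the filter, so filtered users cannot reach them,
# which is usually a data-quality gap to fix rather than the intended outcome.
Get-ComplianceSecurityFilter | Format-Table FilterName, Users, Filters, Action
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.CountryOrRegion } |
    Select-Object UserPrincipalName
```

The filters restrict what a user can do; the eDiscovery role group membership still has to grant the search or export permission in the first place.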
- Centralised Mail Transport: It’s important that any emails being sent outside of the company are routed back through the corporate mail backbone to ensure that functions such as DLP and hygiene scanning are taking place. Financial services firms will either need to configure CMT or rely on Microsoft’s Online Protection Routing and toolsets – which many large enterprises may decide are not yet mature enough for use. We discuss this in a little more detail in our blog, “Exchange Online & Hybrid Deployment Considerations for Financial Services”.
- Multi-Geo Support: Most financial services firms are regulated in a way which enforces different rules and legislation in different countries or jurisdictions. To ensure that data is being managed in the most appropriate manner for the relevant jurisdiction in which it resides, it’s important to configure the multi-geo settings for M365 to prevent inconvenient or accidental movement of data outside of jurisdictions in which more restrictive rules apply. For example, a regulator may demand that data be stored and managed within the country of creation and not be left to a software failover algorithm to inadvertently move that data elsewhere.
- Exchange Online Journaling & Conditional Based Routing: An essential part of any organisation’s mail flow is making sure that journaling is enabled and email data is archived. Setting up journal rules with Conditional Based Routing (CBR) allows for journaled items and user email to be routed based on the location or jurisdiction of choice, in order to meet regulatory requirements for keeping data local.
- Litigation & eDiscovery Hold: eDiscovery Hold is the new name for the functionality previously known as In-Place Hold. This supports the selective preservation of data items for the purposes of an eDiscovery investigation. Though the name has changed, the technology under the covers still has the same results when it comes to placing items within a user’s mailbox, SharePoint, OneDrive and Teams on hold. Additionally, Litigation Hold is still available to place the user’s entire mailbox and applications on hold.
- Mailbox Archiving:
  - In-Place Archiving (Convenience Archiving): Being able to move mailbox data from a selected date range into Exchange Online’s In-Place Archive allows organisations to archive data in Office 365 with potentially unlimited capacity. Mailboxes and their underlying archive can auto-expand, which is useful for avoiding capacity constraints (although there are known issues with older client versions such as Outlook 2013).
  - Compliance Archiving (Legal Hold): Although Office 365’s Advanced eDiscovery product is offered as a comprehensive compliance solution, Citihub Consulting’s experience has shown that it is currently still a maturing product. The full capabilities of Office 365’s compliance suite are not yet ready to provide all of the functions of the mature third-party product sets typically used today for most large organisations’ on-premise data.
- Reporting: Out of the box reporting capabilities surrounding the M365 Compliance Center portal can appear somewhat limited. Many organisations are relying on custom PowerShell scripts to achieve the desired output; Citihub Consulting’s Jim Barrett gives his opinion on the need and benefits of using PowerShell in his blog, “PowerShell: The Oxygen of O365 Management”.
- Data disposition: Citihub Consulting has been working with clients on how they can defensibly dispose of data (see our blog around Defensible Disposal and Legal Hold, from our “15 Minutes with” series). This is becoming one of the biggest data challenges in the industry, as teams have historically retained data indefinitely, concerned that deletion of data will result in legal or regulatory implications. However, with data storage volumes now soaring, coupled with new data protection regulations such as the EU GDPR, it’s rapidly becoming time for firms to identify when and how data should be disposed of. M365 Compliance Center can help firms achieve this by triggering a Disposition Review for data reaching the expiry of its retention period. This allows additional retention rules to be applied, or for data to be deleted on the approval of the reviewers.
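The retention-policy scoping from the Records Management point above and the disposition review described here, as one added example in Security & Compliance PowerShell. This is not configuration from the original post: the label name, seven-year duration, reviewer mailbox, target mailbox and SharePoint site are all assumptions, and "trading records" stands in for one class from a firm’s records taxonomy.

```powershell
# Added example: a retention label that keeps a record class for seven years and
# then routes expiring items to a disposition review instead of deleting them
# silently, published only to the locations that hold that class.
# All names, addresses, URLs and durations are assumptions.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# 1. Retention label: retain 2555 days from creation, then delete, but only
#    after a named reviewer approves. ReviewerEmail is what triggers the
#    disposition review at the end of the retention period.
New-ComplianceTag -Name "Trading Records - 7y" `
    -Comment "Constructed example: trade confirmations and order records" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -ReviewerEmail "records-review@example.com"

# 2. Publish the label to specific locations rather than the whole tenant,
#    so the policy can follow the desk or jurisdiction that owns the records.
New-RetentionCompliancePolicy -Name "Trading Records Policy" `
    -ExchangeLocation "trading-desk-emea@example.com" `
    -SharePointLocation "https://example.sharepoint.com/sites/TradingRecords"

New-RetentionComplianceRule -Name "Publish Trading Records Label" `
    -Policy "Trading Records Policy" `
    -PublishComplianceTag "Trading Records - 7y"

# 3. Checks before sign-off: confirm the label carries a reviewer (no reviewer
#    means items are deleted at expiry with no review), and confirm the policy
#    has actually been distributed to its locations.
Get-ComplianceTag "Trading Records - 7y" |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType, ReviewerEmail
Get-RetentionCompliancePolicy "Trading Records Policy" -DistributionDetail |
    Format-List Name, DistributionStatus, ExchangeLocation, SharePointLocation
```

Items that reach the end of the period then appear under the Disposition view in the Compliance Center, where the reviewer can approve deletion or apply a further retention label, which is the behaviour described in the paragraph above.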