Office 365 Revisited: Archiving and Security
Updated: Mar 31, 2018
So, you are using Office 365 or thinking about using it. I believe it’s a good move, as you can tell from my two recent posts, which you can find here:
Office 365 brings value and ease of use and gives your IT team time back since they don’t have to manage on-perm Exchange environments anymore. No doubt, there is big value in that. I’ve mentioned before how our firm, Vicom, is a Microsoft Gold Partner for the past 15 years that has helped countless firms implement and manage their on-prem Exchange environments, and yet we moved to Office 365 a few years ago. Not because we can’t manage our on-prem environment, but why would we want to? Let our people do other value-based tasks and let Microsoft (who has done a good job with O365) manage our email and other services. As I’ve mentioned before, upwards of 8 out of 10 of our customers (from SMB’s to large enterprises) are using O365.
This month let’s talk about a few of the other areas that are of concern to firms from a high level and how O365 addresses.
All versions of O365 Enterprise (E1, E3, & E5) offer access to archiving. There are also various firms that make solutions/products for archiving as well, so many options available. The question becomes, what is the right solution for you and your organization? Many agree the integrated Microsoft archiving within O365 is good enough for what most firms need. If you are using only Microsoft solutions, using the built-in arching is a straightforward way to go.
But what if you already have third-party archiving solutions, as we see firms are using third party solutions—such as Enterprise Vault, Mimecast, etc. A trend we’ve seen is firms moving off of EV to Microsoft archiving or to solutions such as Mimecast or others. This can make sense, but is not as easy as it might seem. For example, we were recently with a firm that has their email archiving on Enterprise Vault and would like to consolidate down to a new archiving solution. The issue that came up was what to with their older Enterprise Vault implementation for archiving, the data of which they have chosen to keep in perpetuity? They can take all that data in EV and migrate it over to Microsoft archiving, but this will require a lot of time and effort as well as the purchase of tools. Since the emails contained in the EV archive are old, are accessed rarely and are needed for compliance purposes only (again rarely) does that large effort and expense make sense?
Maybe it does or maybe it doesn’t. That becomes a decision for the firm to make. Would it be easier going forward if they went through the pain and effort of consolidating the tools upfront? Easy and a bit more manageable? Yes, but more expensive and disruptive to do. So, it not a simple as stating, let’s use Microsoft’s tools. In the situation above, it might make sense to archive all new emails going forward using the Microsoft archive solution and keep a legacy EV environment (again, that is rarely used, but needed for compliance) for the older emails. All of this needs to be weighed out.
Security and Compliance
Of course, we all know one of the biggest concerns for email (and IT environments today) is security and compliance. It’s just part of the world we live in today. Microsoft has solutions built into O365 to address both and, as I mention above, many organization believe that the solutions that Microsoft offers are “good enough” for what they need and, yes, there is an entire ecosystem of third-party solutions that can help in these areas as well. Lots to discuss around this that could take up an entire blog post, so not all of it for today.
As part of E3 you get DLP and Rights Management to help keep data protected to stop/mitigate leakage and protect data in allowing only those that should have access to data, to access it. So, if an email is sent with sensitive data or a link or file shared via OneDrive with sensitive data, it will prevent access it in a very granular, policy driven way. Again, many third-party solutions can do this as well.
With E5 you also get Advanced Threat Protection, to help protect in real-time against suspicious attachments, links and threats in a much more comprehensive way than E1 & E3 subscriptions provide or where you would use third party tools to address. But with E5 you get it as part of your subscription at no additional cost.
You also get much more in terms of granularity with security than in other subscriptions. E5 includes Data Governance for controlling your data, as well as eDiscovery and Auditing. This gives you 1) very deep access to the controls around your data and environment, 2) being able to find data and 3) provides analytics using advanced machine learning. It also helps you monitor and investigates actions taken against your data, quickly identify risks and respond appropriately. All included with E5.
Now what does it all mean? Just because Microsoft has all of this included in their subscriptions, should you use them? In many cases it can make sense. As I’ve mentioned a few times above, many firms feel that the Microsoft solutions are “good enough” to use versus third-party solutions. This is not always fair towards Microsoft’s solutions, which at times, have been perceived to be slow to bring additional and/or advanced functionality to the market. This is almost entirely why third-party ecosystems exists. But I will say, in this case, Microsoft has very robust comprehensive set of solutions that are worth a look.
But (and there’s always a but, right?) some industries have requirements for email where there must be a separate email archiving platform in place from a different vendor then the production one. This helps to mitigate risk and provides (or at least is intended to) for stronger governance. Even if not required, some companies do not want it all under one vendor. Even if a firm wanted to use an all Microsoft solution, legal requirements, or prudence, might not allow them to. And that’s OK.
As you evaluate, use, or continue to use Office 365—as I said in my last post—much is to be considered. And as we all know, what’s right for me, might not be right for you. A full Microsoft O365 solution might work but depending upon your requirements and industry, you might need to use more than just Microsoft’s offerings. Plus, we didn’t talk about how to integrate your other tools and feeds into your O365 environment, such as IAM, and AD integration, Skype, OneDrive, and other solutions, all of which open the door to additional complexity. But is it worth it? Our customers tend to think so.
This is where a good partner can help guide you and vet out what makes sense questions around the scenarios I discuss above and in my previous posts. O365 is much more than just turning on a subscription and getting going. If done right, you’ll be happy with the results and as a point of note we’ve yet to see a customer of ours decide to get rid of O365 and go back to on-premise solutions. That doesn’t mean there aren't issues, but the trade-offs are worth it for most. Most issues that arise can generally be resolved with expectation setting, planning, processes, governance, training, and a good partner to help you figure it out. So, don’t be unwilling to bring in help and guidance when needed around Office 365, as there is a lot to it. You’ll be glad you did.