Making Office 365 More Secure and Compliant


Although Microsoft has done quite a good job at creating a robust and scalable platform in Office 365 that can satisfy the requirements of many organizations, there are some organizations that will need compliance and security capabilities not available natively in the platform. This white paper discusses what Office 365 will and will not do, and discusses where supplemental offerings from third-party vendors will prove to be beneficial.


WHITE PAPER

Making Office 365 More Secure and Compliant

An Osterman Research White Paper
Published December 2011

Sponsored by AppRiver, LiveOffice, Proofpoint and Smarsh

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934
Executive Summary

Microsoft Office 365 represents the company’s latest entry into the cloud-based messaging, collaboration and productivity market. While deciding on which of the many flavors of Office 365 to deploy can be a bit daunting because of the many (and somewhat confusing) options available, it is clear that Microsoft has done quite a good job at creating a robust and scalable platform that can satisfy the requirements of many organizations.

That said, there are some organizations that will need compliance and security capabilities not available with Office 365. These include some organizations operating in highly regulated industries like financial services, healthcare and energy; organizations with strict regulatory requirements to protect, archive or sample various types of communications; organizations that operate in countries with strict data protection laws; and organizations with specialized security requirements that are not satisfied by the features built into Office 365.

KEY TAKEAWAYS

• Office 365 is a solid platform that can meet a variety of corporate requirements for email, real-time communications and document management.
• Migration to Office 365 requires significant expertise, planning and deployment skills if it is to be performed properly and with a minimum of disruption.
• Despite being a cloud-based solution, many of the more advanced features of Office 365 require substantial on-premise infrastructure or the use of third-party capabilities.
• The archiving and compliance capabilities in Office 365, while useful, will not be sufficient to satisfy many common regulatory and legal data retention, e-discovery and related obligations.
• While Office 365 offers robust security capabilities, it does not permit customers to implement all options that they might require. Moreover, the SharePoint Online API requires custom code to work with the Microsoft sandbox model.

ABOUT THIS WHITE PAPER

This white paper was sponsored by AppRiver, LiveOffice, Proofpoint and Smarsh. Information on each of these companies is provided at the end of this document.

TWO IMPORTANT CAVEATS

It is important to note at the outset two important caveats about this white paper:

• The purpose of this paper is not to denigrate Microsoft Office 365 in any way. In fact, we believe that Office 365 is a robust platform that will meet the needs of many organizations that want to simplify their IT deployments and/or reduce their overall IT costs. However, as with any cloud-based platform, there are limitations in Office 365 that organizations need to understand and evaluate as they consider migrating their email, real-time communications, archiving and other communications and collaboration capabilities to the cloud.

©2011 Osterman Research, Inc. 1
• The third party services discussed in this white paper are complementary, add-on solutions to Office 365, not replacements for the capabilities offered in Office 365.

Why Office 365?

CORE FEATURES AND PLATFORM OVERVIEW

Microsoft Office 365 is an integrated suite of cloud-based offerings that Microsoft already offers as on-premises solutions:

• Microsoft Exchange Online
  Email, calendaring and task management, including built-in archiving services. The basic Office 365 package includes 25 GB of storage per user.
• Microsoft Office
  The Office Web Apps are lighter versions of Word, PowerPoint, Excel and OneNote intended to satisfy the requirements of basic users of these applications, and/or to supplement the desktop experience of Office Professional Plus that may be required by more advanced users.
• Microsoft SharePoint Online
  Includes document management and collaboration services, Web site development, project management and the ability to develop intranets and extranets.
• Microsoft Lync Online
  Includes real-time communications: IP-based voice, video conferencing, Web conferencing, instant messaging and presence capabilities. Lync replaces the existing Office Communications Online and LiveMeeting tools that have been offered by Microsoft for some time.

Office 365 is intended to be a mostly cloud-based environment for organizations regardless of their size, replacing the core functionality of on-premises systems focused on managing email, collaboration, real-time communications and desktop productivity. In short, Office 365 is the next generation of Microsoft’s Business Professional Online Services (BPOS), Office Live Small Business and Live@edu offerings.

Office 365 is available in various versions that are intended for small businesses through very large enterprises – other plans are also available for educational institutions. Microsoft offers multiple versions of Office 365 ranging from $6 to $27 per user per month, as shown below:

• Kiosk plans [i]
  o K1: $4 per user per month
  o K2: $10 per user per month
• Personal and Small Business Plan [ii]
  o P1: $6 per user per month
• Enterprise Plans [iii]
  o E1: $10 per user per month
  o E2: $16 per user per month
  o E3: $24 per user per month
  o E4: $27 per user per month

DIFFERENCES BETWEEN OFFICE 365 AND BPOS

Microsoft BPOS was introduced toward the end of 2008 and has been fairly successful, achieving a customer base of several million seats. At the same time, BPOS has been somewhat controversial with Microsoft’s large ecosystem of hosted Exchange providers because Microsoft’s per-seat pricing for BPOS was significantly lower than many providers’ per-seat pricing for hosted Exchange – prices for BPOS were reduced to $5.00 per seat per month.

There are some significant differences in the features, function and design between BPOS and Office 365:

• BPOS was built on the 2007 versions of its three key components, Exchange, SharePoint and Office Communications Server (now Lync Server), while Office 365 is built on the 2010 versions of all three products. The difference is important because the 2010 versions were designed with the cloud as a delivery model while the 2007 versions were not.
• Office Professional Plus is the most significant difference between BPOS and Office 365 – office productivity functionality of any kind was not included in BPOS. This is Microsoft’s entry into the space that has been dominated by Google Apps and, to a lesser extent, a number of other providers like Zoho, HyperOffice, IBM Lotus and many others.
• While BPOS was designed primarily for smaller businesses, Office 365 has been designed for enterprises, as well. Office 365 clearly represents Microsoft’s push into the large-enterprise market for cloud-based applications and messaging functionality.
• Office 365 offers a number of enhancements to BPOS, the most notable of which is the Service Connector designed to simplify desktop management, manage updates and patches, and manage the overall login process.
• SharePoint Online, originally considered to be just a shared document repository, has now evolved into a true collaboration platform in which enterprises can run enterprise-wide applications. This is particularly advantageous for organizations that rely heavily on their messaging platform to run business applications, such as Lotus Notes customers.

WHAT OFFICE 365 WILL DO

Office 365 offers a number of very useful features, including:

• Full Web-based email and calendaring functionality
• 25 gigabytes of online storage
• The ability to send attachments up to 25 megabytes
• Document sharing
• Instant messaging
• Voice conferencing
• Video conferencing
• Web-based versions of Word, Excel, PowerPoint and OneNote
• Basic archiving
• Anti-virus and anti-spam filtering

The enterprise versions of Office 365 add a number of other features, including live telephone support, the ability to apply basic legal holds to mailbox items, more advanced voice capabilities, and the on-premise version of Office Professional Plus 2010. Moreover, Office 365 complies with ISO 27001 and EU Safe Harbor standards, while Office 365 data centers – managed by Microsoft Global Foundation Services – support these standards and are also SAS70 Type II- and FISMA-compliant [iv]. In addition, Office 365 helps customers with regulatory compliance by adhering to a number of industry standards, including the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), Title 21 CFR Part 11 of the Code of Federal Regulations, the Federal Information Processing Standard (FIPS) 140-2, Trusted Internet Connections (TIC), the Gramm-Leach-Bliley Act (GLBA), and Good Manufacturing Practice (GMP).

In short, Office 365 compares quite nicely to similar offerings and offers a robust set of features and certifications. It is important to keep in mind that technology is not compliance. Organizations can employ Office 365 and other solutions to help them meet many regulatory requirements, but they are not a “compliance button”.

WHAT OFFICE 365 WON’T DO

Despite the many features and functions offered in Office 365, there are a number of capabilities that the solution does not provide or does not provide to the depth that many organizations require, including a number of security and compliance capabilities that are discussed in more detail in the next section. Among the limitations of Office 365 are:

• Exchange Online does not offer managed folders or public folders, complicating the migration process for organizations that currently maintain these folders in their on-premise deployments.
• For Mac-enabled organizations, access to Office 365 applications is not as straightforward as it is in Windows-based environments [v].
• On-premise applications that require SMTP functionality for outbound communications require either an on-premise SMTP server or configuration through Forefront Online Protection for Exchange (FOPE).
• Microsoft does not offer a migration path from the P1 to any of the E plans.
• Directory synchronization and single sign-on are not available with the P1 plan.
• Office 365 Plan P does not permit journaling, a serious problem for some organizations considering migration. However, Exchange Online Plan 1 does permit journaling. The Exchange Online management console provides journaling functionality and control for all Enterprise Exchange mailboxes.
• Message revocation for encrypted messages (i.e., message recall) is not supported.
• Migration in Office 365 occurs only one mailbox at a time (one source indicates up to 10 mailboxes at a time) and the tools available for archive migration are not simple. Migrating legacy archives or .PST files is not a simple exercise in more sophisticated environments.

The Need for Improved Compliance in Office 365

One of the fundamental issues that Osterman Research has discovered in its research is that many organizations do not consider their specific archiving, security and compliance requirements in general. Moreover, many do not consider their long-term archiving and compliance requirements before migrating to a cloud-based platform like Office 365. However, they do so at the peril of being unable to fully satisfy their archiving, security and compliance requirements. In short, implementing new tools comes with a new set of compliance responsibilities.

BROADER ARCHIVING OPTIONS

One of the most important issues for decision makers to consider is the fact that Office 365 does not offer as broad a set of archiving options as they might need today or in the future. For example, as a result of the revised Federal Rules of Civil Procedure (FRCP) and more recent court decisions, relevant Electronically Stored Information (ESI) must be retained for long periods. ESI typically includes content stored on email servers – a leading source of discoverable content in many legal cases – but it also includes electronic content of various types, including:

• Documents stored in SharePoint databases and other repositories
• Instant messages and other content generated in Lync sessions
• Files generated by Office productivity applications
• Social media content

However, Office 365 has some limitations in the context of its archiving capabilities. For example, Microsoft Plans E1 and E2 offer only a Personal Archive option – Plans E3 and E4 offer both Personal Archive and Advanced Archive. Exchange Online archiving is available only with the E3 and E4 bundles and cannot be added as an a la carte option to E1 or E2. While third party archiving tools can be used with all of the Enterprise bundles, the P1 bundle does not provide for journaling control, so there is no real option to add archiving to that offering. Moreover, Plan E1 requires the archive to share the 25 gigabytes of space between each user’s mailbox and their personal archive, whereas Plan 2 allows an archive of unlimited size, although a default quota of 100 gigabytes is provided in Plan 2 – this quota cannot be modified without intervention by Microsoft.

It is important to note that for purposes of e-discovery or other, corporate-wide data management requirements, there is a need to capture messages in the Personal Archives. Also, there is a 50-mailbox search limitation with Office 365. Moreover, to enable Microsoft’s e-discovery capabilities requires deployment of the E3 offering, a 50% price increase compared to
E2. Inactive mailboxes, such as those for employees who have left the company, still need to be paid for as if they were active for retention/e-discovery purposes.

Another limitation of Office 365 is that if the service goes down for any reason, the archive is also unavailable. Use of a third party archiving solution gets around this limitation by storing data in two completely separate infrastructures, allowing users access to their archive and, as part of a business continuity solution, to send and receive emails while Office 365 is unavailable. This is not a trivial consideration, since there have been some serious outages in the Office 365 infrastructure, including a three-hour-plus outage on August 17, 2011 caused by a “networking interruption”, and another – also lasting three hours – on September 8, 2011 as a result of a DNS issue.

RETENTION POLICIES

For companies requiring granular control over email retention policies, the mail controls built into Office 365’s Exchange Online Plan 1 with Outlook 2010 may or may not be adequate. In Exchange Online Plan 2 with Outlook 2010, control over email retention policies is granular and flexible.

Exchange Online offers retention policies to help organizations reduce the liabilities associated with email and other communications. With these policies, administrators can apply retention settings to specific folders in users’ inboxes. Administrators can also give users a menu of retention policies and let them apply the policies to specific items, conversations, or folders using Outlook 2010 or Outlook Web App. In Exchange Online, administrators manage retention policies using Remote PowerShell.

Exchange Online offers two types of policies: archive policies and delete policies. Both types can be combined on the same item or folder. For example, a user can tag an email message so that it is automatically moved to the personal archive in a specified number of days and deleted after another span of days.

With Outlook 2010 and Outlook Web App, users have the flexibility to apply retention policies to folders, conversations, or individual messages and can also view the applied retention policies and expected deletion dates on messages. Users of other email clients can have emails deleted or archived based on server-side retention policies provisioned by the administrator, but they do not have the same level of visibility and control. Again, these capabilities will suffice for some customers, but not for others.

OTHER LIMITATIONS IN MICROSOFT’S ARCHIVING APPROACH

In Office 365, administrators can create transport rules to inspect messages for a variety of email attributes, such as specific senders, recipients, distribution lists, keywords, and regular expressions (for common patterns like those associated with credit card numbers or Social Security numbers). Administrators can also include users’ Active Directory attributes (for example, department, country, or manager) and distinguish by message types (such as automatic replies, meeting requests, and voicemail messages).

Microsoft is phasing out its Exchange Hosted Archive offering in favor of the archiving functionality offered in Office 365, as well as Microsoft’s Exchange Online Archiving. While
many Office 365 customers will be well served by these new solutions, there are some cases in which archiving requirements are beyond their capabilities. For example:

• Financial services and other highly regulated firms
  Financial services firms that are under the regulatory control of the Financial Industry Regulatory Authority (FINRA) must retain all relevant email, instant messaging and social media content. The archiving capability in Office 365 does not support archiving of instant messaging conversations, social media content, Bloomberg, Reuters, etc. and so these firms must employ another archiving solution or face the consequences of non-compliance. Moreover, FINRA-regulated firms must perform granular content sampling on broker-dealers’ communications to remain in compliance.

  In terms of other regulatory requirements, Office 365 should not be used for managing data governed by the Payment Card Industry Data Security Standard (PCI DSS). While Microsoft does provide email encryption for outbound email through its Exchange Hosted Encryption service, internal communications are not encrypted, resulting in potential violations of various data breach requirements, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and other statutory requirements to encrypt all sensitive communications and data.

  With regard to Microsoft’s own stance regarding its compliance capabilities, the following are Microsoft’s statements about how well it complies with various requirements:

    Under EU Data Protection law and our contractual agreement, Microsoft Online Services acts as custodian of your data, essentially a subcontractor (the law calls us the "data processor"). You, the customer, have the final ownership in the data and the responsibility under the law for making sure that we are following the rules and it is legal for you to be sending personal data to us (the law calls you the "data controller"). You must determine for your business in your particular situation if you may use our services to process and store your personal

    In some (emphasis added) countries, we also adhere to the security requirements for storage of sensitive personal data, as defined by law. [vii]

    Microsoft Online Services do not support the processing, transmitting, or storing of PCI governed data, such as credit card numbers. [viii]

  However, Microsoft is making a strong push into the HIPAA-regulated marketplace and will be offering Business Associate Agreements (BAAs) [ix], a new provision in HIPAA that is required as part of Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Microsoft is among the first in the large-scale hosting industry to offer BAAs as an operationalized part of its solution to address requirements associated with hosting Protected Health Information.

• Jurisdictional and geographic requirements
  Some organizations require strict compliance with various jurisdictional or geographic requirements, such as a requirement that data not leave a particular geographic area or that it not be transferred to a nation that does not offer adequate protection of sensitive data. However, Microsoft admitted in June 2011 that content in its data centers can be
  handed over to US or other authorities and that customers might not be notified of this disclosure [x]. With regard to understanding exactly where customer data is stored, some third-party archiving solutions offer greater transparency about where data resides, which will alleviate some decision makers’ concerns.

• Strict client requirements
  With Exchange Online Archiving, each mailbox is paired with a secondary mailbox in the same database that serves as its archive. However, the archived content is visible only for users that employ Outlook 2010, Outlook 2007 or Outlook Web Access. Users that have older versions of Outlook can still use the archive, but cannot see the items in the archive.

• E-discovery requirements
  While the Enterprise plans for Office 365 provide some basic e-discovery capabilities, some organizations will require more sophisticated and more granular e-discovery functionality, including highly configurable legal holds, the export of load files in EDRM XML format when performing early case assessment, and sophisticated case management when performing online reviews. Some organizations that have sophisticated e-discovery requirements will find that although useful, Office 365’s built-in e-discovery capabilities will not meet their needs. Many third-party archiving solutions offer more granular capabilities than are available with Microsoft’s archiving solutions, such as tamper-proof storage, highly granular legal holds and access rights, the ability to perform very complex searches for e-discovery or regulatory compliance purposes, output to a wide variety of file formats when exporting content to third-party review tools, and better support for EDRM requirements. Other capabilities that organizations might need and that are not supported by Microsoft’s archiving solutions include built-in collaborative review of discovered content, and sophisticated culling capabilities to reduce legal costs.

• Limitations on content sources that can be archived
  Organizations that require archiving of content from SharePoint Online and Lync Online cannot use Microsoft’s archiving capabilities because archiving of content from these systems is not supported, nor is file archiving supported. SharePoint backup and restore tools are available, but tend to be more manual and slow than many businesses will need. Moreover, server-side archiving of Lync Online instant messages is not currently available.

• Limited platform support
  Many organizations operate multiple on-premise and cloud-based platforms, and so will need an archiving and compliance solution that can support all of these platforms – capabilities that Microsoft’s archiving solutions do not currently support.

• Limitations on storage
  Some organizations require storage of very large amounts of information as a result of either long retention periods for email and other content, or preservation of data-intensive files like engineering or architectural drawings. Consequently, for some customers the limitations in Office 365’s archiving for the less expensive plans will not be acceptable.
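The archive-then-delete retention tags and the pattern-matching transport rules described in the RETENTION POLICIES and OTHER LIMITATIONS sections above, as an added Exchange Online Remote PowerShell example (not code from the white paper or from Microsoft); the tag and policy names, day counts, the CustomAttribute1 convention, the compliance mailbox address and the regular expression are all constructed assumptions.

```powershell
# Added example, not part of the Osterman white paper. Assumes an open
# Exchange Online Remote PowerShell session with the 2010-era Exchange cmdlets.
# All names, day counts, addresses and patterns below are constructed placeholders.

# --- Retention: an archive policy and a delete policy combined on the same items ---

# Default archive tag: anything not otherwise tagged moves to the user's
# Personal Archive after 365 days (the "archive policy" of the paper).
New-RetentionPolicyTag -Name "Default-MoveToArchive-1Yr" -Type All `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive `
    -Comment "Moves untagged items to the Personal Archive after one year"

# Default delete tag: the same items are deleted after 7 years; an administrator
# can still recover them during the Recoverable Items window (the "delete policy").
New-RetentionPolicyTag -Name "Default-Delete-7Yr" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Deletes items after seven years; admin recovery still possible"

# Personal tag users may apply in Outlook 2010 / Outlook Web App to keep
# regulated correspondence indefinitely (overrides the default delete tag).
New-RetentionPolicyTag -Name "Personal-NeverDelete" -Type Personal `
    -RetentionEnabled $false `
    -Comment "Never delete: apply to regulated correspondence"

# Bundle the tags into one policy and assign it to every mailbox flagged as
# regulated (flagging via CustomAttribute1 = "Regulated" is a constructed convention).
New-RetentionPolicy -Name "Regulated-Users" `
    -RetentionPolicyTagLinks "Default-MoveToArchive-1Yr","Default-Delete-7Yr","Personal-NeverDelete"

Get-Mailbox -ResultSize Unlimited -Filter { CustomAttribute1 -eq 'Regulated' } |
    Set-Mailbox -RetentionPolicy "Regulated-Users"

# Check: list any regulated mailbox that did NOT receive the policy (should be empty).
Get-Mailbox -ResultSize Unlimited -Filter { CustomAttribute1 -eq 'Regulated' } |
    Where-Object { $_.RetentionPolicy -ne "Regulated-Users" } |
    Select-Object PrimarySmtpAddress, RetentionPolicy

# --- Transport rule: inspect outbound mail for card-number-like patterns ---

# The paper notes that Office 365 should not carry PCI DSS governed data.
# This rule catches messages leaving the organization whose subject or body
# matches a deliberately loose 16-digit pattern (constructed; a real deployment
# would tune it), tags the subject, and redirects the message to a compliance
# mailbox for review instead of delivering it to the external recipient.
New-TransportRule -Name "Hold outbound card numbers for review" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns '\b(?:\d[ -]?){15}\d\b' `
    -PrependSubject "[Held for compliance review] " `
    -RedirectMessageTo "compliance-review@example.com"
```

Redirecting rather than rejecting keeps the evidence for the compliance team, which is the defensive outcome the paper's FINRA and PCI DSS discussion calls for.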

The Need for Improved Security in Office 365

Microsoft provides a number of security features for Office 365, including built-in anti-virus and anti-spam filtering through FOPE; physical security at its data centers, such as video surveillance; logical security, such as data isolation, identity and access management, and federated identity; various network security technologies and practices; and real-time health monitoring of its infrastructure [xi]. However, there are a number of security issues that decision makers should take into account as they consider a potential move to Office 365, including:

• Security configuration limitations
  The Professional and Small Business Office 365 plans (the “P” plans) do not permit Administration Center Access for configuring domains or changing IP addresses, nor can FOPE Connectors be used to set up smart hosts, safe lists, shared address spaces or to force TLS communications. The Enterprise plans do offer more of this functionality, although configuring domains and changing IP addresses is available only with the standalone version of FOPE.

• Office 365 uses a multi-tenant architecture
  The Office 365 architecture is multi-tenant, meaning that multiple customers run off of the same servers. While this can be a secure environment, many organizations – particularly those in highly regulated industries or those with very sensitive information – may not be comfortable in a multi-tenant environment. As the amount of information an organization needs to store and manage grows, the appeal of, or requirement for, private cloud solutions and customization tends to move customers away from multi-tenant solutions like Office 365. While Microsoft does offer dedicated services, they are reserved only for large enterprise customers.

• Additional security layers may be needed
  Microsoft FOPE uses multiple scanning engines from Kaspersky and Symantec, among others, and FOPE’s SLA claims to detect 100% of all known viruses with updates every 15 minutes. That said, some customers may want to complement FOPE with an additional layer of inbound protection/detection for increased robustness and phish detection capability. For example, Proofpoint Protection can complement FOPE with a second layer of inbound protection for increased spam capture and phish detection capability; AppRiver’s SecureTide hosted spam and malware protection is currently used to filter email that is then delivered to FOPE for secondary filtering before being delivered to the mailbox. There is no support for blacklists in Office 365 P1. Moreover, Lync Online does not scan files or other content for malware, nor does it archive instant messaging conversations as noted above. Plus, it is important to distinguish phish from spam, allowing for proper management of phish messages (e.g., not placing phish messages in the same quarantine as spam, in order to prevent end users from opening phish messages and having their machine and network potentially compromised).

  Mobile phone operating systems are currently not supported for reading Exchange Online encrypted email messages, whereas some vendors support mobile decryption on multiple smartphone platforms. Exchange Hosted Encryption (EHE) is Microsoft’s hosted encryption service. While EHE is enabled using Forefront Online Protection for Exchange (FOPE), the
  same hosted spam and malware protection included in Office 365 service plans, it is not actually considered an Office 365 product.

• Limitations on traffic flow
  There is a daily limit on the number of recipients that can receive email from Office 365 accounts: 500 emails per 24 hours for small business accounts and 1,500 for enterprise accounts. Moreover, emails are sent at a maximum of 30 per hour. While the reasons for imposing these limitations are sound and will likely not cause problems for some customers, this can seriously limit the utility of Office 365 even for small customers that might process large amounts of email.

• SharePoint Online sandbox model
  SharePoint Online uses a sandbox model and so any custom code designed for SharePoint must work within the limitations of that model. Consequently, the SharePoint Online API requires custom code to work with the Microsoft sandbox model. However, Silverlight, Visual Studio 2010 and SharePoint Designer 2010 all offer tools to help developers leverage the Sandboxed Solution feature inherited by SharePoint Online from SharePoint 2010.

• Mobility limitations
  Office 365 wipes only ActiveSync devices, which can be a serious limitation in the large number of organizations that operate BlackBerry devices. In November 2011, RIM introduced the public beta of BlackBerry Business Cloud Services (BBCS) for Microsoft Office 365, although BlackBerry-enabled organizations that do not want to deploy beta software will continue to be limited to the much slower BlackBerry Internet Service until the former is generally available. BBCS, which delivers a BES-like feature set at little or no cost, is targeted for general availability in January 2012.

• Backup and recovery are managed by Microsoft
  Microsoft manages backup and recovery of content for Office 365 customers unless customers have implemented their own capabilities. While not an inherent weakness per se, customers must rely on Microsoft to manage these aspects of the Office 365 experience. Moreover, data replication does not occur in real time.

• Unified messaging
  Office 365 can be used with the unified messaging functionality in Exchange 2007 and 2010, but it requires the use of a Session Border Controller to integrate an existing telephony system with Office 365.

• Single sign-on
  Single sign-on capabilities are supported in Office 365, but only when Active Directory Federation Services (ADFS) are employed in networks that are running Windows Server 2008 Active Directory on-premises. This means that in enterprise environments, a significant level of on-premise infrastructure is required in order to effectively manage Office 365 access.

Key Questions to Ask

Decision makers have four basic questions to answer with regard to Office 365:

• Should we migrate our active mailboxes to Office 365?
• Should we port our existing email archive to Office 365?
• If yes to either, should we use Microsoft or a third party to provide Office 365 services?
• Should we use one or more other third parties to provide additional capabilities?

Here are some of the more important questions that decision makers should consider as they consider a potential migration to Office 365:

BUSINESS ISSUES

• Because migrating essential services like email and collaboration to the cloud carries with it some level of risk, should we employ multiple providers in order to distribute the risk? For example, if we are concerned about going “all-in” with a cloud strategy, will we be better off using a third-party archiving solution that will maintain copies of data at the Office 365 provider’s and the archiving provider’s data centers?
• Should third-party cloud vendors be employed to enhance the security of Office 365, including vendors of email encryption, business and compliance email archiving or Web filtering?
• What are the options available for cloud service portability? In other words, how easy or difficult will it be to migrate to Office 365, from Office 365 to another provider, or back to an on-premise service model?
• What is the current level of internal IT support that we could devote to managing the migration to and support for Office 365 and third-party offerings?
• What is the desired level of internal IT support for managing the migration to and support for Office 365 and third-party offerings?
• Should we deploy Office 365 using only basic services with supplemental capabilities offered by third parties, or should we opt for more sophisticated (and more expensive) services initially, keeping in mind the limitations in migrating from less capable to more capable plans?
• How will our organization respond and stay productive in the event of an Office 365 service disruption or outage?

REGULATORY ISSUES

• To what extent do we or will we need to comply with SEC/FINRA, HIPAA, FERPA, SOX, GLBA and other regulatory requirements?
• How well will native Office 365 capabilities comply with our requirements and what are the holes we will need to fill with third party services?
  13. 13. Making Office 365 More Secure and CompliantSERVICE LEVELS AND SLAs• How reliable is Office 365?• How reliable are third-party solutions focused on archiving, security, compliance, encryption, etc.?• What compensation is offered by providers following outages?• What should our backup strategy for Office 365 data be?• What metrics do we need to establish with regard to Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)?CONTENT MANAGEMENT AND ARCHIVING• Do we need redundant copies of our archived data in multiple locations?• If yes, why? For data protection? Business continuity? Disaster recovery? What is the relative importance of each?• Do we need to specify in which country(ies) our content will be stored?• What will be the impact of the US PATRIOT Act on our ability to protect information?• Do we need to add our corporate domain(s) and set up journal rules to capture all messages sent or received from Exchange Online directly within the administration console?SUPPORT AND INTEGRATION• What types of support services are available with the providers we are considering? Online support only, telephone support, chat support, concierge onboarding, US-based support?• How much support will be required initially and long term?• How well can a third party vendor integrate with Office 365 from a user management and Active Directory sync perspective?FOCUS ON SMBs OR ENTERPRISES?• Does the provider of Office 365 or other services like archiving or security focus on the SMB market, on the enterprise market or both? In other words, what is the market focus of the provider and how well will they meet our specific requirements?MIGRATION SERVICES• What services are offered for migrating existing, on-premise Exchange mailboxes to Office 365?• What services are offered for migrating archived data from on-premise archiving solutions to either Exchange Online Archiving or a third party, cloud-based archiving solution?©2011 Osterman Research, Inc. 12
  14. 14. Making Office 365 More Secure and Compliant• Do these services include mail route control, split domains or blended solutions that can streamline the migration process?• To what extent are customization services required?MOBILE USERS• Which mobile platforms are used today and which ones will be used in the future?• How well will our mobile users be supported in Office 365 and by third party providers?PROFESSIONAL AND RELATED SERVICES• To what extent will Microsoft-focused professional services be required to assist in the migration and/or integration process?• To what extent will deep product integration with Microsoft services and software be required?• How much will providers be required to know about Microsoft’s underlying technology, including key Microsoft-focused competencies and certifications? How much do they know?• How much experience should the provider have with multiple Microsoft platforms like Office 365, BPOS, on-premise Exchange, Exchange Online, SharePoint, Lync, etc.?• Does the provider have direct access to internal Microsoft product team internal resources, training materials and technical content?USER MANAGEMENT• How easy will user management be in Office 365 based on the number of users, the amount of archived data, the geographical distribution of users/offices and other factors?SINGLE SIGN-ON• Is single sign-on required?• If so, will the investment in on-premise Microsoft solutions be worth the expense, or will another single sign-on offering be a better fit?• If a third party is used, will that party leverage Microsoft’s ADFS for identity management and single sign-on as opposed to other, non-Microsoft-sanctioned/approved methods?TRIALS• Are trials of Office 365 and/or various third-party capabilities offered that will enable us to evaluate them in their own real world environment?©2011 Osterman Research, Inc. 13
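The journaling question under Content Management and Archiving above is the one item in this checklist that maps directly to a configuration, so it is worth showing what “capture all messages” means in Exchange Online terms. The PowerShell below is an added example, not code from the white paper or from any of its sponsors. It creates a single global-scope journal rule that points at an archive address outside the tenant (Exchange Online does not allow a mailbox in the same tenant to be the journaling target, which is exactly why a third-party archive or an on-premise mailbox is needed), sets the JournalingReportNdrTo address that receives journal reports the archive cannot accept, and then checks what is actually in force. The rule name and every address are placeholders, and an Exchange Online PowerShell session is assumed to be open already (Connect-ExchangeOnline from the ExchangeOnlineManagement module, or the remote PowerShell session the 2011-era service used).

```powershell
# Added example (not from the white paper or any sponsor): configure and verify
# "journal everything" in Exchange Online. Assumes an Exchange Online PowerShell
# session is already open, e.g. via Connect-ExchangeOnline (ExchangeOnlineManagement
# module). The rule name and every address below are placeholders.

$RuleName      = 'Archive all mail'
$JournalTarget = 'journal@archive.example.net'   # archive provider's intake address; must be outside the tenant
$NdrTarget     = 'journal-ndr@example.com'       # receives journal reports the archive cannot accept

# 1. Undeliverable journal reports go here. Leave it unset and a failure at the
#    archive end silently drops the compliance copy.
Set-TransportConfig -JournalingReportNdrTo $NdrTarget

# 2. One rule, global scope (internal and external mail) and no -Recipient filter,
#    so every message sent or received by the tenant is journaled.
if (-not (Get-JournalRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-JournalRule -Name $RuleName `
                    -JournalEmailAddress $JournalTarget `
                    -Scope Global `
                    -Enabled $true | Out-Null
}

# 3. Verify what is actually in force, not what was typed. Each finding is a gap
#    a regulator or opposing counsel would ask about.
function Test-JournalingCoverage {
    $findings = @()
    $rules = @(Get-JournalRule)
    if ($rules.Count -eq 0) { $findings += 'no journal rule exists' }
    foreach ($r in $rules) {
        if (-not $r.Enabled)       { $findings += "$($r.Name): disabled" }
        if ($r.Scope -ne 'Global') { $findings += "$($r.Name): scope is $($r.Scope), not Global" }
        if ($r.Recipient)          { $findings += "$($r.Name): limited to recipient $($r.Recipient)" }
    }
    $tc = Get-TransportConfig
    $ndr = "$($tc.JournalingReportNdrTo)"
    if ([string]::IsNullOrEmpty($ndr) -or $ndr -eq '<>') {
        $findings += 'JournalingReportNdrTo is not set'
    }
    return $findings
}

$gaps = @(Test-JournalingCoverage)
if ($gaps.Count -eq 0) { Write-Output 'Journaling covers all mail; verified.' }
else { $gaps | ForEach-Object { Write-Warning $_ } }
```

The verification function is the part worth keeping after the rule is created: a journal rule that exists but is disabled, scoped to internal mail only, or restricted to one recipient looks fine at a glance in the administration console and still misses mail a regulator expects to see.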
Summary

Office 365 is a robust and capable cloud-based offering that can satisfy the email, real-time communications, document sharing, collaboration and document creation needs of small, mid-sized and large organizations. However, despite the many features baked into Office 365, it will not satisfy every requirement, particularly in the context of highly regulated organizations or those with specialized security needs. Consequently, while Osterman Research recommends that organizations consider Office 365 when they evaluate cloud-based solutions, we believe that most mid-sized and large organizations will need to use third-party solutions to fully satisfy their migration, compliance and security requirements.

Sponsors of This White Paper

AppRiver, LLC
1101 Gulf Breeze Parkway, Suite 200
Gulf Breeze, FL 32561 USA
+1 866 223 4645
www.appriver.com

AppRiver, a leading provider of email messaging and Web security solutions, was among the first syndicated partners to bring the new Microsoft Office 365 suite to market. With more than 45,000 corporate customers and 8 million mailboxes worldwide, AppRiver is one of the largest hosted security service providers in the world. It is that record of success, and the company’s over-the-top commitment to customer care, that made AppRiver a natural partner during the launch of Office 365.

With Office 365 from AppRiver, there’s no upfront investment in software, updates are automatic and included, and service plans may be tried out for free for 30 days. There are no cancellation penalties and clients are free to leave at any time. That said, the company maintains an impressive 93% customer retention rate since inception and backs its services with award-winning Phenomenal Care™. Every AppRiver customer has VIP access to US-based technicians 24 hours a day, every day. What’s more, a team of trained sales engineers is available to assist customers with complimentary migration to the cloud.

AppRiver offers a growing suite of cloud-based security solutions that may be managed within a single, easy-to-use customer portal. Services include spam and virus protection, secure Exchange hosting, email encryption, email continuity, archiving and Web protection. The company is led by an Ernst & Young Florida Entrepreneur of the Year award winner, and has been identified as a Top 20 Cloud Security Vendor in 2011 by Everything Channel’s CRN magazine. For more information, please visit www.appriver.com.
LiveOffice LLC
2780 Skypark Drive, Suite 300
USA
+1 800 374 2032
www.liveoffice.com

LiveOffice is the number-one global provider of cloud-based email archiving, email compliance, email discovery and email continuity solutions, with more than 20,000 clients and a 97-percent client retention rate.

UNIQUE PARTNERSHIP WITH MICROSOFT OFFICE 365

LiveOffice offers advanced compliance and e-discovery capabilities for Microsoft Office 365. It is the only archiving provider that securely captures, retains and synchronizes users in one integrated system and provides the only archiving solution that:

• Archives Exchange Online (including Personal Archive), SharePoint Online and Lync Online content
• Automatically synchronizes users, email addresses and distribution lists
• Provides native archive access from Windows Phone 7, along with other mobile devices and tablets

THE ONLY THIRD-PARTY ARCHIVE WITH AUTOMATED DIRECTORY SYNC TO OFFICE 365

With automated directory sync, Exchange administrators only need to manage and provision users and mailboxes in one place. Unlike most archiving solutions that may leverage other single sign-on (non-Microsoft) methodologies, LiveOffice enables single sign-on through the same ADFS mechanism that enables users to sign in to Office 365. This simplifies the archive deployment for Exchange administrators and minimizes the user impact and learning curve.

• Other benefits include:
  o Significant cost savings for organizations looking for advanced compliance and e-discovery (when bundled with E1 or E2 plans)
  o Seamless migration of existing data (e.g., tape backups, PSTs/NSFs or on-premise archives)

For more information, call 800.374.2032 or visit www.liveoffice.com. Visit the LiveOffice blog or follow LiveOffice on Twitter.

Proofpoint, Inc.
892 Ross Drive
Sunnyvale, CA 94089 USA
+1 408 517 4710

Proofpoint, Inc. helps the largest and most successful companies in the world protect and govern their most sensitive data. Proofpoint delivers an integrated suite of on-demand data protection solutions spanning threat protection, regulatory compliance, data governance and secure communications, all of which are based on a common security-as-a-service platform.

Proofpoint Enterprise Archive is an on-demand email archiving Software-as-a-Service (SaaS) solution that supports Microsoft Office 365 and both hosted and on-premises versions of Microsoft Exchange Server. Proofpoint Enterprise Archive’s policy engine allows an organization to create, maintain and consistently enforce a clear corporate email retention policy.

Proofpoint Enterprise Archive offers users the following advantages:

• Mitigates discovery risk by preserving a copy of every message and improves efficiency in managing the discovery hold process.
• Permits users to systematically review selected email, to help simplify the compliance audit process, and foster compliance with SEC and FINRA regulations for email.
• Securely archives a copy of every internal and external email in Proofpoint’s state-of-the-art data centers and provides customers with easy access to their messages at all times.

Learn more about Proofpoint Enterprise Archive for Office 365 on the Proofpoint website. Every enterprise is unique, so flexibility defines Proofpoint solutions, deployments and support. We lead the way with cloud-based email solutions, but also specialize in appliance, virtual appliance and unique hybrid deployments. And we back it all up with a commitment to customer service where exceptional is the rule.

Headquartered in Sunnyvale, California, Proofpoint has offices around the globe including Canada, Japan, the United Kingdom, Asia Pacific, Europe and Mexico.

Smarsh
921 SW Washington Street, Suite 540
Portland, OR 97205 USA
+1 866 762 7741

Smarsh® provides hosted solutions for archiving electronic communications, including email, instant messaging and social media platforms such as Facebook, LinkedIn and Twitter. Founded in 2001, the company helps organizations manage and enforce flexible, secure and cost-effective compliance and records retention strategies.

With robust supervision, compliance and e-discovery functionality designed to meet the sophisticated needs of highly regulated industries, the Smarsh email and electronic message archiving platform enables clients to powerfully augment the capabilities of a Microsoft Office 365 deployment. Clients search, review and produce email on demand alongside an expanding number of electronic messaging forms, including enterprise (e.g., Lync Online), public and third-party (Reuters, Bloomberg) communications platforms, SMS/text messages, social media content and websites. Customizable solutions fit the needs, budgets and technological infrastructure of any business and are matched with unrivaled customer support and service. For more information, visit the Smarsh website and follow Smarsh online.
© 2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.