How to Use Office 365 and Maintain Compliance

Do archiving and security features in Office 365 make the grade for regulatory compliance?
Office 365 is a welcome upgrade from the Business Productivity Online Standard Suite (BPOS) for Microsoft's customers. But while suitable for the needs of many businesses, cloud services can provide some challenges for organizations that need to go beyond regulatory codes.

Office 365 Architecture and Industry Standards

Office 365 is a multitenant public cloud service, which means services for all customers are run on the same physical infrastructure in the data center, but Microsoft uses specially designed technology to segregate data storage and processing. One exception is Office 365 for Government, which uses a separate infrastructure for U.S. government customers.

Services delivered via Office 365 are ISO 27001 certified — a common standard for information security management systems. Other standards supported are SAS 70 Type II, EU Safe Harbor, EU Model Clauses, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and the Federal Information Security Management Act (FISMA).

Compliance with E-mail Archiving

The E1 and E2 plans have a combined quota limit of 25GB for a user’s mailbox and personal archive. The E3 and E4 plans also have a 25GB limit on mailboxes but offer unlimited space for personal archives, although the default quota limit can be increased to 100GB by contacting support. Office 365 enterprise plans allow Exchange users to have an archive enabled for their primary mailbox, and personal archives are included in multiple-mailbox searches to facilitate discovery.

Although it’s possible for organizations to use locally stored personal folders (.PST files) for archiving purposes in Outlook, system administrators will be only too aware of the disadvantages with this strategy, including the challenges involved in making sure archives get backed up and in searching e-mail when it’s not stored on a server.

Mailboxes can be put on litigation hold in the E3 and E4 enterprise plans, including personal archives, if enabled. Bear in mind that users can delete items from their personal archive, and the default recovery period for deleted items is 14 days, after which any items moved to the trash are automatically purged. The maximum recovery period is 30 days, but users can contact support and have the recovery period for deleted items extended.

The Office 365 management portal lets administrators configure retention tags so that rules can be created for archiving. For instance, you can set up a rule that automatically applies tags to e-mails so that they’re moved to an archive after one year or deleted after five years.
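The archiving controls described in the last two paragraphs (litigation hold on a mailbox and its archive, and retention tags that archive after one year and delete after five) can also be set from Exchange Online PowerShell rather than the portal. The following is an added example, not code from the article or from Microsoft; it assumes an Exchange Online remote PowerShell session is already open with the necessary admin roles, and the user address and tag/policy names are placeholders.

```powershell
# Added example (not from the article). Assumes an open Exchange Online
# remote PowerShell session; "user@contoso.example" and the tag/policy
# names below are placeholders.

$user = "user@contoso.example"

# 1. Retention tags. Age limits are in days: 365 = one year, 1825 = five years.
#    Type All makes these default policy tags that apply to the whole mailbox.
New-RetentionPolicyTag -Name "Archive after 1 year" `
    -Type All -AgeLimitForRetention 365 -RetentionAction MoveToArchive

New-RetentionPolicyTag -Name "Delete after 5 years" `
    -Type All -AgeLimitForRetention 1825 -RetentionAction DeleteAndAllowRecovery

# 2. Bundle the tags into a policy and assign it to the mailbox.
#    One archive tag and one delete tag may coexist in the same policy.
New-RetentionPolicy -Name "Archive 1y, Delete 5y" `
    -RetentionPolicyTagLinks "Archive after 1 year", "Delete after 5 years"

Set-Mailbox -Identity $user -RetentionPolicy "Archive 1y, Delete 5y"

# 3. Litigation hold: preserves mailbox content, including the personal
#    archive when one is enabled, regardless of user deletions.
Set-Mailbox -Identity $user -LitigationHoldEnabled $true

# 4. Verify the settings and the current deleted-item recovery window.
Get-Mailbox -Identity $user |
    Format-List RetentionPolicy, LitigationHoldEnabled, ArchiveStatus, RetainDeletedItemsFor
```

Retention tags only take effect once the Managed Folder Assistant has processed the mailbox, so a change will not be visible in user mailboxes immediately.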

Exchange Journaling

Journaling differs from personal archives, in that all mail passing through an Exchange organization can be matched against one or more journaling rules. If an e-mail matches a rule, it can be sent as an attachment to a designated mailbox, sometimes called “envelope journaling,” or a copy can be sent in its entirety.

Journal recipients, the people whose mail is included in a journal rule, can be a small group or everyone in an organization. The scope of a journal rule can be restricted, for example, to external mail only, helping to limit the size of the journal mailbox. It’s possible to have more than one journal mailbox and multiple journal rules.
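The journaling setup just described (a rule scoped to external mail for a limited group, a second rule for everyone, and more than one journal mailbox) looks like this in Exchange Online PowerShell. This is an added example, not code from the article; it assumes an open Exchange Online remote PowerShell session, and all mailbox and group addresses are placeholders. Note that Microsoft's documentation requires the journaling mailbox in Exchange Online to sit outside the tenant, for example an on-premises or third-party archive mailbox.

```powershell
# Added example (not from the article). Assumes an open Exchange Online
# remote PowerShell session; every address and group below is a placeholder.

# Journal mailboxes must be outside the Exchange Online tenant
# (on-premises Exchange or a third-party archive), per Microsoft's docs.
$journalExternal = "journal-external@archive.contoso.example"
$journalAll      = "journal-all@archive.contoso.example"

# Rule 1: external mail only, limited to one regulated group.
# Restricting -Scope to External keeps the journal mailbox small.
New-JournalRule -Name "Journal external mail - Finance" `
    -JournalEmailAddress $journalExternal `
    -Scope External `
    -Recipient "finance-team@contoso.example" `
    -Enabled $true

# Rule 2: all mail for everyone (no -Recipient), delivered to a second
# journal mailbox. -Scope Global covers internal and external messages.
New-JournalRule -Name "Journal all mail - Organization" `
    -JournalEmailAddress $journalAll `
    -Scope Global `
    -Enabled $true

# If a journal report cannot be delivered, send the NDR to a mailbox that
# is itself never journaled, so failures are noticed rather than looped.
Set-TransportConfig -JournalingReportNdrTo "journal-ndr@archive.contoso.example"

# Review the rules in force.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
```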

Security and Storage Limits in Office 365

Microsoft’s data centers provide defense-in-depth physical and logical security, while the Forefront Protection Suite of enterprise-grade security products provides antispam and antivirus for Exchange and SharePoint in the cloud.

The 128-bit SSL/TLS encryption between SharePoint Online and corporate networks or individual computers is only provided in enterprise plans, which could lead to sensitive information being transmitted over the public Internet in cleartext on other plans. Data transmitted to and from Outlook Web Access is encrypted over the wire in all plans. There’s no archiving capability in SharePoint Online; however, Microsoft has recently increased the maximum storage limit from 5TB to 25TB.

If an extra layer of security beyond basic SharePoint permissions is needed, Office 365 supports Information Rights Management for restricting access to documents and what actions can be performed. This extends to e-mails and voicemail messages. Office 365 Exchange and Outlook also support Secure/Multipurpose Internet Mail Extensions (S/MIME) for public key encryption and digital signatures.

Office 365's Single Sign-On

Organizations can use single sign-on to synchronize accounts held in an on-premises Active Directory (AD) domain with Office 365 so that security policies have to be managed in only one place. A common user account and password for both AD and Office 365 improves security and reduces help-desk calls. If single sign-on is enabled, two-factor authentication is also supported for stronger security, which means a user must provide something physical, such as a smart card, in addition to a password.

Businesses wishing to deploy single sign-on must have Windows Server 2003 (or later) Active Directory running on premises. Active Directory Federation Services (ADFS) version 2 must also be deployed on premises and installed on Windows 2008 or later. If users need access to Office 365 using single sign-on from outside the corporate firewall, an ADFS proxy server must also be deployed.

Privacy in the Cloud

The administration console in Office 365 allows organizations to customize security and access for documents stored in the cloud so that specific regulatory requirements can be met. For businesses that can’t put their most valuable assets in the hands of a public cloud provider, a public/private cloud could be the answer, hosting the most sensitive data on premises and everything else online.

Consider whether data that’s subject to regulatory compliance should be placed in the cloud. Start by creating an internal data-classification policy to help identify exactly what information is subject to regulation; doing so will allow you to determine whether Office 365 can provide the necessary tools to protect that data.

About the Author

Russell Smith

Microsoft Technology Best Practices

Russell is a technology consultant and trainer specializing in management and security of Microsoft server and client technologies. A Microsoft Certified Systems Engineer with more than 10 years of experience, Russell’s projects have included everything from deploying Small Business Server to developing security practices on large-scale United Kingdom government IT projects. Russell is also author of Least Privilege Security for Windows 7, Vista and XP published by Packt.