TechTarget defines compliance as “being in alignment with guidelines, regulations and/or legislation”. These guidelines, regulations and laws have been put in place by governments to hold organizations accountable for how they operate. Regulations may vary by country, but generally they focus on making sure that organizations keep records of their activities and prevent unauthorized use of data.
Penalties for noncompliance can be severe - in extreme cases, fines are measured in millions of dollars and company executives who make false claims of compliance can be imprisoned. With regulations applying to paperwork and electronic information alike, organizations are looking to IT to keep them and their data out of trouble.
Understandably, CIOs are concerned about meeting compliance requirements, and when you add cloud computing to the mix, they get downright nervous. Microsoft is well aware of these fears and hopes to allay them with the functionality on offer in the Compliance Center.
The Compliance Center is a subset of the Office 365 Admin toolset. Some compliance features have been available in Office 365 since it was launched, but Microsoft is now pursuing a strategy to unite all compliance features under the Compliance Center interface.
As detailed in this video from the recent Ignite conference, Microsoft already has some rich functionality in the Compliance Center and is planning to release more cool features soon. Ultimately, their vision is that the Compliance Center will become the hub for all your organization’s compliance needs. Let’s look at a few of these features.
Archives and Retention Policies
Broadly speaking, data loss occurs when a user deletes data, or when data is passed on to unauthorized persons. To start with, the Compliance Center features Archiving and Retention tools to prevent deletion of emails or documents stored in SharePoint or OneDrive.
The Archiving feature applies to Exchange Online mailboxes. It's activated in the Compliance Center on a user-by-user basis, (although you can perform bulk management using PowerShell), and moves any email older than two years into an archive mailbox by default. The archive mailbox is only accessible to the user and to eDiscovery searches. An administrator can create custom retention policies to modify the retention period and what happens to the email when moved.
The Retention section of the Compliance Center also includes a link to set up document deletion policies for SharePoint and OneDrive. Clicking the link opens the Document Deletion Policy Center in a new window; once you’re there it’s possible to set up a variety of policies that can automate and control document deletion on a site by site, or site collection basis - as detailed in this TechNet walkthrough.
Data loss caused by information being leaked to unauthorized users via email can also be prevented using Exchange Online’s Data Loss Prevention (DLP) features. DLP is also coming to SharePoint Online and OneDrive for Business, where it'll be tightly integrated with Office 2016.
Office 365 boasts native eDiscovery capabilities which allow compliance case workers to perform forensic searches in Office 365. If the search returns content that needs protection against tampering while the legal process is underway, it's possible to set up a litigation hold on the content in Exchange, SharePoint, and OneDrive for Business, without moving it from its original location. This kind of ‘in-place’ litigation hold minimizes disruption while still protecting the evidence.
Compliance Center Permissions
Hopefully, your data is protected by correctly configured permissions, but those same permissions can create a challenge for IT and legal teams when they need to search Office 365. Historically, Microsoft has solved this problem in Exchange by giving the Discovery Management group full access to all data.
Now, however, the Compliance Center has a Permissions node that allows authorized users to be assigned to one of four default groups that have varying degrees of control of the eDiscovery search tools, and access to search results. If the built in groups don’t meet your requirements, you can create your own to assign the required capabilities in a very granular fashion.
One final quick point on possibly the coolest upcoming feature - Equivio Zoom. Zoom is a product acquired by Microsoft to add machine learning capabilities to eDiscovery search and reporting. While Office 365 eDiscovery Search is hugely powerful, it works best when you have very specific search criteria. Without knowing exactly what you're looking for, Search can be a bit like looking for a specific needle in a haystack full of needles.
Using advanced ‘thematic analysis’ and ‘predictive coding’ capabilities, Zoom is able to identify trends, correlate data across email, documents and other Office 365 data sources, and then generate a structured report that lawyers can use. It all looks very impressive in this demonstration at Ignite (skip to 36:30 for the demo), if only for the Star Wars and grocery shopping case study! In large eDiscovery scenarios with millions of documents and as many email messages, Zoom promises to save a lot of time and legal fees.
Big red button
Compliance solutions can be compared to an ejector seat in a fighter plane. You hope you never need to use one, but when you do need it, it had better work. It’s clear that the Compliance Center isn't just a token gesture to enable organizations to meet minimum compliance requirements - it's shaping up to be a powerful, enterprise grade toolkit.
It'll be even more powerful when all the preview features are released for general use. In particular, we’re looking forward to features like DLP or SharePoint, unlimited storage capacity for archive mailboxes, and of course, Equivio Zoom.
What about you? Which Office 365 Compliance features are you eager to see?