Making Office 365 More Secure and Compliant

WHITE PAPER

Making Office 365 More
Secure and Compliant
ON An Osterman Research White Paper
Published December 2011

SPONSORED BY
sponsored by
sponsored by
sponsored by

sponsored by
sponsored by
SPON

sponsored by
Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman

Making Office 365 More Secure and Compliant

Executive Summary
Microsoft Office 365 represents the company’s latest entry into the cloud-based messaging,
collaboration and productivity market. While deciding on which of the many flavors of Office
365 to deploy can be a bit daunting because of the many (and somewhat confusing) options
available, it is clear that Microsoft has done quite a good job at creating a robust and scalable
platform that can satisfy the requirements of many organizations.

That said, there are some organizations that will need compliance and security capabilities not
available with Office 365. These include some organizations operating in highly regulated
industries like financial services, healthcare and energy; organizations with strict regulatory
requirements to protect, archive or sample various types of communications; organizations that
operate in countries with strict data protection laws; and organizations with specialized security
requirements that are not satisfied by the features built into Office 365.

KEY TAKEAWAYS
• Office 365 is a solid platform that can meet a variety of corporate requirements for email,
real-time communications and document management.

• Migration to Office 365 requires significant expertise, planning and deployment skills if it is
to be performed properly and with a minimum of disruption.

• Despite being a cloud-based solution, many of the more advanced features of Office 365
require substantial on-premise infrastructure or the use of third-party capabilities.

• The archiving and compliance capabilities in Office 365, while useful, will not be sufficient to
satisfy many common regulatory and legal data retention, e-discovery and related
obligations.

• While Office 365 offers robust security capabilities, it does not permit customers to
implement all options that they might require. Moreover, the SharePoint Online API
requires custom code to work with the Microsoft sandbox model.

ABOUT THIS WHITE PAPER
This white paper was sponsored by AppRiver, LiveOffice, Proofpoint and Smarsh. Information
on each of these companies is provided at the end of this document.

TWO IMPORTANT CAVEATS
It is important to note at the outset two important caveats about this white paper:

• The purpose of this paper is not to denigrate Microsoft Office 365 in any way. In fact, we
believe that Office 365 is a robust platform that will meet the needs of many organizations
that want to simplify their IT deployments and/or reduce their overall IT costs. However, as
with any cloud-based platform, there are limitations in Office 365 that organizations need to
understand and evaluate as they consider migrating their email, real-time communications,
archiving and other communications and collaboration capabilities to the cloud.

©2011 Osterman Research, Inc. 1


• The third party services discussed in this white paper are complementary, add-on solutions
to Office 365, not replacements for the capabilities offered in Office 365.

Why Office 365?
CORE FEATURES AND PLATFORM OVERVIEW
Microsoft Office 365 is an integrated suite of cloud-based offerings that Microsoft already offers
as on-premises solutions:

• Microsoft Exchange Online
Email, calendaring and task management, including built-in archiving services. The basic
Office 365 package includes 25 GB of storage per user.

• Microsoft Office
The Office Web Apps are lighter versions of Word, PowerPoint, Excel and OneNote intended
to satisfy the requirements of basic users of these applications, and/or to supplement the
desktop experience of Office Professional Plus that may be required by more advanced
users.

• Microsoft SharePoint Online
Includes document management and collaboration services, Web site development, project
management and the ability to develop intranets and extranets.

• Microsoft Lync Online
Includes real-time communications that includes IP-based voice, video conferencing, Web
conferencing, instant messaging and presence capabilities. Lync replaces the existing Office
Communications Online and LiveMeeting tools that have been offered by Microsoft for some
time.

Office 365 is intended to be a mostly cloud-based environment for organizations regardless of
their size, replacing the core functionality of on-premises systems focused on managing email,
collaboration, real-time communications and desktop productivity. In short, Office 365 is the
next generation of Microsoft’s Business Professional Online Services (BPOS), Office Live Small
Business and Live@edu offerings.

Office 365 is available in various versions that are intended for small businesses through very
large enterprises – other plans are also available for educational institutions. Microsoft offers
multiple versions of Office 365 ranging from $6 to $27 per user per month, as shown below:

• Kiosk plansi
o K1: $4 per user per month
o K2: $10 per user per month

• Personal and Small Business Planii
o P1: $6 per user per month



• Enterprise Plansiii
o E1: $10 per user per month

DIFFERENCES BETWEEN OFFICE 365 AND BPOS
Microsoft BPOS was introduced toward the end of 2008 and has been fairly successful,
achieving a customer base of several million seats. At the same time, BPOS has been
somewhat controversial with Microsoft’s large ecosystem of hosted Exchange providers because
Microsoft’s per-seat pricing for BPOS was significantly lower than many providers’ per-seat
pricing for hosted Exchange – prices for BPOS were reduced to $5.00 per seat per month.

There are some significant differences in the features, function and design between BPOS and
Office 365:

• BPOS was built on the 2007 versions of its three key components, Exchange, SharePoint
and Office Communications Server (now Lync Server), while Office 365 is built on the 2010
versions of all three products. The difference is important because the 2010 versions were
designed with the cloud as a delivery model while the 2007 versions were not.

• Office Professional Plus is the most significant difference between BPOS and Office 365 –
office productivity functionality of any kind was not included in BPOS. This is Microsoft’s
entry into the space that has been dominated by Google Apps and, to a lesser extent, a
number of other providers like Zoho, HyperOffice, IBM Lotus and many others.

• While BPOS was designed primarily for smaller businesses, Office 365 has been designed for
enterprises, as well. Office 365 clearly represents Microsoft’s push into the large-enterprise
market for cloud-based applications and messaging functionality.

• Office 365 offers a number of enhancements to BPOS, the most notable of which is the
Service Connector designed to simplify desktop management, manage updates and patches,
and manage the overall login process.

• SharePoint Online, originally considered to be just a shared document repository, has now
evolved into a true collaboration platform in which enterprises can run enterprise-wide
applications. This is particularly advantageous for organizations that rely heavily on their
messaging platform to run business applications, such as Lotus Notes customers.

WHAT OFFICE 365 WILL DO
Office 365 offers a number of very useful features, including:

• Full Web-based email and calendaring functionality
• 25 gigabytes of online storage
• The ability to send attachments up to 25 megabytes
• Document sharing
• Instant messaging
• Voice conferencing



• Video conferencing
• Web-based versions of Word, Excel, PowerPoint and OneNote
• Basic archiving
• Anti-virus and anti-spam filtering

The enterprise versions of Office 365 add a number of other features, including live telephone
support, the ability to apply basic legal holds to mailbox items, more advanced voice
capabilities, and the on-premise version of Office Professional Plus 2010. Moreover, Office 365
complies with ISO 27001 and EU Safe Harbor standards, while Office 365 data centers –
managed by Microsoft Global Foundation Services – support these standards and are also
SAS70 Type II- and FISMA-compliantiv. Moreover, Office 365 helps customers with regulatory
compliance by adhering to a number of industry standards, including the Health Insurance
Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act
(FERPA), Title 21 CFR Part 11 of the Code of Federal Regulations, the Federal Information
Processing Standard (FIPS) 140-2, Trusted Internet Connections (TIC), the Gramm-Leach-Bliley
Act (GLBA), and Good Manufacturing Practice (GMP).

In short, Office 365 compares quite nicely to similar offerings and offers a robust set of features
and certifications. It is important to keep in mind that technology is not compliance.
Organizations can employ Office 365 and other solutions to help them meet many regulatory
requirements, but they are not a “compliance button”.

WHAT OFFICE 365 WON’T DO
Despite the many features and functions offered in Office 365, there are a number of
capabilities that the solution does not provide or does not provide to the depth that many
organizations require, including a number of security and compliance capabilities that are
discussed in more detail in the next section. Among the limitations of Office 365 are:

• Exchange Online does not offer managed folders or public folders, complicating the
migration process for organizations that currently maintain these folders in their on-premise
deployments.

• For Mac-enabled organizations, access to Office 365 applications is not as straightforward as
it is in Windows-based environmentsv.

• On-premise applications that require SMTP functionality for outbound communications
require either an on-premise SMTP server or configuration through Forefront Online
Protection for Exchange (FOPE).

• Microsoft does not offer a migration path from the P1 to any of the E plans.

• Directory synchronization and single sign-on are not available with the P1 plan.

• Office 365 Plan P does not permit journaling, a serious problem for some organizations
considering migration. However, Exchange Online Plan 1 does permit journaling. The
Exchange Online management console provides journaling functionality and control for all
Enterprise Exchange mailboxes.



• Message revocation for encrypted messages (i.e., message recall) is not supported.

• Migration in Office 365 occurs only one mailbox at a time (one source indicates up to 10
mailboxes at a time) and the tools available for archive migration are not simple. Migrating
legacy archives or .PST files is not a simple exercise in more sophisticated environments.

The Need for Improved Compliance in Office 365
One of the fundamental issues that Osterman Research has discovered in its research is that
many organizations do not consider their specific archiving, security and compliance
requirements in general. Moreover, many do not consider their long-term archiving and
compliance requirements before migrating to a cloud-based platform like Office 365. However,
they do so at the peril of being unable to fully satisfy their archiving, security and compliance
requirements. In short, implementing new tools comes with a new set of compliance
responsibilities.

BROADER ARCHIVING OPTIONS
One of the most important issues for decision makers to consider is the fact that Office 365
does not offer as broad a set of archiving options as they might need today or in the future.
For example, as a result of the revised Federal Rules of Civil Procedure (FRCP) and more recent
court decisions, relevant Electronically Stored Information (ESI) must be retained for long
periods. ESI typically includes content stored on email servers – a leading source of
discoverable content in many legal cases – but it also includes electronic content of various
types, including:

• Documents stored in SharePoint databases and other repositories
• Instant messages and other content generated in Lync sessions
• Files generated by Office productivity applications
• Social media content

However, Office 365 has some limitations in the context of its archiving capabilities. For
example, Microsoft Plans E1 and E2 offer only a Personal Archive option – Plans E3 and E4 offer
both Personal Archive and Advanced Archive. Exchange Online archiving is available only with
the E3 and E4 bundles and cannot be added as an a la carte option to E1 or E2. While third
party archiving tools can be used with all of the Enterprise bundles, the P1 bundle does not
provide for journaling control, so there is no real option to add archiving to that offering.

Moreover, Plan E1 requires the archive to share the 25 gigabytes of space between each user’s
mailbox and their personal archive, whereas Plan 2 allows an archive of unlimited size, although
a default quota of 100 gigabytes is provided in Plan 2 – this quota cannot be modified without
intervention by Microsoft.

It is important to note that for purposes of e-discovery or other, corporate-wide data
management requirements, there is a need to capture messages in the Personal Archives. Also,
there is a 50-mailbox search limitation with Office 365. Moreover, to enable Microsoft’s e-
discovery capabilities requires deployment of the E3 offering, a 50% price increase compared to



E2. Inactive mailboxes, such as those for employees who have left the company, still need to
be paid for as if they were active for retention/e-discovery purposes.

Another limitation of Office 365 is that if the service goes down for any reason, the archive is
also unavailable. Use of a third party archiving solution gets around this limitation by storing
data in two completely separate infrastructures, allowing users access to their archive and, as
part of a business continuity solution, to send and receive emails while Office 365 is
unavailable. This is not a trivial consideration, since there have been some serious outages in
the Office 365 infrastructure, including a three-hour-plus outage on August 17, 2011 caused by
a “networking interruption”, and another – also lasting three hours – on September 8, 2011 as
a result of a DNS issue.

RETENTION POLICIES
For companies requiring granular control over email retention policies, the mail controls built
into Office 365’s Exchange Online Plan 1 with Outlook 2010 may or may not be adequate. In
Exchange Online Plan 2 with Outlook 2010, control over email retention policies is granular and
flexible.

Exchange Online offers retention policies to help organizations reduce the liabilities associated
with email and other communications. With these policies, administrators can apply retention
settings to specific folders in users’ inboxes. Administrators can also give users a menu of
retention policies and let them apply the policies to specific items, conversations, or folders
using Outlook 2010 or Outlook Web App. In Exchange Online, administrators manage retention
policies using Remote PowerShell.

Exchange Online offers two types of policies: archive policies and delete policies. Both types
can be combined on the same item or folder. For example, a user can tag an email message so
that it is automatically moved to the personal archive in a specified number of days and deleted
after another span of days.

With Outlook 2010 and Outlook Web App, users have the flexibility to apply retention policies to
folders, conversations, or individual messages and can also view the applied retention policies
and expected deletion dates on messages. Users of other email clients can have emails deleted
or archived based on server-side retention policies provisioned by the administrator, but they do
not have the same level of visibility and control. Again, these capabilities will suffice for some
customers, but not for others.

OTHER LIMITATIONS IN MICROSOFT’S ARCHIVING APPROACH
In Office 365, administrators can create transport rules to inspect messages for a variety of
email attributes, such as specific senders, recipients, distribution lists, keywords, and regular
expressions (for common patterns like those associated with credit card numbers or Social
Security numbers). Administrators can also include users’ Active Directory attributes (for
example, department, country, or manager) and distinguish by message types (such as
automatic replies, meeting requests, and voicemail messages).

Microsoft is phasing out its Exchange Hosted Archive offering in favor of the archiving
functionality offered in Office 365, as well as Microsoft’s Exchange Online Archiving. While



many Office 365 customers will be well served by these new solutions, there are some cases in
which archiving requirements are beyond their capabilities. For example:

• Financial services and other highly regulated firms
Financial services firms that are under the regulatory control of the Financial Industry
Regulatory Authority (FINRA) must retain all relevant email, instant messaging and social
media content. The archiving capability in Office 365 does not support archiving of instant
messaging conversations, social media content, Bloomberg, Reuters, etc. and so these firms
must employ another archiving solution or face the consequences of non-compliance.
Moreover, FINRA-regulated firms must perform granular content sampling on broker-
dealers’ communications to remain in compliance.

In terms of other regulatory requirements, Office 365 should not be used for managing data
governed by the Payment Card Industry Data Security Standard (PCI DSS) standard. While
Microsoft does provide email encryption for outbound email through its Exchange Hosted
Encryption service, internal communications are not encrypted, resulting in potential
violations of various data breach requirements, the Gramm-Leach-Bliley Act, the Sarbanes-
Oxley Act and other statutory requirements to encrypt all sensitive communications and
data. With regard to Microsoft’s own stance regarding its compliance capabilities, the
following are Microsoft’s statements about how well it complies with various requirements:

Under EU Data Protection law and our contractual agreement, Microsoft Online
Services acts as custodian of your data, essentially a subcontractor (the law
calls us the "data processor"). You, the customer, have the final ownership in
the data and the responsibility under the law for making sure that we are
following the rules and it is legal for you to be sending personal data to us (the
law calls you the "data controller"). You must determine for your business in
your particular situation if you may use our services to process and store your
personal data.vi

In some (emphasis added) countries, we also adhere to the security
requirements for storage of sensitive personal data, as defined by law.vii

Microsoft Online Services do not support the processing, transmitting, or
storing of PCI governed data, such as credit card numbers.viii

However, Microsoft is making a strong push into the HIPAA-regulated marketplace and will
be offering Business Associate Agreements (BAAs)ix, a new provision in HIPAA that is
required as part of Subtitle D of the Health Information Technology for Economic and
Clinical Health (HITECH) Act. Microsoft is among the first in the large-scale hosting industry
to offer BAAs as an operationalized part of its solution to address requirements associated
with hosting Protected Health Information.

• Jurisdictional and geographic requirements
Some organizations require strict compliance with various jurisdictional or geographic
requirements, such as a requirement that data not leave a particular geographic area or
that it not be transferred to a nation that does not offer adequate protection of sensitive
data. However, Microsoft admitted in June 2011 that content in its data centers can be



handed over to US or other authorities and that customers might not be notified of this
disclosurex.

With regard to understanding exactly where customer is stored, some third-party archiving
solutions offer greater transparency about where data resides, which will alleviate some
decision makers’ concerns.

• Strict client requirements
With Exchange Online Archiving, each mailbox is paired with a secondary mailbox in the
same database that serves as its archive. However, the archived content is visible only for
users that employ Outlook 2010, Outlook 2007 or Outlook Web Access. Users that have
older versions of Outlook can still use the archive, but cannot see the items in the archive.

• E-discovery requirements
While the Enterprise plans for Office 365 provide some basic e-discovery capabilities, some
organizations will require more sophisticated and more granular e-discovery functionality,
including highly configurable legal holds, the export of load files in EDRM XML format when
performing early case assessment, and sophisticated case management when performing
online reviews. Some organizations that have sophisticated e-discovery requirements will
find that although useful, Office 365’s built-in e-discovery capabilities will not meet their
needs.

Many third-party archiving solutions offer more granular capabilities than are available with
Microsoft’s archiving solutions, such as tamper-proof storage, highly granular legal holds
and access rights, the ability to perform very complex searches for e-discovery or regulatory
compliance purposes, output to a wide variety of file formats when exporting content to
third-party review tools, and better support for EDRM requirements. Other capabilities that
organizations might need and that are not supported by Microsoft’s archiving solutions
include built-in collaborative review of discovered content, and sophisticated culling
capabilities to reduce legal costs.

• Limitations on content sources that can be archived
Organizations that require archiving of content from SharePoint Online and Lync Online
cannot use Microsoft’s archiving capabilities because archiving of content from these
systems is not supported, nor is file archiving supported. SharePoint backup and restore
tools are available, but tend to be more manual and slow than many businesses will need.
Moreover, server-side archiving of Lync Online instant messages is not currently available.

• Limited platform support
Many organizations operate multiple on-premise and cloud-based platforms, and so will
need an archiving and compliance solution that can support all of these platforms –
capabilities that Microsoft’s archiving solutions do not currently support.

• Limitations on storage
Some organizations require storage of very large amounts of information as a result of
either long retention periods for email and other content, or preservation of data-intensive
files like engineering or architectural drawings. Consequently, for some customers the
limitations in Office 365’s archiving for the less expensive plans will not be acceptable.



The Need for Improved Security in Office 365
Microsoft provides a number of security features for Office 365, including built-in anti-virus and
anti-spam filtering through FOPE; physical security at its data centers, such as video
surveillance; logical security, such as data isolation, identity and access management, and
federated identity; various network security technologies and practices; and real-time health
monitoring of its infrastructurexi. However, there are a number of security issues that decision
makers should take into account as they consider a potential move to Office 365, including:

• Security configuration limitations
The Professional and Small Business Office 365 plans (the “P” plans) do not permit
Administration Center Access for configuring domains or changing IP addresses, nor can
FOPE Connectors be used to set up smart hosts, safe lists, shared address spaces or to
force TLS communications. The Enterprise plans do offer more of this functionality,
although configuring domains and changing IP address is available only with the standalone
version of FOPE.

• Office 365 uses a multi-tenant architecture
The Office 365 architecture is multi-tenant, meaning that multiple customers run off of the
same servers. While this can be a secure environment, many organizations – particularly
those in highly regulated industries or those with very sensitive information – may not be
comfortable in a multi-tenant environment. As the amount of information an organization
needs to store and manage grows, the appeal of, or requirement for, private cloud solutions
and customization tends to move customers away from multi-tenant solutions like Office
365. While Microsoft does offer dedicated services, they are reserved only for large
enterprise customers.

• Additional security layers may be needed
Microsoft FOPE uses multiple scanning engines from Kaspersky and Symantec, among
others, and FOPE’s SLA claims to detect 100% of all known viruses with updates every 15
minutes. That said, some customers may want to complement FOPE with an additional
layer of inbound protection/detection for increased robustness and phish detection
capability. For example, Proofpoint Protection can complement FOPE with a second layer of
inbound protection for increased spam capture and phish detection capability; AppRiver’s
SecureTide hosted spam and malware protection is currently used to filter email that is then
delivered to FOPE for secondary filtering before being delivered to the mailbox. There is no
support for blacklists in Office 365 P1.

Moreover, Lync Online does not scan files or other content for malware, nor does it archive
instant messaging conversations as noted above. Plus, it is important to identify phish from
spam, allowing for proper management of phish messages (e.g., not placing phish
messages in the same quarantine as spam in order to prevent end users from opening phish
messages and having their machine and network potentially compromised).

Mobile phone operating systems are currently not supported for reading Exchange Online
encrypted email messages, whereas some vendors support mobile decryption on multiple
smartphone platforms. Exchange Hosted Encryption (EHE) is Microsoft’s hosted encryption
service. While EHE is enabled using Forefront Online Protection for Exchange (FOPE), the



same hosted spam and malware protection included in Office 365 service plans, it is not
actually considered an Office 365 product.

• Limitations on traffic flow
There is a daily limit on the number of recipients that can receive email from Office 365
accounts: 500 emails per 24 hours for small business accounts and 1,500 for enterprise
accounts. Moreover, emails are sent at a maximum of 30 per hour. While the reasons for
imposing these limitations are sound and will likely not cause problems for some customers,
this can seriously limit the utility of Office 365 even for small customers that might process
large amounts of email.

• SharePoint Online sandbox model
SharePoint Online uses a sandbox model and so any custom code designed for SharePoint
must work within the limitations of that model. Consequently, the SharePoint Online API
requires custom code to work with the Microsoft sandbox model. However, Silverlight,
Visual Studio 2010 and SharePoint Designer 2010 all offer tools to help developers leverage
the Sandboxed Solution feature inherited by SharePoint Online from SharePoint 2010.

• Mobility limitations
Office 365 wipes only ActiveSync devices, which can be a serious limitation in the large
number of organizations that operate BlackBerry devices. In November 2011, RIM
introduced the public beta of BlackBerry Business Cloud Services (BBCS) for Microsoft Office
365, although BlackBerry-enabled organizations that do not want to deploy beta software
will continue to be limited to the much slower BlackBerry Internet Service until the former is
generally available. BBCS, which delivers a BES-like feature set at little or no cost, is
targeted for general availability in January 2012.

• Backup and recovery are managed by Microsoft
Microsoft manages backup and recovery of content for Office 365 customers unless
customers have implemented their own capabilities. While not an inherent weakness per
se, customers must rely on Microsoft to manage these aspects of the Office 365 experience.
Moreover, data replication does not occur in real time.

• Unified messaging
Office 365 can be used with the unified messaging functionality in Exchange 2007 and 2010,
but it requires the use of a Session Border Controller to integrate an existing telephony
system with Office 365.

• Single sign-on
Single sign-on capabilities are supported in Office 365, but only when Active Directory
Federation Services (ADFS) are employed in networks that are running Windows Server
2008 Active Directory on-premises. This means that in enterprise environments, a
significant level of on-premise infrastructure is required in order to effectively manage Office
365 access.



Key Questions to Ask
Decision makers have four basic questions to answer with regard to Office 365:

• Should we migrate our active mailboxes to Office 365?
• Should we port our existing email archive to Office 365?
• If yes to either, should we use Microsoft or a third-party to provide Office 365 services?
• Should we use one or more other third parties to provide additional capabilities?

Here are some of the more important questions that decision makers should consider as they
consider a potential migration to Office 365:

BUSINESS ISSUES
• Because migrating essential services like email and collaboration to the cloud carries with it
some level of risk, should we employ multiple providers in order to distribute the risk? For
example, if we are concerned about going “all-in” with a cloud strategy, will we be better off
using a third-party archiving solution that will maintain copies of data at the Office 365
provider’s and the archiving provider’s data centers?

• Should third-party cloud vendors be employed to enhance the security of Office 365,
including vendors of email encryption, business and compliance email archiving or Web
filtering?

• What are the options available for cloud service portability? In other words, how easy or
difficult will it be to migrate to Office 365, from Office 365 to another provider, or back to
an on-premise service model?

• What is the current level of internal IT support that we could devote to managing the
migration to and support for Office 365 and third-party offerings?

• What is the desired level of internal IT support for managing the migration to and support
for Office 365 and third-party offerings?

• Should we deploy Office 365 using only basic services with supplemental capabilities offered
by third parties, or should we opt for more sophisticated (and more expensive) services
initially, keeping in mind the limitations in migrating from less capable to more capable
plans?

• How will our organization respond and stay productive in the event of an Office 365 service
disruption or outage?

REGULATORY ISSUES
• To what extent do we or will we need to comply with SEC/FINRA, HIPAA, FERPA, SOX,
GLBA and other regulatory requirements?

• How well will native Office 365 capabilities comply with our requirements and what are the
holes we will need to fill with third party services?



SERVICE LEVELS AND SLAs
• How reliable is Office 365?

• How reliable are third-party solutions focused on archiving, security, compliance, encryption,
etc.?

• What compensation is offered by providers following outages?

• What should our backup strategy for Office 365 data be?

• What metrics do we need to establish with regard to Recovery Time Objectives (RTO) and
Recovery Point Objectives (RPO)?

CONTENT MANAGEMENT AND ARCHIVING
• Do we need redundant copies of our archived data in multiple locations?

• If yes, why? For data protection? Business continuity? Disaster recovery? What is the
relative importance of each?

• Do we need to specify in which country(ies) our content will be stored?

• What will be the impact of the US PATRIOT Act on our ability to protect information?

• Do we need to add our corporate domain(s) and set up journal rules to capture all
messages sent or received from Exchange Online directly within the administration console?

SUPPORT AND INTEGRATION
• What types of support services are available with the providers we are considering? Online
support only, telephone support, chat support, concierge onboarding, US-based support?

• How much support will be required initially and long term?

• How well can a third party vendor integrate with Office 365 from a user management and
Active Directory sync perspective?

FOCUS ON SMBs OR ENTERPRISES?
• Does the provider of Office 365 or other services like archiving or security focus on the SMB
market, on the enterprise market or both? In other words, what is the market focus of the
provider and how well will they meet our specific requirements?

MIGRATION SERVICES
• What services are offered for migrating existing, on-premise Exchange mailboxes to Office
365?

• What services are offered for migrating archived data from on-premise archiving solutions to
either Exchange Online Archiving or a third party, cloud-based archiving solution?



• Do these services include mail route control, split domains or blended solutions that can
streamline the migration process?

• To what extent are customization services required?

MOBILE USERS
• Which mobile platforms are used today and which ones will be used in the future?

• How well will our mobile users be supported in Office 365 and by third party providers?

PROFESSIONAL AND RELATED SERVICES
• To what extent will Microsoft-focused professional services be required to assist in the
migration and/or integration process?

• To what extent will deep product integration with Microsoft services and software be
required?

• How much will providers be required to know about Microsoft’s underlying technology,
including key Microsoft-focused competencies and certifications? How much do they know?

• How much experience should the provider have with multiple Microsoft platforms like Office
365, BPOS, on-premise Exchange, Exchange Online, SharePoint, Lync, etc.?

• Does the provider have direct access to internal Microsoft product team internal resources,
training materials and technical content?

USER MANAGEMENT
• How easy will user management be in Office 365 based on the number of users, the
amount of archived data, the geographical distribution of users/offices and other factors?

SINGLE SIGN-ON
• Is single sign-on required?

• If so, will the investment in on-premise Microsoft solutions be worth the expense, or will
another single sign-on offering be a better fit?

• If a third party is used, will that party leverage Microsoft’s ADFS for identity management
and single sign-on as opposed to other, non-Microsoft-sanctioned/approved methods?

TRIALS
• Are trials of Office 365 and/or various third-party capabilities offered that will enable us to
evaluate them in their own real world environment?



Summary
Office 365 is a robust and capable cloud-based offering that can satisfy the email, real-time
communications, document sharing, collaboration and document creation needs of small, mid-
sized and large organizations. However, despite the many features baked into Office 365, it will
not satisfy every requirement, particularly in the context of highly regulated organizations or
those with specialized security needs. Consequently, while Osterman Research recommends
that organizations consider Office 365 when they evaluate cloud-based solutions, we believe
that most mid-sized and large organizations will need to use third-party solutions to fully satisfy
their migration, compliance and security requirements.

Sponsors of This White Paper
AppRiver, a leading provider of email messaging and
Web security solutions, was among the first syndicated
partners to bring the new Microsoft Office 365 suite to
market. With more than 45,000 corporate customers
and 8 million mailboxes worldwide, AppRiver is one of
!
the largest hosted security service providers in the
world. It is that record of success, and the company’s AppRiver, LLC
over-the-top commitment to customer care that made 1101 Gulf Breeze Parkway
AppRiver a natural partner during the launch of Office Suite 200
365. Gulf Breeze, FL 32561
USA
With Office 365 from AppRiver, there's no upfront
investment in software, updates are automatic and +1 866 223 4645
included, and service plans may be tried out for free for www.appriver.com
30 days. There are no cancellation penalties and clients
are free to leave at any time. That said, the company maintains an impressive 93% customer
retention rate since inception and backs its services with award-winning Phenomenal Care™.
Every AppRiver customer has VIP access to US-based technicians 24 hours a day, every day.
What’s more, a team of trained sales engineers is available to assist customers with
complimentary migration to the cloud.

AppRiver offers a growing suite of cloud-based security solutions that may be managed within a
single, easy-to-use customer portal. Services include spam and virus protection, secure
Exchange hosting, email encryption, email continuity, archiving and Web protection. The
company is led by an Ernst & Young Florida Entrepreneur of the Year award winner, and has
been identified as a Top 20 Cloud Security Vendor in 2011 by Everything Channel’s CRN
magazine. For more information, please visit www.appriver.com.



LiveOffice is the number-one global provider of cloud-
based email archiving, email compliance, email
discovery and email continuity solutions, with more !
than 20,000 clients and a 97-percent client retention
rate. LiveOffice LLC
2780 Skypark Drive
UNIQUE PARTNERSHIP WITH MICROSOFT Suite 300
USA
OFFICE 365
LiveOffice offers advanced compliance and e-discovery +1 800 374 2032
capabilities for Microsoft Office 365. It is the only www.liveoffice.com
archiving provider that securely captures, retains and !
synchronizes users in one integrated system and provides the only archiving solution that:

• Archives Exchange Online (including Personal Archive), SharePoint Online and Lync Online
content

• Automatically synchronizes users, email addresses and distribution lists

• Provides native archive access from Windows Phone 7, along with other mobile devices and
tablets

THE ONLY THIRD-PARTY ARCHIVE WITH AUTOMATED DIRECTORY SYNC TO
OFFICE 365
With automated directory sync, Exchange administrators only need to manage and provision
users and mailboxes in one place. Unlike most archiving solutions that may leverage other
single sign-on (non-Microsoft) methodologies, LiveOffice enables single sign-on through the
same ADFS mechanism that enables users to sign in to Office 365. This simplifies the archive
deployment for Exchange administrators and minimizes the user impact and learning curve.



• Other benefits include:

o Significant cost savings for organizations looking for advanced compliance and e-
discovery (when bundled with E1 or E2 plans)

o Seamless migration of existing data (e.g., tape backups, PSTs/NSFs or on-premise
archives)

For more information, call 800.374.2032 or visit www.liveoffice.com. Visit the LiveOffice Blog at
http://blog.liveoffice.com or follow us on twitter at www.twitter.com/liveoffice.

Proofpoint, Inc. helps the largest and most successful
companies in the world protect and govern their most !
sensitive data. Proofpoint delivers an integrated suite of
on-demand data protection solutions spanning threat Proofpoint, Inc.
management, regulatory compliance, data governance 892 Ross Drive
and secure communications—all of which are based on Sunnyvale, CA 94089
a common security-as-a-service platform. USA

+1 408 517 4710
Proofpoint Enterprise Archive is an on-demand email
www.proofpoint.com!
archiving Software-as-a-Service (SaaS) solution that
can supports Microsoft Office 365 and both hosted and
on-premises versions of Microsoft Exchange Server. Proofpoint Enterprise Archive’s policy
engine allows an organization to create, maintain and consistently enforce a clear corporate
email retention policy.

Proofpoint Enterprise Archive offers users the following advantages:

• Mitigates discovery risk by preserving a copy of every message and improves efficiency in
managing the discovery hold process.

• Permits users to systematically review selected email, to help simplify the compliance
audit process, and foster compliance with SEC and FINRA regulations for email.

• Securely archives a copy of every internal and external email in Proofpoint’s state-of-
the-art data centers and provides customers with easy access to their messages at
all times.

Learn more about Proofpoint Enterprise Archive for Office 365 at
http://www.proofpoint.com/office-365.

Because every enterprise is unique, flexibility defines Proofpoint solutions, deployments and
support. We lead the way with cloud-based email solutions, but also specialize in appliance,
virtual appliance and unique hybrid deployments. And we back it all up with a commitment to
customer service where exceptional is the rule.



Headquartered in Sunnyvale, California, Proofpoint has offices around the globe including
Canada, Japan, the United Kingdom, Asia Pacific, Europe and Mexico.

Smarsh® provides hosted solutions for archiving
electronic communications, including email, instant
messaging and social media platforms such as
!
Facebook, LinkedIn and Twitter. Founded in 2001, the Smarsh
company helps organizations manage and enforce 921 SW Washington Street
flexible, secure and cost-effective compliance and Suite 540
records retention strategies. Portland, OR 97205
USA
With robust supervision, compliance and e-discovery
functionality designed to meet the sophisticated needs +1 866 762 7741
www.smarsh.com!
of highly-regulated industries, the Smarsh email and
electronic message archiving platform enables clients to
powerfully augment the capabilities of a Microsoft Office 365 deployment. Clients search, review
and produce email on-demand alongside an expanding number of electronic messaging forms,
including enterprise (ex. Lync Online), public and third-party (Reuters, Bloomberg)
communications platforms, SMS/text messages, social media content and websites.

Customizable solutions fit the needs, budgets and technological infrastructure of any business
and are matched with unrivaled customer support and service. For more information, visit
www.smarsh.com and follow Smarsh at www.twitter.com/SmarshInc.



© 2011 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of
Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior
written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document
or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws
(including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws
referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the
information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS,
CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

i
http://www.microsoft.com/en-us/office365/enterprise-solutions/enterprise-plans.aspx#fbid=Wmp7vsIGoJd
ii
http://www.microsoft.com/en-us/office365/buy-small-business.aspx?WT.z_O365_ca=Buy_how-to-get_en-us#fbid=Wmp7vsIGoJd
iii
http://www.microsoft.com/en-us/office365/enterprise-solutions/enterprise-plans.aspx#fbid=Wmp7vsIGoJd
iv
http://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Security_Audit.htm
v
http://www.zdnet.com/blog/howlett/microsoft-office-365-is-dead-to-me/3241
vi
http://www.microsoft.com/online//legal/v2/?docid=31
vii
viii
ix
http://www.hipaasecurenow.com/index.php/microsoft-office-365-cloud-service-to-offer-business-associate-agreements
x
http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225
xi
Addressing Cloud Computing Security Considerations with Microsoft Office 365, Microsoft Corporation


Making Office 365 More Secure and Compliant

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Making Office 365 More Secure and Compliant

Similaire à Making Office 365 More Secure and Compliant (20)

Plus de Osterman Research, Inc.

Plus de Osterman Research, Inc. (20)

Dernier

Dernier (20)

Making Office 365 More Secure and Compliant