WHITE PAPER SPON. Microsoft Office 365 for the Enterprise: How to Strengthen Security, Compliance and Control. Published February 2015

Transcription

1 WHITE PAPER N An Osterman Research White Paper Published February 2015 spnsred by SPON spnsred by Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn USA Tel: Fax: inf@stermanresearch.cm twitter.cm/msterman

2 EXECUTIVE SUMMARY Micrsft Office 365 is a rbust set f and cllabratin tls that is ffered in a number f cnfiguratins with varying levels f features and functins. Office 365 represents Micrsft s latest and arguably, mst successful venture int the clud services space in the 13+ years that the cmpany has ffered hsted services. KEY TAKEAWAY Despite the range f functinality ffered in Office 365, like any clud-based ffering it cannt be all things t all custmers. There are sme missing features in Office 365 that will prmpt sme custmers t cnsider the use f third-party, clud-based r n-premises tls t enhance Office 365 s native capabilities. Specifically, we believe that these third party enhancements will be fcused primarily n the security, archiving and encryptin capabilities available with Office 365. That is nt t say that Micrsft has nt addressed these capabilities, but many third parties prvide mre granular r mre capable services than Micrsft has ffered in Office 365. Osterman Research believes that the third-party market fr clud-based and n-premises capabilities designed t supplement r replace specific Office 365 features and functins will grw at a healthy pace alng with the market fr Office 365. AN IMPORTANT NOTE The purpse f this white paper is nt t dismiss Office 365, its features and functins, r Micrsft itself. On the cntrary, we believe that Office 365 prvides a useful set f features and functins that will be well received by many rganizatins. Hwever, ur gal is t be as fair and balanced as pssible in discussing bth the advantages and disadvantages f Office 365. As with any clud-based service, there are limitatins in Office 365 that can be managed mre apprpriately thrugh the use f third party services. Any limitatins discussed here are nt limited t Office 365, but can be said fr any clud-based slutin. ABOUT THIS WHITE PAPER This white paper discusses the Office 365 envirnment, its applicability fr rganizatins f all sizes, and the third party capabilities that Office 365 custmers shuld cnsider t supplement the platfrm. This dcument als prvides a brief verview f its spnsr McAfee and the cmpany s relevant fferings. KEY FEATURES AND FUNCTIONS OF OFFICE 365 Office 365 represents Micrsft s newest fray (in quite a lng line f them) int the clud-based and cllabratin space. The platfrm is a grup f clud-based fferings that includes Exchange Online (mst accunts ffer 50-gigabyte mailbxes), SharePint Online, Lync Online, and desktp and Web-based versins f Micrsft s prductivity applicatins. The varius cmpnents and fferings in Office 365 are shwn in Figure 1. Office 365 represents Micrsft s newest fray (in quite a lng line f them) int the clud-based and cllabratin space. Figure 1 Versins and Csts fr Office 365 (US pricing) Versin Includes $/User/ Mnth Office 365 Small , nline cnferencing, public Web Business site, file share, Office Web apps $5.00 Office 365 Small Same as abve plus desktp versins f Business Premium all Office applicatins $12.50 Office 365 Midsize Same as abve plus Active Directry Business integratin $15.00 Exchange Online Plan 1 , Active Directry integratin $ Osterman Research, Inc. 1

3 Figure 1 (cncluded) Versins and Csts fr Office 365 (US pricing) Versin Office 365 Enterprise E1 Office 365 Enterprise E3 Office 365 Enterprise E4 Surce: Micrsft Includes Same as abve plus file sharing, nline cnferencing, enterprise scial, Office Web apps Same as abve plus desktp versins f all Office applicatins, ediscvery Center Same as abve plus Yammer Enterprise, ther features $/User/ Mnth $8.00 $20.00 $22.00 Organizatins are migrating t Office 365 because f its advantages, which generally apply t clud-based and cllabratin systems: Lwer and mre predictable csts f wnership Faster deplyment f new services The ability t upgrade r dwngrade capabilities quickly and easily The ability t free IT staff fr ther tasks The ability t add new capabilities that wuld require either the additin f new staff members r access t expertise that is nt readily available internally GROWING USE OF OFFICE 365 Office 365 grwth has been quite rbust: Micrsft reached ne millin Office 365 Hme Premium subscribers in May 2013 i, tw millin by Octber 2013 ii and 3.5 millin by early 2014 iii. Micrsft claims that mre than ne millin US gvernment emplyees use Office 365 iv. Micrsft estimates that mre than 15% f its Exchange installed base is nw using Office 365 v. Mst rganizatins plan t migrate sme r all f their users t Office 365 in the near- t midterm. In 2014/Q2, Micrsft reprted that it mre than dubled its cmmercial clud services revenue vi. As shwn in Figure 2, the Osterman Research survey cnducted fr this white paper fund that mst rganizatins plan t migrate sme r all f their users t Office 365 in the near- t mid-term Osterman Research, Inc. 2

4 Figure 2 Organizatin s Plans fr Migrating t Office 365 Amng rganizatins that are cnsidering a migratin t Office 365 Surce: Osterman Research, Inc. OFFICE 365 CAN BE USED IN REGULATED ENVIRONMENTS Althugh Micrsft has been prviding clud-based fr a number f years, the current versins f their clud fferings are quite rbust and ffer a number f enterprise-grade features and functins. In additin, Micrsft has made Office 365 cmpliant with a number f imprtant standards and ther requirements as verified by varius third parties vii, further enhancing its ptential fr use by enterprise custmers: The Federal Infrmatin Security Management Act (FISMA) Business Assciate Agreements under the Health Insurance Prtability and Accuntability Act (HIPAA) The Gramm-Leach-Bliley Act (GLBA) The Family Educatinal Rights and Privacy Act (FERPA) Micrsft has made Office 365 cmpliant with a number f imprtant standards and ther requirements as verified by varius third parties. Title 21 CFR Part 11 f the Cde f Federal Regulatins The Federal Infrmatin Prcessing Standard (FIPS) Trusted Internet Cnnectins (TIC) Internatinal Organizatin fr Standardizatin (ISO) Eurpean Unin (EU) Safe Harbr and Data Prtectin Directive Mdel Clauses The result is that Office 365 may be used in regulated envirnments, such as healthcare, gvernment and als in the Eurpean Unin. Micrsft als benefits frm supprt fr a hybrid mdel given that it has a cmmanding market share fr desktp prductivity applicatins and its dminance in the business market thrugh Exchange. This gives Micrsft an advantage that many cmpetitrs cannt enjy Osterman Research, Inc. 3

5 WHAT ARE THE DRAWBACKS OF OFFICE 365? Althugh there are a number f advantages assciated with using Office 365, there are sme limitatins abut which decisin makers shuld be aware: ARCHIVING LIMITATIONS Migratin t Office 365 has been prblematic fr sme rganizatins, particularly thse that want t maintain a hybrid deplyment f n-premises and cludbased users. Micrsft s In-Place Archive (frmerly knwn as the Persnal Archive) is a secndary mailbx that can be deplyed n the same r a different server frm a user s primary mailbx. The In-Place Archive r retentin plicies require either an Exchange Server accunt r an Exchange Online accunt tgether with an Exchange Server Enterprise Client Access License and nly certain Outlk licenses. In additin, sme Outlk versins are nt supprted viii. The archiving functinality in Office 365 has sme additinal limitatins, including lack f supprt fr Exchange Online archiving with Outlk 2011 under Mac OS X ix, as well as lack f supprt fr accessing archived s via Andrid and iphne devices. Accrding t Micrsft, Yu can't designate an Office 365 mailbx as a jurnaling mailbx fr n-premises mailbxes. If yu re running a hybrid deplyment with yur mailbxes split between n-premises servers and Office 365, yu can designate an n-premises mailbx as the jurnaling mailbx fr yur Office 365 and n-premises mailbxes. x Sme versins f Office 365 d nt archive instant messaging cntent, cnference cntent, r cntent frm applicatin-sharing r desktp-sharing sessins xi. Sme versins f standalne Lync Online plans d nt prvide instant message and file filtering, instant message cntent archiving, r cnference cntent archiving xii. SharePint Online ffers ediscvery, cmpliance with varius regulatry bligatins and ther capabilities, but it des nt archive cntent. Because f the grwing prprtin f cntent that is stred in SharePint within the rganizatins that have deplyed it, the ability t archive SharePint cntent is essential. End user search capabilities in sme versins f Office 365 are smewhat mre limited than they are with many cmpeting clud-based and n-premises archiving slutins. Migratin t Office 365 has been prblematic fr sme rganizatins, particularly thse that want t maintain a hybrid deplyment. Office 365 includes n native surveillance features that allw mnitring r sampling f cmmunicatins. This is an imprtant capability fr highly regulated firms, such as brker-dealers that must sample cmmunicatins per FINRA Regulatry Ntice xiii. Fr rganizatins that need t jurnal cntent int Office 365 such as Salesfrce Chatter cntent, instant media, scial psts, etc. a third party archiving slutin will be required, since jurnaling within Office 365 des nt supprt imprt f external, nn-lync cntent. RETENTION LIMITATIONS Only Office 365 Plans E3 and E4 include the ability t search acrss Exchange mailbxes and SharePint sites, Infrmatin Rights Management, archiving, litigatin hld capabilities and unlimited strage xiv. The maximum size f the arbitratin mailbx is ten gigabytes xv Osterman Research, Inc. 4

6 Items in the Office 365 Deleted Items and Junk flders can be retained fr a maximum f 30 days xvi. DATA LOCATION LIMITATIONS Micrsft stres Office 365 custmer data in a number f different cuntries based n the lcatin f the custmer xvii. Mrever, Micrsft can mve custmer data withut ntice and will nt guarantee exactly where a custmer s data will be stred. Fr example: Gvernment custmers in the United States: primary data and backup centers are lcated in the United States. Nrth American custmers: primary data centers are lcated in the United States. Mst EMEA custmers: primary data centers fr Office 365 are in Ireland and the Netherlands; Lync Online custmers prvisined befre Octber 2011 may be hsted frm a US data center. Asia Pacific custmers: the primary data centers fr Office 365 data are in Singapre and Hng Kng, but a data center in Ireland is used fr Active Directry and Glbal Address Bk data. Lync Online and Online Prtal data are served frm a US data center. Suth American custmers (except Brazil): primary data centers are lcated in the United States. Brazilian custmers: the primary data center fr SharePint Online is in Brazil; fr Exchange Online custmers after Octber 30, 2011, a Brazilian and US data are used interchangeably as the primary data centers; fr Exchange Online custmer prvisined befre Octber 30, 2011, the primary data center is in the United States. Micrsft ntes that it will nt prvide ntice when custmer data is transferred t a new cuntry and that the requirements f prviding the services may mean that sme data is mved t r accessed by Micrsft persnnel r subcntractrs utside the primary strage regin. Office 365 and Micrsft Dynamics CRM Online data centers are lcated wrldwide and stre data based n the lcatin f its custmers: Office 365 des nt directly supprt the deplyment f redundant spam filters in parallel with Office 365 s built-in spam prtectin. Nrth American and Suth American custmers: US data centers Brazilian custmers: US and Brazilian data centers Eurpean Unin custmers: US, Irish and Dutch data centers Asia-Pacific custmers: US, Singapre and Hng Kng data centers SECURITY LIMITATIONS All Office 365 plans ffer administratr management f the spam quarantine, but sme plans allw this nly via direct access t the Exchange Admin Center management interface xviii. Office 365 des nt directly supprt the deplyment f redundant spam filters in parallel with Office 365 s built-in spam prtectin. Instant messaging and file filtering are nt available with any Office 365 plans xix. Office 365 des nt ffer mre advanced and targeted threat prtectin techniques, such as real-time link fllwing that emulates the cntents fr malware, in additin t reputatin checks. Office 365 des nt supprt taking an actin n an cntaining a link strictly based ff the URL reputatin alne Osterman Research, Inc. 5

7 Office 365 des nt help users n mbile devices determine whether a link in an is safe t click n. MOBILITY LIMITATIONS BlackBerry Enterprise Server (BES) is nt supprted by Micrsft in Office 365, althugh BlackBerry Business Clud Services supprts Office 365 xx. Despite declining supprt fr BES in sme rganizatins, this is a serius prblem fr rganizatins that still have many BlackBerry users (and there are still many f them ut there). Office 365 will wipe nly thse mbile devices that are managed using ActiveSync. Office n Demand, a key feature f Office 365 that permits temprary Office client t be installed n any Windws 7/8 PC, is nt supprted n the ipad, the mst cmmnly deplyed tablet cmputer in the wrkplace. MAILBOX LIMITATIONS Inactive mailbxes (i.e., deleted mailbxes) can have their cntents held indefinitely if an In-Place Hld is exercised befre the mailbx is autmatically deleted. The cntents f a deleted mailbx can be recvered fr 30 days after deletin, but bth the mailbx and its cntents will nt be recverable after 30 days if the hld is nt activated xxi. Micrsft prvides shared mailbxes in Office 365 at n charge, but they cannt be larger than 10 gigabytes and can be created nly with Remte PwerShell. Add t this the fact that a shared mailbx cannt be accessed by users f an Exchange Online Kisk license and cannt archive s frm individual users xxii. OS AND APPPLICATION VERSION LIMITATIONS The minimum supprted versins f Outlk clients that can be used are Outlk 2013, 2010 and 2007 (with sme limitatins in functinality) fr Windws; and Outlk 2011 fr Mac xxiii. Interestingly, Micrsft indicates that Office 365 als supprts Outlk 2008 fr Mac, althugh Office 2008 fr Mac included nly Enturage. Office 365 des nt prvide specific cntrl ver when users will be upgraded nly Micrsft determines when upgrades ccur. Office 365 supprt fr Windws XP/SP3 and Vista SP2 ended n December 31, 2013 xxiv. OTHER LIMITATIONS Office 365 des nt prvide specific cntrl ver when users will be upgraded nly Micrsft determines when upgrades ccur xxv. While single sign-n is supprted in Office 365, it is supprted nly with Active Directry Federatin Services 2.0 xxvi. Backup and recvery f custmer data are cntrlled slely by Micrsft. With an Exchange Server n-premises, admins can access lg files using simple scripting, a feature nt pssible in Office 365. Althugh Office 365 prpses a utility-based mdel fr licensing, autmatic plan assignment r re-assignment as a user changes rles is nt available thrugh DirSync/ADFS, as is als the case fr true single sign-n capability. Clud-based, third party slutins can help t fill this gap Osterman Research, Inc. 6

8 IMPROVING SECURITY IN OFFICE 365 Micrsft prvides a number f security capabilities in Office 365: anti-virus and antispam filtering; physical access cntrls that using multiple authenticatin schemes at its data centers that are managed by Micrsft Glbal Fundatin Services; and emplyee access that is restricted by jb functin; amng ther capabilities. Hwever, there are sme security limitatins that decisin makers shuld take int accunt as they cnsider a migratin t Office 365. These include: The use f a multi-tenant architecture Office 365 emplys a multi-tenant architecture, dictating that multiple custmers envirnments run n the same servers. While this can prvide a secure management envirnment, there are rganizatins particularly thse in heavily regulated industries r thse that manage cnfidential r sensitive infrmatin that may nt find the use f such a shared data envirnment feasible. Althugh Micrsft islates custmer data int sils, the cmpany ffers the ability t stre Office 365 data n dedicated hardware fr an additinal cst xxvii. Additinal security layers may be needed Micrsft Exchange Online Prtectin (EOP) xxviii uses several scanning engines frm leading security vendrs. EOP s Service Level Agreement (SLA) claims t detect 100% f all knwn viruses with updates every 15 minutes. Hwever, sme custmers may want t add an additinal layer f inbund prtectin in rder t imprve abilities fr phishing r spearphishing detectin capability, as just ne example. Alternatively, they may simply want t add anther layer f malware r spam filtering fr additinal prtectin beynd what Micrsft prvides. Graymail capabilities have been added t EOP, but it classifies graymail as spam, leaving it undifferentiated frm actual spam. DLP cmpliance template capabilities have als been added t EOP, but they will nt satisfy all custmers needs. In additin, Lync Online des nt scan files r ther cntent fr malware. Mrever, it is essential t segment phishing cntent frm spam, allwing fr prper management f phishing messages (e.g., nt placing phishing messages in the same quarantine as spam s that end users cannt pen phishing messages and have their PC and the crprate netwrk ptentially cmprmised). Advanced threat prtectin Office 365 may nt prvide the cmplete level f prtectin frm advanced threats that many rganizatins will need. Fr example, if an attacker creates a new URL specifically targeted against a cmpany and links it t malware, EOP may nt scan thse new links and the cntent behind thse links at the time f click in rder t blck thse that are malicius, r blck thse whse intent has been changed t malicius frm the time the message was sent. Because many larger rganizatins will need t wrap advanced security capabilities like these arund Office 365, the basic security capabilities in Office 365 will need t be evaluated in light f decisin makers attitudes tward risk. Micrsft manages all f the backup and recvery f cntent fr Office 365 custmers unless they have implemented their wn capabilities at an additinal cst. Mbility limitatins Office 365 will wipe nly ActiveSync devices. This can be a serius limitatin fr the large number f rganizatins that still supprt BlackBerry devices and d nt want t d s via ActiveSync. Plus, while all versins f Office 365 supprt the BlackBerry Internet Service, nt all versins supprt BlackBerry Business Clud Services. Althugh BlackBerry supprts ActiveSync, there have been sme reprted prblems. An alternative fr many rganizatins will be t deply BlackBerry Enterprise Services, which will ffer supprt fr nt nly BlackBerry devices, but als ios and Andrid devices, but this will add t the cst f Office Osterman Research, Inc. 7

9 Micrsft is respnsible fr Office 365 backup and recvery Micrsft manages all f the backup and recvery f cntent fr Office 365 custmers unless they have implemented their wn capabilities at an additinal cst. Mrever, there are n native selective restre capabilities. While Micrsft s management f backup and recvery is nt necessarily an inherent weakness, custmers must rely n Micrsft t manage this part f the Office 365 experience and t d s in a timely manner. In summary, Office 365 s included security is quite reasnable, but it des nt ffer all f the advanced prtectin features f a dedicated security prvider. Cnsequently, security in Office 365 may nt be the mst suitable security slutin fr every rganizatin. THE OFFICE 365 SLA MAY NOT BE ADEQUATE FOR EVERYONE Micrsft ffers a reasnable SLA fr Office 365 xxix. Hwever, it is imprtant fr decisin makers t evaluate whether r nt this SLA will meet their requirements. Fr example, key prvisins f the Office 365 SLA include: Service Credits are yur sle and exclusive remedy fr any perfrmance r availability issues fr any Service under the Agreement and this SLA. The service credits equal 25% f the service fee nly if mnthly uptime drps belw 99.9% (43 minutes per mnth), 50% if mnthly uptime drps belw 99% (seven hurs 12 minutes per mnth), and 100% if mnthly uptime drps belw 95% (36 hurs per mnth). The SLA des nt apply t factrs utside [Micrsft s] cntrl, that result frm yur r third party services, hardware, r sftware, r during pre-release, beta and trial Services (as determined by us). Micrsft determines mnthly uptime in a way that fairly high levels f dwntime culd be experienced by sme Office 365 users, but nt trigger the payment f Service Credits. Fr example, cnsider a 1,000-user rganizatin with 800 users in Nrth America and 200 users in Eurpe. If the Eurpean custmers dealt with three hurs f unplanned dwntime in ne mnth and 30 minutes f dwntime as a result f scheduled maintenance, but the Nrth American users experienced n dwntime during that mnth, Micrsft wuld calculate ttal uptime fr that mnth acrss the entire rganizatin at 99.92%. The result is that althugh the Eurpean users experienced uptime f nly 99.51% during the mnth, n Service Credits wuld be paid. Many decisin makers d nt cnsider all f their lng-term archiving and cmpliance requirements befre migrating t a clud-based messaging platfrm. IMPROVING COMPLIANCE CAPABILITIES IN OFFICE 365 Many decisin makers d nt cnsider all f their lng-term archiving and cmpliance requirements befre migrating t a clud-based messaging platfrm. Fr example, an rganizatin may nt plan fr the archival f scial media, text messaging r ther cntent types that they d nt archive tday, but might need t in the future as a result f regulatrs r curts decisins. Hwever, when migrating and cllabratin t the clud, a new set f cmpliance cnsideratins becmes imprtant t understand befre any decisins are made. A FOCUS ON KEY ARCHIVING CAPABILITIES Heavily regulated rganizatins have an bligatin t retain varius types f cntent and ensure its authenticity and integrity fr many years, in sme cases indefinitely. The In-Place Archives in Office 365 may nt address specific requirements as well as sme third party archiving slutins, since users can delete cntent frm the frmer Osterman Research, Inc. 8

10 Fr example, nly Office 365 Plans Enterprise E3 and E4 ffer unlimited archive strage qutas and litigatin hld capabilities, which means that users nt prvisined with these mre expensive Office 365 plans may require supplemental archiving capabilities t ensure adequate retentin f their data. Further, the ther plans share strage between the primary mailbx and the archive, whereas the E3 and E4 plans d nt. If supplemental archiving capabilities are required, this will negate sme f the cst advantage f migrating t Office 365. While placing a mailbx n litigatin hld in Office 365 r jurnaling prevents users frm deleting messages, the Messaging Recrds Management (MRM) capability in Office 365 r Exchange Online des nt. Micrsft states that: MRM desn t guarantee retentin f every message. Fr example, a user can delete r remve a message frm their mailbx befre the message reaches its retentin age; MRM isn't designed t prevent users frm deleting their wn messages. xxx The result is that sme rganizatins with strict requirements fr retaining all relevant messages, such as brker-dealers, may need t seek alternative archiving slutins that will ensure retentin f all relevant messaging cntent. GEOGRAPHIC AND JURISDICTIONAL REQUIREMENTS Many rganizatins must satisfy a variety f bligatins t cmply with different jurisdictinal requirements, such as a requirement that data nt leave a particular gegraphic area r that it is nt mved t a natin that des nt ffer adequate prtectin f sensitive data. Micrsft stated in July 2013 that it prvides custmer data [t law enfrcement] nly in respnse t legal prcesses xxxi, althugh the cmpany is certainly alne in ding s. Als, since custmer data can be mved t a variety f lcatins fr day-t-day management r backup purpses, this can create jurisdictinal prblems fr cmpanies that have strict rules abut data lcatin. Sme third-party archiving slutins ffer mre cntrl and transparency abut where custmer data resides, which may alleviate decisin makers cncerns. This is particularly true fr nn-us custmers that may nt want their data accessed especially accessed withut their knwledge under the PATRIOT Act, by the IRS xxxii r by ther US gvernment agencies. One limitatin f Office 365 is that during dwntime perids, the archived cntent is unavailable. Anther imprtant cnsideratin that applies t all clud prviders is the issue f blind subpenas subpenas issued by a gvernment authrity withut the knwledge f the custmer. Because a prvider can be cmpelled t give the gvernment access t custmer recrds withut infrming their custmer f the activity, sme rganizatins may decide that n-premises archiving f clud-based cntent is preferable. Clud prviders that can guarantee strage f custmer data in a nn-us lcatin may be cnsidered preferable fr that small segment f the market that wants this capability. THE ADVANTAGE OF A SEPARATE ARCHIVING PROVIDER One limitatin f Office 365 is that during dwntime perids, the archived cntent is unavailable. The use f a third party archiving slutin independent frm Micrsft s will eliminate this prblem by string data in a separate infrastructure, allwing users t access their archived cntent even while their primary functinality is dwn. This is a key cmpnent f a business cntinuity slutin, allwing users t send and receive s while Office 365 is unavailable. This is nt a trivial cnsideratin, since there have been sme serius utages in the Office 365 infrastructure. Fr example, during ne mnth in 2013, there were fur majr utages that affected Micrsft s nline services. DATA LOSS PREVENTION Micrsft has implemented data lss preventin (DLP) in Office 365, Exchange Online and Exchange 2013 based n Exchange Transprt Rules xxxiii. By using Plicy Tip 2015 Osterman Research, Inc. 9

11 ntificatin messages, Outlk users can be alerted t pssible vilatins f crprate plicies when sending that culd cntain sensitive r cnfidential infrmatin xxxiv. Micrsft has prvided a number f definitins xxxv that can be used in its standard ffering, but allws administratrs t develp and publish custm definitins, as well. As f tday, DLP Plicy Tips used with Exchange Online can be used with Outlk 2013, OWA r OWA fr Devices xxxvi. These DLP plicies wrk fr s sent frm ther clients, but the Plicy Tips feature wrks nly with these platfrms. Advanced capabilities like file fingerprinting are nt available. ediscovery AND LITIGATION HOLD CAPABILITIES The Enterprise E3 and E4 plans prvide built-in ediscvery capabilities thrugh the ediscvery Center, but sme rganizatins will need mre sphisticated and granular functinality. These might include highly cnfigurable legal hlds and rbust case management when perfrming nline reviews, fr example. Sme rganizatins that have sphisticated requirements will find that althugh useful, Office 365 s built-in ediscvery capabilities might nt meet their needs. There are sme ediscvery limitatins in Office 365, such as: Reviewing data that results frm a search can be mre difficult in Office 365 than with sme third party tls. Because search results are cpied t a discvery mailbx and subsequently accessed via Outlk r OWA, this can make the review f a large number f search results r sharing the respnsibility f reviewing cntent acrss grups mre time cnsuming. Insufficiently sphisticated review tls is an imprtant issue fr rganizatins that need t perfrm early case assessments r ther types f peratins acrss the entire rganizatin xxxvii. The In-Place ediscvery and Hld interface in Exchange Online can be used t implement an In-Place Hld fr a maximum f nly 50 mailbxes in a single search. If cntent must be captured fr mre than this number f mailbxes, the prcess must be repeated and cntent stred in batches f 50 mailbxes. An alternative is fr IT t use the Exchange Management Shell cmmand-line interface t manage discvery xxxviii. When the ediscvery Center in SharePint Online is used, a search query acrss a maximum f 1,500 Exchange surces and 100 SharePint is pssible. If mre mailbxes must be searched, then multiple search queries must be run r the Exchange Management Shell cmmand-line interface must be used xxxix. Sme third-party archiving slutins ffer mre granular capabilities than are available with Micrsft s slutins. The In-Place Hld feature will nt capture distributin list membership r BCCs, and s will nt ffer a cmplete recrd f every message sender and recipient. If an emplyee leaves a cmpany, his r her mailbx will be permanently deleted if nt placed n hld within 30 days f its deactivatin. Sme third-party archiving slutins ffer mre granular capabilities than are available with Micrsft s slutins, such as: Tamper-prf strage acrss all Office 365 plans. The ability t perfrm very cmplex searches fr ediscvery r regulatry cmpliance purpses. Output t varius file frmats when exprting cntent t third-party review tls. Better supprt fr EDRM requirements Osterman Research, Inc. 10

12 SOME PLATFORMS AND CONTENT SOURCES ARE NOT SUPPORTED Sme rganizatins maintain several n-premises and clud-based messaging, cllabratin r strage platfrms, and s will require an archiving and cmpliance slutin that will supprt all f them. Micrsft s archiving slutins d nt currently supprt all f the platfrms that an rganizatin might have in place, such as GrupWise, Ntes/Dmin, Ggle Apps, Bx r Drpbx, amng many thers. Fr example, while Micrsft ffers nline archiving fr Exchange, it des nt d s fr SharePint, requiring the use f a third party slutin fr rganizatins that need t archive their SharePint cntent. Fr many rganizatins, this will be an imprtant cnsideratin. Because an ediscvery effrt, fr example, can be made mre cmplicated and mre expensive if an rganizatin must extract cntent frm multiple archiving systems such as ne fr Office 365, ne fr SharePint cntent r ne fr files stred in the clud having ne, crprate-wide archiving slutin fr all cntent will speed ediscvery, litigatin hlds and ther activities, as well as drive dwn their cst. LIMITATIONS IMPACTING STORAGE Many rganizatins stre large amunts f infrmatin as a result f either lng retentin perids fr and ther cntent, r because they preserve dataintensive files like engineering, graphic r architectural drawings. As a result, fr sme custmers, the limitatins in Office 365 s archiving fr the less expensive plans will nt be acceptable. ADDITIONAL ISSUES TO CONSIDER Decisin makers will als need t answer fur basic questins when deciding n whether r nt t migrate sme r all f their users t Office 365 (r any clud-based messaging and applicatin platfrm): 1. Shuld we migrate ur existing archive t Office 365? 2. Shuld we migrate ur active mailbxes t Office 365? 3. If yes t either, shuld we use Micrsft r a third-party t prvide Office 365 services? Fr sme custmers, the limitatins in Office 365 s archiving fr the less expensive plans will nt be acceptable. 4. Shuld we use ne r mre ther third parties t strengthen r prvide ther capabilities? Here are sme f the mre imprtant questins that decisin makers shuld ask internally, f cnsultants and f vendrs as they cnsider a pssible migratin t Office 365: ARCHIVING AND CONTENT MANAGEMENT CONSIDERATIONS D we need redundant cpies f ur archived data in multiple, gegraphically separate lcatins? If yes, why? Fr data prtectin? Business cntinuity? Disaster recvery? What is the relative imprtance f each? D we need t specify in which cuntry(ies) ur cntent will be stred r will nt be stred? D we need t add ur crprate dmain(s) and set up jurnal rules t capture all messages sent r received frm Exchange Online directly within the administratin cnsle? 2015 Osterman Research, Inc. 11

13 What will be the impact f the US PATRIOT Act and ther gvernmental actins n ur ability t prtect infrmatin? What ptins are available fr maintaining an n-premise archive f clud-based cntent? BUSINESS CONSIDERATIONS Shuld we emply multiple prviders in rder t distribute the risk assciated with ging t the clud? Fr example, if we are cncerned abut ging all-in with a clud strategy, will we be better ff using a third-party archiving slutin that will maintain cpies f data at the Office 365 prvider s and the archiving prvider s data centers? Shuld third-party clud vendrs be used t enhance the security f Office 365, including vendrs f security, encryptin, business and cmpliance archiving r Web filtering? Fr example, the Micrsft encryptin slutin is passive and can create prblems frm a risk management perspective. Shuld we deply Office 365 using nly basic services with supplemental capabilities ffered by third parties, r shuld we pt fr mre sphisticated (and mre expensive) services initially, keeping in mind the limitatins in migrating frm less capable t mre capable plans? What are the ptins available fr clud service prtability? In ther wrds, hw easy r difficult will it be t migrate t Office 365, frm Office 365 t anther prvider, r back t an n-premise service mdel? Is the security prtectin ffered sufficient fr the needs f ur business, r shuld we be cncerned abut the risk f targeted attacks and layer an advanced clud security service arund Office 365? What is the current level f internal IT supprt that we culd devte t managing the migratin t and supprt fr Office 365 and third-party fferings? What is the desired level f internal IT supprt fr managing the migratin t and supprt fr Office 365 and third-party fferings? Is Office 365 able t meet ur requirements fr uptime/ availability? Hw will ur rganizatin respnd and stay prductive in the event f an Office 365 service disruptin r utage? REGULATORY CONSIDERATIONS Will the native Office 365 DLP capabilities be sufficient t meet ur cmpliance bligatins and hw well will they integrate with ther DLP capabilities we might have tday r in the future? Hw well will native Office 365 capabilities cmply with ur regulatry bligatins and what are the hles we will need t fill with third party services? SERVICE LEVEL CONSIDERATIONS What shuld ur backup strategy fr Office 365 data be? Is Office 365 able t meet ur requirements fr uptime/availability? Hw reliable are third-party slutins fcused n security, encryptin, archiving, cmpliance, etc.? What metrics d we need t establish with regard t Recvery Time Objectives (RTO) and Recvery Pint Objectives (RPO)? What cmpensatin is ffered by prviders fllwing utages? 2015 Osterman Research, Inc. 12

14 MIGRATION CONSIDERATIONS Are there exit strategies available fr a) migrating back frm Office 365 t sme srt f an n-premise capability, r b) mving frm clud-based archiving t n-premise archiving while leaving in the clud? What services are ffered fr migrating existing, n-premise Exchange mailbxes and security settings t Office 365? What services are ffered fr migrating archived data frm n-premise archiving slutins t either Exchange Online Archiving r a third party, clud-based archiving slutin? What services are ffered fr migrating frm n-premises SharePint t Office 365? D these services include mail rute cntrl, split dmains r blended slutins that can streamline the migratin prcess? T what extent are custmizatin services necessary? DO WE WANT MICROSOFT TO MANAGE OUR ? Shuld Micrsft manage ur services? When we asked this questin specifically abut Micrsft, we fund that many decisin makers and influencers are nt supprtive f having Micrsft manage their crprate , as shwn in Figure 3. Figure 3 Opinins n Having Micrsft Manage the Infrastructure Many decisin makers and influencers are nt supprtive f having Micrsft manage their crprate . Surce: Osterman Research, Inc Osterman Research, Inc. 13

15 MOBILITY CONSIDERATIONS Which mbile platfrms are used tday and which nes will be used in the future? Will Micrsft prvide the needed supprt fr Andrid-based and ios-based mbile platfrms in the future? Hw well will ur mbile users be supprted in Office 365 and by third party prviders? Hw well are users prtected frm malware when reading s n their mbile devices, such as links t malware that are cntained in s? INTEGRATION AND SUPPORT CONSIDERATIONS Hw much supprt will be required initially and lng term? What supprt services are available with the prviders we are cnsidering? Online supprt nly, telephne supprt, chat supprt, cncierge nbarding, USbased supprt? Hw well can a third party vendr integrate with Office 365 frm a user management and Active Directry sync perspective? PROFESSIONAL SERVICES CONSIDERATIONS T what extent will deep prduct integratin with Micrsft services and sftware be required? T what extent will Micrsft-fcused prfessinal services be required t assist in the migratin and/r integratin prcess? Hw much experience shuld a third party prvider have with multiple Micrsft platfrms like Office 365, n-premise Exchange, Exchange Online, SharePint, Lync, etc.? Hw much will prviders be required t knw abut Micrsft s underlying technlgy, including key Micrsft-fcused cmpetencies and certificatins? Hw much d they knw? Will the prvider(s) have direct access t internal Micrsft prduct team internal resurces, training materials and technical cntent? SUMMARY There is n denying that Micrsft Office 365 is a rbust ffering that ffers a wide range f capabilities. Micrsft has taken pains t ensure that Office 365 perates with reasnable reliability and that its features and functins meet the needs f a wide range f ptential custmers. Hwever, as with any mass-market, technlgybased ffering there will be deficiencies in specific aspects f the features and functins that many custmers require. Because n clud-based ffering can be all things t all custmers, many if nt mst Office 365 custmers will require third party prducts and services t supplement the native capabilities f the platfrm. Because n clud-based ffering can be all things t all custmers, many if nt mst Office 365 custmers will require third party prducts and services t supplement the native capabilities f the platfrm Osterman Research, Inc. 14

16 SPONSOR OF THIS WHITE PAPER McAfee is nw part f Intel Security. With its Security Cnnected strategy, innvative hardware-enhanced security, and unique Glbal Threat Intelligence, Intel Security develps practive, prven security slutins and services t prtect systems, netwrks, and mbile devices fr business and persnal use all ver the wrld. McAFEE THREAT PROTECTION FOR OFFICE 365 McAfee Prtectin fr Micrsft Office 365 Exchange Online helps stp targeted phishing attacks and prvides custmizable warning pages t reinfrce user training. Faster threat detectin and reliable cntinuity prvides assurance, while deplyment flexibility enables enterprise-grade security t mve with yur mailbxes, anywhere they reside. The cmbinatin f McAfee Glbal Threat Intelligence which cllects real-time data frm ver 100 millin sensrs acrss file, web, , and netwrk vectrs, multiple antivirus engines, and ver 20 separate filters eliminate ver 99% f spam and viruses befre they hit hsted Exchange. Click-Time scanning f links within detects changes in URL intent between when a message is scanned and when a link is clicked, even n mbile devices. Links are subjected t real-time emulatin and behaviral analysis f URL cntent a technique which has prven t stp ver 95% f zer-day malware and prevent targeted attacks. Graymail messages are clearly identified in end-user spam reprts, allwing fr simple identificatin amngst standard spam. End-user management is available t allw self-selectin f graymail handling, such as denying, tagging, r allwing these messages. Fr the mst advanced threats, McAfee Advanced Threat Defense integrated with McAfee Prtectin can detect stealthy r delayed malware using static and dynamic analysis. Suspicius files fund in are sent t McAfee Advanced Threat Defense and bserved in a sandbx envirnment while simultaneusly disassembled fr thrugh analysis. Cntinuity enables full access t a web interface where users can access during any planned r unplanned utages f their hsted service. McAFEE DATA PROTECTION FOR OFFICE 365 When layered ver Office 365, utbund can be analyzed and acted upn with further granularity than prvided in any ffering by Micrsft, prviding the level f data prtectin needed fr businesses with sensitive r regulated data. Over 100 prebuilt cmpliance templates allw administratrs t take actin upn s which vilate HIPAA, PCI-DSS, SOX, and ther regulatins, including the ability t encrypt messages r blck them frm leaving the rganizatin. Mre infrmatin can be fund at mcafee.cm/ security Osterman Research, Inc. 15

17 2015 Osterman Research, Inc. All rights reserved. N part f this dcument may be reprduced in any frm by any means, nr may it be distributed withut the permissin f Osterman Research, Inc., nr may it be resld r distributed by any entity ther than Osterman Research, Inc., withut prir written authrizatin f Osterman Research, Inc. Osterman Research, Inc. des nt prvide legal advice. Nthing in this dcument cnstitutes legal advice, nr shall this dcument r any sftware prduct r ther ffering referenced herein serve as a substitute fr the reader s cmpliance with any laws (including but nt limited t any act, statue, regulatin, rule, directive, administrative rder, executive rder, etc. (cllectively, Laws )) referenced in this dcument. If necessary, the reader shuld cnsult with cmpetent legal cunsel regarding any Laws referenced herein. Osterman Research, Inc. makes n representatin r warranty regarding the cmpleteness r accuracy f the infrmatin cntained in this dcument. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL Osterman Research, Inc. 16

18 REFERENCES i / ii iii iv v vi PressReleaseAndWebcast/FY14/Q2/default.aspx vii viii ix x xi xii xiii p pdf xiv xv xvi xvii xviii xix xx xxi xxii xxiii xxiv xxv xxvi xxvii Surce: Office 365 TM Security white paper xxviii xxix Service Level Agreement fr Micrsft Online Services, January 1, 2014 xxx xxxi xxxii xxxiii xxxiv xxxv xxxvi xxxvii xxxviii xxxix queries-ha aspx?ctt= Osterman Research, Inc. 17