Office 365 compliance features keep data locked down

Master the Office 365 Security & Compliance Center

Until recently, Office 365 mirrored its on-premises counterpart -- IT managers administered and managed compliance within each individual service. To keep data in Exchange Online, the admin would adjust settings in the Exchange Admin Center with terminology specific to Exchange. It works the same with SharePoint Online.

The Security & Compliance Center changes all this. It uses a unified portal to manage compliance functionality across the Office 365 suite. Admins use the portal to create policies for all data within the Office 365 tenant. Admins also use this section to perform discovery and searches across multiple services within Office 365.

Admins use the Security & Compliance Center to manage data in several areas. Your organization might need more than one of these Office 365 compliance features.

• Data loss prevention (DLP): This section identifies sensitive content automatically and prevents users from uploading or sharing the data externally or internally.
• Data governance: This area sets policies across Office 365. It works to define how long to keep, and when to remove, data. Admins can also archive data or mark it for supervision review.
• Classifications: This section lets admins define labels to tag content in OneDrive, SharePoint and Exchange services. These labels work with the data governance function to categorize data and apply preservation rules.
• Sensitive information types: These definitions automatically match data, such as credit card or Social Security numbers. Built-in definitions cover most financial, medical, health and personal data, and admins can also add customized definitions. DLP functions and classifications use these definitions to auto detect sensitive data.

Understand the capabilities of Office 365 compliance features

An enterprise's most common compliance requirement is to keep all data for a certain amount of time. Most organizations must retain data for five to 10 years, although the requirement is longer for some.

With an on-premises mailbox server, organizations typically use email journaling for compliance purposes. An email journal makes a copy of every email message -- this includes the message envelope and BCC recipients -- on a separate system. The business retains the copy for as long as necessary.

Organizations on Office 365 do not need a product that copies and stores data from Exchange or SharePoint. If a worker alters or removes data from the mailbox, SharePoint sites or OneDrive for Business, data governance keeps the original in Office 365.

In Figure 2, an admin creates a policy that targets all Office 365 data. The preservation lock feature prevents the Office 365 administrator from removing the policy to add an extra layer of security.

Use DLP to hinder leaks

Many organizations with on-premises messaging servers try to prevent disclosures of sensitive data in email with edge-based DLP tools. But edge-based DLP tools only defend the email gateway and do not account for other ways users share sensitive information. Unless it integrates with OneDrive or SharePoint, an edge-based DLP tool does not scan documents included as a link, rather than an attachment, in email.

Office 365 DLP works across both Exchange and SharePoint and prevents sensitive data from being uploaded and shared. For example, admins can configure Office 365 DLP to prevent users from sending a list of credit card numbers to a OneDrive for Business account. Alternatively, admins can set a DLP policy to stop users from sharing credit card numbers with external guests.

The classifications feature identifies and marks this sensitive data for retention and removal. Autolabel policies can search for data across Exchange, SharePoint and OneDrive by keyword. The admin can further adjust settings in sensitive information types to mark data and remove it.