
Office 365 compliance features keep data locked down

Microsoft offers tools in Office 365 to help administrators manage complicated data compliance regulations. These features can protect the business.

Stricter guidelines for compliance regarding messaging retention are forthcoming thanks to rules such as the EU General Data Protection Regulation. Administrators new to Office 365 must learn the nuances of this service's features to prepare for these changes.

Office 365 compliance features differ from those of on-premises systems, such as Exchange Server. The tools to identify, retain and remove data are built into the Office 365 Security & Compliance Center. This portal enables businesses to keep data for as long as necessary without third-party tools or extra storage, and it works across Microsoft's cloud services.

This article looks at the Office 365 compliance features, where they fall short and how admins can adjust for these shortcomings.

Master the Office 365 Security & Compliance Center

Until recently, Office 365 mirrored its on-premises counterpart -- IT managers administered compliance within each individual service. To keep data in Exchange Online, the admin would adjust settings in the Exchange Admin Center using terminology specific to Exchange. It works the same way with SharePoint Online.

The Security & Compliance Center changes all this. It provides a unified portal to manage compliance functionality across the Office 365 suite. Admins use the portal to create policies for all data within the Office 365 tenant, and to perform discovery and searches across multiple services within Office 365.

Figure 1: Admins use the Security & Compliance Center to handle compliance tasks for data across the Office 365 suite.

Admins use the Security & Compliance Center to manage data in several areas. Your organization might need more than one of these Office 365 compliance features.

  • Data loss prevention (DLP): This section identifies sensitive content automatically and prevents users from uploading or sharing the data externally or internally.
  • Data governance: This area sets policies across Office 365. It works to define how long to keep, and when to remove, data. Admins can also archive data or mark it for supervision review.
  • Classifications: This section lets admins define labels to tag content in OneDrive, SharePoint and Exchange services. These labels work with the data governance function to categorize data and apply preservation rules.
  • Sensitive information types: These definitions automatically match data, such as credit card or Social Security numbers. Built-in definitions cover most financial, medical, health and personal data, and admins can also add customized definitions. DLP functions and classifications use these definitions to automatically detect sensitive data.

Understand the capabilities of Office 365 compliance features

An enterprise's most common compliance requirement is to keep all data for a certain amount of time. Most organizations must retain data for five to 10 years, although the requirement is longer for some.

With an on-premises mailbox server, organizations typically use email journaling for compliance purposes. An email journal makes a copy of every email message -- this includes the message envelope and BCC recipients -- on a separate system. The business retains the copy for as long as necessary.


Organizations on Office 365 do not need a separate product that copies and stores data from Exchange or SharePoint. If a worker alters or removes data from the mailbox, SharePoint sites or OneDrive for Business, data governance keeps the original in Office 365.

In Figure 2, an admin creates a policy that targets all Office 365 data. To add an extra layer of protection, the preservation lock feature prevents even an Office 365 administrator from removing the policy.

Figure 2: This policy protects data in all areas of the Office 365 suite.
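The same policy can be created from Security & Compliance PowerShell instead of the portal. The following is an added example, not code from the article or from Microsoft: it builds a tenant-wide retention policy, attaches a retention rule and then applies preservation lock. The policy and rule names, the seven-year duration and the assumption that the Exchange Online Management module is installed and the account holds a compliance admin role are all constructed for this example.

```powershell
# Added example (not from the article): tenant-wide retention policy plus preservation lock.
# Assumes the Exchange Online Management module is installed and the signed-in account
# holds a compliance admin role. Names and the 7-year duration are constructed values.

Connect-IPPSSession   # opens a Security & Compliance PowerShell session

$policyName = 'Org-Wide Retain 7 Years'   # constructed policy name

# 1. Scope: every mailbox, SharePoint site and OneDrive account in the tenant.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Enabled $true

# 2. Rule: keep content for 2,555 days (about 7 years) from creation, then delete it.
New-RetentionComplianceRule -Name "$policyName - rule" `
    -Policy $policyName `
    -RetentionDuration 2555 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 3. Verify scope and rule before locking; this is the last point at which
#    the policy can still be corrected or removed.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, ExchangeLocation, SharePointLocation, OneDriveLocation, RestrictiveRetention
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction

# 4. Preservation lock. Once set, no administrator can disable or remove the policy,
#    so step 3 is not optional.
Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true -Confirm:$false
```

Run the verification step and read its output before the final command: preservation lock is what makes the retained data resistant to a compromised or careless admin account, and the same property means a scoping mistake cannot be undone afterwards.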

Use DLP to hinder leaks

Many organizations with on-premises messaging servers try to prevent disclosures of sensitive data in email with edge-based DLP tools. But edge-based DLP tools only defend the email gateway and do not account for other ways users share sensitive information. Unless it integrates with OneDrive or SharePoint, an edge-based DLP tool does not scan a document that is included in an email as a link rather than as an attachment.

Office 365 DLP works across both Exchange and SharePoint and prevents sensitive data from being uploaded and shared. For example, admins can configure Office 365 DLP to prevent users from sending a list of credit card numbers to a OneDrive for Business account. Alternatively, admins can set a DLP policy to stop users from sharing credit card numbers with external guests.

Figure 3: This Office 365 DLP policy sends an alert if the content includes insurance information or passport numbers.

The classifications feature identifies and marks this sensitive data for retention and removal. Auto-label policies can search for data across Exchange, SharePoint and OneDrive by keyword. The admin can further adjust the sensitive information type definitions that decide which data is marked and removed.
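To show how the DLP scenario above (stopping users from sharing credit card numbers with external guests, with an alert to an admin) is expressed as a policy, here is an added example in Security & Compliance PowerShell; it is not code from the article or from Microsoft. It uses the built-in "Credit Card Number" sensitive information type. The policy and rule names, the match threshold and the alert mailbox are constructed, and the session assumptions are the same as in the retention example.

```powershell
# Added example (not from the article): DLP policy across Exchange, SharePoint and OneDrive
# with one rule that blocks sharing credit card numbers outside the organization and
# alerts an admin. Policy/rule names, threshold and alert mailbox are constructed values.

Connect-IPPSSession

$dlpName = 'Block External Sharing of Card Numbers'   # constructed policy name

# Start in test mode: matches are logged and users are notified, but nothing is blocked.
# Switch to Enable only after reviewing the DLP reports for false positives.
New-DlpCompliancePolicy -Name $dlpName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: content containing at least one credit card number, shared with anyone
# outside the organization, is blocked; the owner and last modifier are told why,
# and an alert goes to the (placeholder) compliance mailbox.
New-DlpComplianceRule -Name "$dlpName - rule" `
    -Policy $dlpName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateAlert 'dlp-alerts@example.com' `
    -ReportSeverityLevel High

# Review what was created before enforcing it.
Get-DlpComplianceRule -Policy $dlpName |
    Format-List Name, AccessScope, BlockAccess, ContentContainsSensitiveInformation

# After the test period, promote the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $dlpName -Mode Enable
```

The rule scopes on AccessScope NotInOrganization, so internal collaboration on the same document is not interrupted; widening it to block all sharing is a matter of changing that one value, which is why starting in test mode and reading the reports first matters.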
