Office 365 Compliance Issues: What can be done to bridge the gap?
CIOREVIEW >> Compliance >>

Office 365 Compliance Issues: What can be done to bridge the gap?

By CIOReview | Tuesday, August 9, 2016

Apart from keeping the business workflow consistent and transparent, Microsoft Office 365 increases simplicity and yields greater productivity. It provides robust security and reliability for IT teams as a part of maintaining business efficiency in Microsoft ecosystem. However, IT Managers expecting huge productivity, simplicity, and licensing gains just by entering an Office 365 automated environment are facing unexpected compliance issues. Because of which, getting buy-in from key stakeholders across the business, such as compliance team, often proves to be a difficult and time-consuming task.

The platform comes with legitimate questions and concerns around compliance. So what are these compliance issues and what can the IT Managers do to bridge this widening-gap?

Risks and Limitations of Office 365 for Compliance

Though compliant with global standards and regulations like European Union data protection laws and the Health Insurance Portability and Accountability Act and ISO 27001, Office 365 only supports organizations with basic compliance requirements. Those with more stringent requirements find the compliance capabilities in Office 365 to be inadequate.

An argument against tightly linked systems

A single, integrated system design that fully handles the conflicting requirements of short-term day-to-day communication is supported by Microsoft. The design also combines a long-term, multi-year compliance mandate under which organizations operate. While those changes have been good and helpful on one level, it doesn’t inspire confidence in Microsoft’s ability to offer a compliance system. The tightly linked design between communication and compliance also leads to some severe implications in order to access BCC addressee information, and expanded distribution list information, a sender’s mailbox must be on legal hold.

Sending large files

Office 365’s inability to seamlessly handle large file transmissions causes employees resort to alternative, consumer-grade file sharing and transmission services. This workaround creates compliance problems for organizations as the message may contain sensitive information that should be encrypted. Further, the message cannot be captured for archival, classification, and retention in the corporate content management system or archive.

Exchange online archiving issues

Microsoft offers an archiving solution for Exchange Online. It provides automated archiving, retention, and deletion features to a user. However, Exchange Online Archiving lacks a number of essential capabilities, such as tamper-proof storage, the ability to export eDiscovery search results in a form suitable for importing into third-party review tools, collaborative review of discovered content, and the ability to cull a document collection to reduce legal costs. These missing capabilities make the issue of compliance burgeon even further for an organization.

Lacking Sharepoint archiving

Exchange Online Archiving feature of the Office 365 platform does not provide archiving capabilities for SharePoint Online, files, or Yammer conversations. The inability of Office 365 to archive its own Yammer service pushes all firms immediately out of compliance. For all other firms for which archiving of content in SharePoint team sites, Lync meetings and messaging threads, and Yammer conversations is required, what is available with Office 365 is not sufficient.

What can be done to bridge the gap?

Office 365’s compliance capabilities can significantly be increased by leveraging third-party tools. Many capabilities are presented by a number of vendors offering third-party tools. Let’s look at the broad categories of these capabilities.

A Compliance System Built for eDiscovery

Third party tools help organizations establish a compliance management system that is separate from the day-today messaging and communications environment. This offers risk mitigation to organizations that decide to shift from Office 365 to another system. This feature also handles archiving, legal hold, and policy-based mandates in a much appropriate manner.

Compliance beyond Office 365 Data

The data of an organization hosted by its historical and other current systems can be managed by using third party tools. The data is managed according to compliance requirements, such as previous messaging systems, social media properties, and Yammer. Vendor tools provide a single cohesive, integrated compliance system to an organization that can incorporate Office 365 data alongside other equally valid data sources.

Mobility solutions

A third party container solution can enable organizations to separate and protect business data and apps on the device. This in turn ensures that compliance is maintained on mobile devices. Container solutions encrypt all the data at rest, in use, and in transit which restricts the data leakage to unsecure applications.

Sending large files

Third-party services offer the ability for transparent distribution of large files directly within Office 365, while still being subject to the organization’s compliance policies. This feature is not available in the Office 365 platform. Large file transfers are handled through a separate secure service, as opposed to using Exchange for delivery.

Message encryption

Vendor tools have features that offer the organizations with ability to establish policies that trigger which messages are subject to encryption, and automatically apply the required encryption level without requiring manual intervention by users. The ability to revoke encrypted messages that have been sent to the wrong person is also offered by the advanced third  party encryption services.

Email archiving

Using third party tools, archiving, and retention of email without the ability for users to simply override the policy settings at will can be carried out in a policy based manner. Separating the day-to-day transactional communication through email and the compliance repository helps in compliance management. Journaling of communications from Exchange to a separate archive is a well-established approach to the creation of a compliance repository.


Compliance can be the force that makes the swing to go to-and-fro, or it can be the opposite wind gushing in and making your swing to slow. With the new report from Osterman Research slamming Office 365 compliance features, organizations needs to buckle up and be compliant with the industry standards.

See Also: Top Risk and Compliance Solution Companies