Compliance in the clouds

With the freedom and flexibility of the cloud come new compliance challenges

If cloud working is the giant liberating party many in the technology industry have been promising for years, then compliance is the person who pins up a notice warning of tomorrow’s possible hangover.

Microsoft 365 offers much to unshackle enterprises; remote working, always-on access, device independence and collaboration in a way that kills geographical issues.  The flip side of this is every security person’s nightmare: users coming from undefined locations on different devices looking to access (and share) highly confidential information.

A shifting burden of responsibility

In most industries, the onus of managing information was originally on the individual company.  However, as the world gradually realised the value and implications of data, attitudes changed, and a new range of legislation was gradually ushered in.

Some are industry specific and some more broad ranging.  Agreed standards and regulatory teeth initially took root in some vertical industries, such as HIPAA (healthcare), PCI DSS (payment card industry) but gradually, of course, legislation such as GDPR became applicable on a wider scale.

Compliance to such regulations essentially mandates how data is managed.  Some of this relates to countermeasures and proactive protection, but also exactly how organisations have visibility of data and their ability to produce an audit trail when requested.

Microsoft 365: integrated suite, disparate information

According to recent research we carried out, this is one of the pressing things on the minds of security teams at enterprises migrating to Microsoft 365.

Whilst the popular cloud service has numerous ‘security centres’ which can track people’s interactions with apps and data services, there is no single central pane of glass covering the entire suite, outside of the top of the range most expensive plan.  In today’s world of multiple cloud applications, where people hop in and out of different SaaS solutions, this means blackspots.

In an environment where a regulator can demand an audit at any point in time, this leaves compliance teams somewhat exposed as it can be an arduous task to stitch together all the necessary information.

Maintain visibility of compliance data at all times

To achieve this task effectively, it is crucial to use a CASB solution which tracks user activity across official enterprise applications, as well as ‘shadow’ apps – those which are used but not necessarily approved.  To bring this all together, a point of aggregation such as a SIM / SIEM solution is necessary.  Without which, full visibility and a comprehensive audit trail across all admin and user activity is impossible.

Once this is achieved, it is crucial admins and regulatory teams have access to data regardless of time of day, device, or where they are in the world.  It may sound obvious, but bottlenecks in compliance caused by administrative, logistical or technical issues are not well tolerated by regulators. Quick, easy access is vital.

To compound this, it is also important to plan for data requests in situations of technical crisis. As discussed in a previous post, Microsoft downtime is not an unheard of occurrence. This begs the question: What happens if ‘the cloud’ is not available and data, especially email where it is estimated up to 60% of information is exclusively stored, is not available?

This is where a compliant tamper-proof email archive is important.  A place where security and compliance teams can turn in the event of downtime, with searchable ‘always-on’ access to email history.  With this, any company stands ready to respond to internal and external audit requests within minutes instead of hours, even in the event of the worst case.

In addition, it is more economic, as typically email archive storage is significantly cheaper than expensive premium mail server storage.

In essence, while compliance can initially feel like a sticking point for successful Microsoft 365 deployments, treated correctly it can become a way of reducing email data risk and optimising storage.  Coupled with an intuitive search interface, privileged users across all business units, not just those with technical experience, will also see increased productivity.  Tackled in this way, compliance requests liberate regulatory and compliance teams, as opposed to generating helpdesk tickets.

For more information on how to achieve this, and other information on protecting Microsoft 365, visit our Defence365 hub.

Defence365 Vlog: How to protect your organisation from data loss and leakage in Office 365

Defence365

Censornet have collaborated with some of the cloud and security industry’s most prominent thought leaders to bring you expert advice, no matter where you are on your Office 365 journey.

Related Insights