Cloud technology is one of the most talked-about topics in today’s IT world. With a surge in the number of SaaS companies, we have certainly reached the point where an entire business can be run on the cloud. The big savings, hassle-free automatic software updates, reduced downtime, and many other advantages cloud technology brings to the table should make it a natural choice for most decision makers. Yet companies are still hesitant to take the plunge; most cite security and compliance as the main reasons for not jumping on the cloud bandwagon.
Cloud compliance—an oxymoron?
Unlike an on-premises setup, data in the cloud is stored in cloud service providers’ data centers, and companies don’t really know how their confidential data is being managed. With the looming threat of non-compliance, a company might have a plethora of questions for a cloud service provider when it decides to move to the cloud, such as:
- Where is our data going to be stored?
- Who will have access to our data?
- What is your disaster recovery plan?
- What industry regulations do you comply with?
Sadly, in most cases, the answers companies get from cloud app developers clearly indicate that security and compliance aren’t given the importance they deserve.
Office 365—The outlier
Office 365 is certainly an outlier among all other cloud apps when it comes to compliance. This online productivity software suite from Microsoft is a one-stop solution for accessing various applications, including Exchange Online, SharePoint Online, OneDrive, Skype, and the hosted versions of Microsoft Office tools. These services deal with heaps of information, and the burden of securing this data falls on Office 365. Failing to ward off any unauthorized access to this information will only invite non-compliance.
The good news is that, on the compliance front, Office 365 is light-years ahead of its competitors. It is compliant with almost all industry mandates, such as PCI-DSS, HIPAA, GLBA, and more. It also boasts a dedicated security and compliance center, which helps you devise your own strategy to meet the various external and internal rules and regulations that your organization has to comply with. So, does this signal an end to all your compliance-related issues? The answer to this question would be an emphatic “no.”
Here are some areas, with regard to compliance, where Office 365 still hasn’t upped its game:
Compliance—a work in progress: The security and compliance capabilities of Office 365 are still a work in progress. Its current approach to compliance might help only those businesses with few, generic compliance requirements. But Office 365 doesn’t provide many options for organizations that come under the purview of many stringent external IT regulatory bodies and have to audit many specific events and store the logs for specific time periods, for security or compliance reasons.
Audit trails—a 90-day barrier: To improve performance, all user/administrator activities and mailbox audit trails are purged by Office 365 after 90 days. But most industry compliance mandates require companies to store these audit logs for years, to facilitate forensic log analysis in case any issues crop up.
Limited reports—a major stumbling block: During audits, organizations are required to produce corresponding compliance reports for auditors to validate the security of confidential information across all applications. But native reports in Office 365 are very limited and don’t provide the level of visibility required to ensure hassle-free compliance. For example, Office 365 doesn’t report on changes made by Exchange administrators, delegates, and non-owners to mailbox properties. Also, Office 365 reports can’t be filtered to meet your needs. So an administrator can view all the accesses to a mailbox, for instance, but not the details pertaining to the accesses made by a single user from different IP addresses.
And here’s where ManageEngine O365 Manager Plus – a comprehensive Office 365 reporting, auditing, and management solution – comes into the picture. With over 200 reports on various facets of your Office 365 environment, and a purpose-built reporting package to meet the requirements of PCI-DSS, HIPAA, ISO 27000, GLBA, and SOX, O365 Manager Plus dispels the air of skepticism surrounding compliance. It even lets administrators design custom reports specific to their unique compliance needs. Administrators can schedule reports, export them in the file format of their choice, and have them delivered straight to their inbox.
O365 Manager Plus also monitors and audits every user and admin activity in all supported applications and alerts you to any unusual activity. Furthermore, it lets companies bypass the much-criticized 90-day time limit set for audit logs. Yes, you heard it right! Organizations can now store all audit trails for as long as they want and bid adieu to their compliance-related woes. Also, unlike other major players in this field, O365 Manager Plus is an on-premises solution and therefore any apprehensions regarding the safety of confidential data are swiftly brushed away.