Office 365 Compliance and Regulations

What does Office 365 compliance mean to you?  If you're in a highly regulated industry, as many of our clients are, you may have real challenges with anything to do with the cloud.  Good news!  Office 365, because it includes cloud-based services, gets lumped into the “cloud” bucket, which is perhaps a bit unfair.  Office 365 is much more than just cloud.

What IS Office 365?

The pairs below outline what Office 365 is (IS) and is not (NOT):

  • IS: A suite of hybrid on-premises and cloud-hosted services and software (Exchange, SharePoint, Lync, Microsoft Office).  NOT: Just e-mail in the cloud.
  • IS: A highly-available service developed for business.  NOT: A consumer-grade e-mail solution designed for end-users.
  • IS: Private and transparent.  NOT: A vehicle for generating more advertising revenue.
  • IS: Compliant with regulatory requirements.  NOT: An all-in cloud solution unable to handle on-premises data requirements.
  • IS: Secure – for both physical and logical access.  NOT: Always a valid answer for every security requirement.
  • IS: A licensing vehicle for flexible access to the Microsoft Office suite of applications.  NOT: A replacement for your EA licensing agreement with Microsoft.
  • IS: A great solution for businesses that need the flexibility to go to the cloud on their own terms and at their own speed.  NOT: Just for business – education and government organizations at all levels are using Office 365.

Compliance Through Hybrid Solution Flexibility

Okay… so how do organizations with complex compliance requirements test the waters of Office 365 without jumping in head-first with all of their data?  One word says it all… “hybrid.”

[Figure: Typical Components of Cloud Computing Systems (Photo credit: Wikipedia)]

Some industries with big cloud challenges include: finance, power and utilities, healthcare, government and education.  They tend to have complex, highly regulated systems that include multiple architectures, platforms and applications.  How do you account for these challenges in a public cloud?

The answer is “don't move it all at once.”  The real benefits to the solutions that Microsoft provides are this: you get to move at your own pace and only as much as you're comfortable with.

The trick with compliance in cloud computing, and with Office 365 in particular, is to break down your organization and systems into multiple buckets.

Make sure to read your regulations carefully and fully understand the compliance requirements.  Splitting some workloads off for the cloud may address the requirements, but don't just assume this is the case.  Most regulations do not stipulate that data cannot reside in the cloud at all… just that it must remain under your direct control or be “secure”… an important distinction.  If you can prove you have sufficient controls in place but do not own and self-host the infrastructure you may be okay.

How Hybrid Works

Hybrid configurations take the best of on-premises and cloud-hosted systems and tie them together.  While hybrid configurations can be more complex than standard e-mail migrations they also afford much greater flexibility and functionality.

In the following diagram, an Exchange 2010 on-premises infrastructure has been extended using Office 365's DirSync capability to copy Active Directory objects to the cloud.  ADFS has been added to allow for single-sign-on using existing on-premises user credentials.  Finally, an Exchange 2013 hybrid server has been added to bridge the existing Exchange organization with the cloud-hosted Exchange Online organization.

Not all Office 365 customers decide to use DirSync, ADFS and hybrid Exchange, but doing so provides a few very significant perks.  Here's what you get in a full hybrid Exchange system:

  1. Single pane of glass management (mostly) using the traditional Exchange Management Console (EMC) or Exchange Administration Center (EAC).
  2. Move mailboxes to and from Office 365 using the integrated console's “Move Mailbox” functionality… along with the ability to pre-cache the mailbox move and complete it later… and without user interruption.
  3. Single-source inbound mail delivery – receive all on-premises and cloud mail either through existing systems or through Exchange Online Protection (EOP).  E-mail destined for non-local mailboxes is forwarded as necessary just as with Exchange systems with multiple mailbox servers.  This means you could use your existing mail hygiene software to handle all inbound mail… but you'll also be single-threading mail delivery through your on-premises infrastructure.
  4. Move mailboxes at your own pace… moving groups together that work together.
  5. Treat different use cases in different ways… move only those to the cloud for which it is appropriately secure and functional.  The rest can remain on-premises with full functionality.
  6. Interact between on-premises and cloud-based mailboxes with high fidelity.  There are only a few limitations with regards to cross-premises permissions and how they migrate and a requirement for Exchange 2013 on-premises to enable remote Public Folder functionality.
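As an added illustration of items 2 and 4 above (this is not code from the original post), here is how a batched, pre-staged remote mailbox move looks from PowerShell in an Exchange 2013 hybrid deployment.  The tenant, host name, batch name and mailbox addresses are constructed placeholders, and the remote-session connection shown is the Exchange 2013-era method that has since been superseded by the Exchange Online PowerShell module.

```powershell
# Added example (not from the original post): stage a working group of mailboxes
# into Exchange Online, then complete the switchover later in a maintenance window.
# All names below are constructed placeholders.

# Onboarding moves are created from the Exchange Online side, so connect there first.
$CloudCred = Get-Credential -Message "Exchange Online administrator"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $CloudCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Credentials of an on-premises Exchange administrator; the Mailbox Replication
# Service in the cloud uses these to pull data from the hybrid server.
$OnPremCred = Get-Credential -Message "On-premises Exchange administrator"

# Item 4: move a team that works together as one batch (constructed addresses).
$Batch = "Dispatch-Wave1"
$Users = @("dispatch1@aeg.example", "dispatch2@aeg.example", "dispatch3@aeg.example")

foreach ($User in $Users) {
    # -SuspendWhenReadyToComplete pre-caches the mailbox copy (item 2) and then
    # pauses at the AutoSuspended status, so users are not interrupted until the
    # final switchover is resumed deliberately.
    New-MoveRequest -Identity $User `
        -Remote `
        -RemoteHostName "mail.aeg.example" `
        -TargetDeliveryDomain "aeg.mail.onmicrosoft.com" `
        -RemoteCredential $OnPremCred `
        -BatchName $Batch `
        -SuspendWhenReadyToComplete `
        -BadItemLimit 10
}

# Monitor the batch: each request reports its status and how far the copy has progressed.
Get-MoveRequest -BatchName $Batch | Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete, BadItemsEncountered

# Later, in the agreed maintenance window: complete every pre-staged move in the batch.
Get-MoveRequest -BatchName $Batch |
    Where-Object { $_.Status -eq "AutoSuspended" } |
    Resume-MoveRequest

# Once completed, clear the finished requests so the batch name can be reused.
Get-MoveRequest -BatchName $Batch |
    Where-Object { $_.Status -eq "Completed" } |
    Remove-MoveRequest
```

Reviewing BadItemsEncountered before resuming is the check that tells you whether the pre-staged copy silently skipped content that a compliance review would expect to have migrated intact.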

Risk Management

Internally, Microsoft categorizes data based on the business impact / risk – High (HBI), Medium (MBI), and Low (LBI) – associated with the assets you protect.  Here's how that might look for your organization:

High Business Impact: data that can never, ever live in the cloud.  Loss would be catastrophic and/or directly break specific mandatory compliance or regulatory requirements.

Medium Business Impact: data that can live in the cloud in certain circumstances… for instance if the data is properly encrypted from end to end and sufficient permission controls are applied to it.

Low Business Impact: data that can live in the cloud unencrypted and with minimal considerations with regard to regulation and compliance.

(A good overview of this risk management model can be viewed here and in The Security Risk Management Guide – a Microsoft Solution Accelerator.)

Example – Power & Utilities

Once you've categorized your data / systems / users you can begin to assess whether and what type of cloud solutions might be appropriate for your organization.  For instance, let's look at a fictional power & utility industry company:

ACME Electric and Gas (AEG) has 1,000 users and serves a medium-sized metropolitan area of 500,000 customers.  The utility has assets in coal, gas, wind and nuclear.  Regulators include:

Each of these institutions may define different risk mitigation strategies that may be mandatory or not and include various regular audits and compliance reporting.  Looking at ACME, it appears that data for most of the organization's nuclear program must remain self-hosted and on-premises – at least until regulations change.  This sensitive data may include secret information with national security implications.

However, much of the rest of the business can selectively engage in work with the cloud.  Take the case of field service line-workers who complete repairs on damaged utility infrastructure.  They use e-mail and collaboration software to communicate with their dispatch centers.  No HBI data is used in these interactions, and mitigations for MBI data include:

  • Virtual private network (VPN) access
  • PKI certificate infrastructure
  • Rights Management Software
  • Granular, role-based, permissions
  • Two-factor authentication
  • Data encryption during transmission and at rest

All of these help to secure access to and storage of customers' personally identifiable information (PII).  Because the requirement in this case is to protect customer privacy rather than to guard against the loss of highly confidential nuclear program data, the capabilities of Office 365 are sufficient for this business case.

Cross-Industry and Cross-Premises Solutions

Similar cases exist across most regulated industries.  This isn't just a story about the power and utility industry.  Healthcare, financial, and government organizations have similar challenges and similar answers.  The real benefit of Office 365 is that it lets customers meet whatever level of compliance and regulatory standards they must adhere to.  Because customers can architect an infrastructure that combines traditional on-premises systems with cloud-hosted systems across multiple use cases, Office 365 offers flexibility and features that other service providers cannot.

I like to tell customers that Microsoft will take your money any way you want to give it to them… for on-premises software, cloud-hosted services, consulting services, consumer hardware… they don't care!  They operate across all of these and it is in their interests to ensure their solutions are integrated together and offer portability across platforms so that customers can purchase services how THEY want to, rather than how Microsoft wants to sell them.

This is a critical change at Microsoft, recently personified in the new CEO, Satya Nadella.  After Satya took the top position at Microsoft, the iPad version (that had been sitting on the shelf for months!) was released.  Microsoft wants the business wherever it is… on their own platforms or on their competitors'… on-premises or in the cloud.

A Cloudy Challenge!

So, here is my challenge to you:

  1. Set aside your preconceptions about cloud (at least temporarily…)
  2. Do some research on the regulations that apply to your organization.
  3. Understand the capabilities and features available in the on-premises and cloud-hosted Office 365 services as well as how they function in hybrid configurations.
  4. Categorize your systems, users, data, etc. according to a risk management methodology such as the one demonstrated above.
  5. Look for portions of your infrastructure that could live in the cloud.
  6. Start a proof of concept.
  7. Evaluate the capability and functionality objectively, comparing your existing solution's cost and features.
  8. Put something into production in the cloud – one department, a development and testing environment, or a service like two-factor authentication.

Many consulting businesses will assist organizations with both the initial evaluation of Office 365 and the hybrid configuration of solutions deployed across both traditional and cloud-based systems.  The best time to engage these companies is after you understand your regulatory requirements and as you are beginning to learn about Office 365 and categorize your assets.  Keep in mind that hybrid configurations cross many skill sets and can be complex to configure.  The good news is that you only need to build it once to gain an efficiency of scale you just cannot build on your own.

The last thing is this… your competitors and peers (both for your organization and for you professionally) are considering cloud.  If you're not building solutions that include the efficiencies of public and/or private cloud and developing the skills to manage and work in the cloud, you're falling behind.


About Oakwood

Since 1981, Oakwood has been helping companies of all sizes, across all industries, solve their business problems.  We bring world-class consultants to architect, design and deploy technology solutions to move your company forward.   Our proven approach guarantees better business outcomes.  With flexible engagement options, your project is delivered on-time and on budget.  11,000 satisfied clients can’t be wrong.
