Head in the Clouds
Assessing an Office 365 Environment for Information Governance

The IT “cloud” is not unlike the ones we see over the sky each day, changing from one second to the next.  What once appeared to be a young child running may turn into a woman with hair billowing in the wind, just as one cloud offering can evolve in features and scale.

The cloud as we have come to know it is not drifting away; it seems here to stay. But not all clouds have a silver lining. Organizations, particularly large ones, are still struggling to determine how the cloud will fit into a true long-term information governance strategy.  And, much like the ones that we see in the sky, they come in many shapes and sizes.

This is increasingly true as the cloud is adopted for end-user business applications that traditionally were on-premise. Perhaps the most compelling enterprise example of this is Microsoft Office 365. The Office 365 suite includes all of the traditional Office productivity applications – such as Word – as well as cloud-based Exchange, SharePoint, and Lync. For many organizations, Microsoft is a primary enabler of business transactions and communications.  As companies struggle to reduce costs, the allure of the cloud is undeniable, because it promises information flow and access to data that help people get more work done with fewer barriers. Who doesn’t like that?

Risk guardians and legal teams, to name a few. After the initial hype around the cloud in the early 2010s, firms are becoming more aware of the governance challenges involved with storing data primarily in the cloud. It’s not to say that the cloud doesn’t have immense potential… it’s just that large organizations are having growing pains in their quest to adopt cloud infrastructure while also maintaining control over their data. Data that you store on-premise is yours; it’s static. Data that you store exclusively in the cloud may technically also be yours; however, a closer review of ever-evolving terms of service may reveal a mile-long list of “gotchas.” These catches may add significant cost and difficulty over a long-term governance strategy.

Microsoft has addressed the governance problem, or at least made a good faith effort to. It isn’t something they can afford to ignore; according to Microsoft, 1 in 4 of their enterprise customers is already using Office 365, and adoption is increasing. Enterprise users of the suite questioned some of the issues with governance, particularly with regard to eDiscovery and legal holds. Workarounds to satisfy minimum requirements were worked into the platform, but many large-scale organizations have realized that those fixes do not scale efficiently, particularly for serial litigants. Some organizations are raising eyebrows by asking about reliable records retention policies in O365, specifically around defensible disposition. Others, too, have questioned the solution’s scalability for locating information in a timely fashion: whether for business repurpose and reuse, or for data analytics.

Microsoft’s Office 365 native archiving and governance offerings are currently being marketed at a price point some might call dirt-cheap, and current O365 users can’t be blamed for being allured. However, there are some serious questions a business must answer before proceeding. The ability to accurately self-evaluate before adoption will potentially save millions in time and dollars, even if that means looking at alternative cloud offerings, comparing on-premise solutions, or even implementing an entirely separate governance platform.

Some things to consider:

• What unstructured data lies outside of the Office enterprise environment?

For most organizations, eDiscovery encompasses much more than Microsoft content. Office 365 can only preserve Lync messages, Exchange emails, and SharePoint items. All other content, such as on-premise file shares, are excluded.

• What is the tolerance for end-user manipulation of data?

Office 365 archiving does not natively conduct journaling on messages. This means that in order to archive an instantaneous, indelible archived copy of a message, the business must implement a third-party archive. Otherwise, there is a potential for messages to be erased or modified before the next data crawl is performed.

• How quickly must ECA be conducted in the average course of litigation?

In early case assessment (ECA), speed and scope is critical to the subsequent outcome of litigation. Office 365 has limited search capabilities: it has relatively few metadata filter options and it frequently errors-out with large lists of terms/phrases. Search results must be reviewed either in the simplistic Outlook interface, or be exported to a third-party review tool.

• Will the enterprise be exporting data to a separate review tool?

With export speeds of only 1.25 to 2.00 GB per hour, a case with wide scope might take weeks to export to another tool: effectively preventing fluid iterative review and identification. The export speed is further compounded by the broad search criteria, since there are not many tools for granular filters or specification. Broad search tools result in larger batches of data, which then must be exported and reviewed.  Thus, potentially reducing the benefits of the O365 initiative all together.

• How does the organization implement retention policies?

 Because of Office 365’s lack of journaling functionality, users can permanently alter or remove a piece of data between crawls. For all users to have an indelible record of email activity, the entire organization would effectively need to be on a permanent legal hold. This would ultimately defeat the purpose of retention and disposal timelines, and data would build up indefinitely without record management functionality.

• What is the business expectation for enterprise search speeds?

Fast search isn’t just about ECA; it’s about enterprise-wide productivity. Most knowledge workers spend a significant portion of time just looking for the existing enterprise content they need across email and file shares. Office 365 offers search only in the O365 data environment, and has caps on large-scale searches. For eDiscovery searches, only 10,000 mailboxes may be searched at a time, and if keyword statistics are desired, that cap drops to 100.

At the end of the day, it’s essential to remember that Office 365 was originally built to create data, not to necessarily manage it. Longer-term governance functionalities were built in gradually over time, in response to business demand. And while Microsoft has made strides on the “single repository” storage front – particularly with the new Azure Data Lake Store – the fact remains that foundational governance functionality is lacking. Data that goes uncleansed and unmanaged wastes money and effort in the long-run, both for eDiscovery and proactive initiatives such as analytics.

When selecting a data management strategy, the organization is the one that knows itself best. There is no one-size-fits-all governance approach, especially with regard to products and vendors. The path of least resistance during the sales cycle may lead to a much rockier path as the trail progresses through deployment and use.

 Don’t allow the cloud to lead to a “perfect storm” for enterprise data. As more and more business information is managed, controlled, and held in a single data environment outside of the enterprise’s control, important questions need to be asked in order to maintain access and ownership. What questions will you ask today?