Tuesday, July 29, 2014

Cloud Compliance and Regulatory Challenges with Office 365!

Are you in a highly regulated industry?  Do you have issues with "the cloud" and compliance and regulatory challenges?  Let's talk about how Office 365 IS and IS NOT just "cloud."  Once we've cleared the air a bit, you should take another look at Office 365 with a fresh set of eyes and reconsider Office 365 for at least some of your workloads.

I recently blogged extensively on this topic on the Oakwood Insights site.  In the future, I'll be posting complementary articles there and here and will link them together.

What Office 365 IS NOT:

Everyone talks about what Office 365 IS.  I'd like to contrast that with what Office 365 is NOT:

IS: A suite of hybrid on-premises and cloud-hosted services and software
IS NOT: JUST e-mail in the cloud

IS: A highly-available service developed for business
IS NOT: A consumer-grade e-mail solution for end-users

IS: Private and transparent
IS NOT: A vehicle for generating more advertising revenue

IS: Compliant to regulatory requirements
IS NOT: An all-in cloud solution unable to handle on-premises data requirements

IS: Secure - both for physical and logical access
IS NOT: Always a valid answer for every security requirement

IS: A licensing vehicle for flexible access to the Microsoft Office suite of applications
IS NOT: A replacement for your EA licensing agreement with Microsoft

IS: A great solution for businesses that need the flexibility to go to the cloud on their own terms at their own speed
IS NOT: Just for business - education and government organizations at all levels are using Office 365

Addressing Compliance and Regulatory Requirements

Office 365 addresses a comprehensive list of requirements including:

  • Data Processing Agreements (DPA)
  • Federal Information Security Management Act (FISMA)
  • ISO 27001
  • EU model clauses
  • U.S. - E.U. Safe Harbor

And here are some of the security and privacy tools used to address compliance and regulations:

  1. Restricted physical data center access
  2. Encryption at rest and during transmission
  3. No use of customer data for advertising
  4. Regular backups of data
  5. Enforcing "hard" passwords
  6. Data Loss Prevention (DLP)
  7. eDiscovery
  8. Granular, role-based permissions
  9. Transparent operations - know where your data is and who has access
  10. Visibility into availability and a 99.9%, financially-backed uptime guarantee.

Some of the industries with the heaviest requirements (finance, healthcare, power and utility, government and education to name a few) have just written off the cloud entirely and I think that's a big mistake.  On a quarterly or even monthly basis, Microsoft is improving the service, continually adding capabilities and looking at additional security and management features.  Frankly, building the types of features and controls that Office 365 provides in an on-premises environment can be very expensive and labor-intensive, and most small and medium-sized organizations struggle to comply with complex and intrusive regulations.

So, I hear a lot of: "we can't move anything because we can't move everything."  Organizations assume that if they have one workload or one class of user that requires high security or is highly regulated, they cannot move any of their workloads or users.  This simply isn't true in most cases.  Microsoft has invested much effort in developing products that offer "Hybrid" on-premises / cloud functionality.  Let's talk about that next...

What Hybrid Does for You

[Figure: Typical Components of Cloud Computing Systems]
First, what does "Hybrid" mean?  Hybrid configurations take the best of on-premises and cloud-hosted systems and tie them together.  While hybrid configurations can be more complex they also afford much greater flexibility and functionality.

Here's what that means: you can selectively choose workloads that are more appropriate for the cloud and move just those while leaving the remainder of your IT infrastructure on-premises where you have full control of it.  Take advantage of the scale and pricing efficiency you get in the cloud but do so only for those users and data for which it is appropriate.

The real trick is categorizing your data, users and business processes to understand which platforms are best suited for them.  The same way you now evaluate storage... tier 1/2/3... you need to evaluate platforms.  Consider on-premises traditional, public cloud and private cloud options and make a chart for each use case and where that workload belongs.
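To make the tiering idea concrete, here is an added example (not from the original post, and not Microsoft guidance) of building that placement chart in code. It assumes a handful of constructed workloads and three illustrative placement rules: a hard on-premises data-residency requirement wins outright, a regulatory regime that is not in the list of attestations the post names sends the workload to private cloud for review, restricted data does the same, and everything else is a public-cloud (Office 365) candidate. The attestation names, workload names and rule order are all assumptions chosen for the illustration.

```python
"""Workload placement chart: tier workloads across on-premises, private cloud
and public cloud (Office 365), the way storage is tiered 1/2/3.

Added example, not code from the original post. The placement rules and the
sample workloads are constructed for illustration and are not Microsoft guidance.
"""
from dataclasses import dataclass

# Attestations the post lists for Office 365 (July 2014). Assumed set for the example.
OFFICE365_ATTESTATIONS = frozenset(
    {"DPA", "FISMA", "ISO 27001", "EU model clauses", "Safe Harbor"}
)

PUBLIC_CLOUD = "public cloud (Office 365)"
PRIVATE_CLOUD = "private cloud"
ON_PREMISES = "on-premises"


@dataclass(frozen=True)
class Workload:
    name: str
    data_class: str        # "public", "internal", "confidential" or "restricted"
    regimes: frozenset     # regulatory regimes the workload must satisfy
    on_prem_required: bool  # hard requirement that the data never leave your data center
    users: int


def place(w: Workload):
    """Return (platform, reasons) for one workload.

    Evaluation order (illustrative assumption): hard residency requirement first,
    then whether the listed attestations cover every regime, then data sensitivity.
    """
    if w.on_prem_required:
        return ON_PREMISES, ["hard data-residency requirement"]

    uncovered = w.regimes - OFFICE365_ATTESTATIONS
    if uncovered:
        # A regime the post's attestation list does not cover: keep it under your
        # own control until you have validated coverage with the provider.
        return PRIVATE_CLOUD, [
            "regimes not covered by listed attestations: " + ", ".join(sorted(uncovered))
        ]

    if w.data_class == "restricted":
        return PRIVATE_CLOUD, ["restricted data: validate controls before moving"]

    covered = ", ".join(sorted(w.regimes)) if w.regimes else "no specific regime"
    return PUBLIC_CLOUD, ["attestations cover: " + covered]


def build_chart(workloads):
    """Chart of workload name -> (platform, reasons), one row per use case."""
    return {w.name: place(w) for w in workloads}


def pilot_candidate(workloads):
    """Smallest public-cloud candidate by user count: the 'start small' pilot."""
    candidates = [w for w in workloads if place(w)[0] == PUBLIC_CLOUD]
    if not candidates:
        return None
    return min(candidates, key=lambda w: w.users).name


# Constructed sample workloads for a fictional utility company.
SAMPLE = [
    Workload("Corporate e-mail", "internal", frozenset({"ISO 27001"}), False, 800),
    Workload("SCADA historian", "restricted", frozenset({"NERC CIP"}), True, 25),
    Workload("Patient records", "restricted", frozenset({"HIPAA"}), False, 120),
    Workload("Marketing SharePoint site", "public", frozenset(), False, 40),
]


if __name__ == "__main__":
    for name, (platform, reasons) in build_chart(SAMPLE).items():
        print(f"{name:28s} -> {platform:26s} ({'; '.join(reasons)})")
    print("pilot candidate:", pilot_candidate(SAMPLE))
```

The chart is the artifact: one row per workload, a platform, and the reason it landed there, which is exactly what you need in hand when someone says "we can't move anything."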

Learn More About My Cloudy Challenge!

Visit my article at Oakwood Insights for more:

  • How Hybrid Works: what are DirSync, ADFS and Hybrid?  And how do they change the Office 365 conversation?
  • Risk Management: how Microsoft categorizes data and how you can use their model to evaluate what does and doesn't belong in the cloud.
  • Power and Utilities example: how a power and utility company might selectively choose a workload for Office 365 and mitigate some of the security and data ownership challenges they face.
  • Microsoft is crossing platforms... Windows, iOS, Android... they just want to sell you services now and don't care where you access from or how.
  • My Cloud Challenge!  Reevaluate Office 365 and start a pilot... for something, no matter how small.  Your peers are looking at the cloud... you need to be as well.
