El Reg drills into Office 365: The science of compliance
Hands on with Trevor
Office 365 may well be the most impressive attempt at providing international information on legal compliance ever attempted.
Microsoft has hired many of the world's foremost experts on the various layers of legal compliance that exist and has created a software solution that helps enterprises meet compliance levels that would be almost impossible to achieve otherwise.
Go big or go home
For all of the problems that cloud computing can pose, it offers benefits through sheer economies of scale that only the most affluent or dedicated businesses could hope to match.
Is Microsoft as cost efficient as Amazon, Google, Facebook or other hyperscale tech megaliths? Frankly, I doubt it; but I promise you it is more efficient than you, me and the overwhelming majority of people who will ever read this article.
Similarly, IT security is becoming a problem. Our industry needs to face the cold hard fact that there is just too much stuff out there for us to possibly keep on top of it all.
Do you understand the latest Java vulnerability? How, exactly, do you defend against it? What about unannounced zero-days?
Are you willing to bet your career on every edge device on your network being absolutely secure? What about your user endpoints? If one of them is compromised, how secure is your network? Do you use IP-based phones? If the network is compromised, how do you dial 911?
Some features are more worthy than others
I am required to manage a geometrically inflating, increasingly inter-dependent fabric of devices, operating systems, applications and services. It could take me days just to write the list of potential security holes in even the small business network.
I know for a fact that there is no possible way I can keep up with each and every security threat, patch, and so forth. I am not remotely convinced that Microsoft – or anyone else, for that matter – truly can either. But Microsoft and other hyperscale providers have rather a lot more resources at their disposal than I do.
When it comes to email, instant messaging, certain classes of website provisioning and similar basic business-critical services, Microsoft will do a better, more thorough job of security than I could hope to.
Don't believe me? Take a look at this Office 365 security whitepaper. These folks have some pretty paranoid people working for them.
Two-factor authentication, encryption at rest, encryption in flight, Active Directory rights management... protocols upon procedures upon compliance checks upon audits. If you sneeze in one of those data centers I am sure the event is logged.
This carries through to legal compliance. Microsoft complies with things like ISO 27001, HIPAA BAA, FISMA/FedRAMP and a whole lot more such alphabet soup.
I only vaguely know what some of these standards are. Others (such as PCI compliance) are so vague as to be useless, so hats off to anyone who successfully complies with such foolishness.
It is a level of bureaucracy I am not well suited to enforce. I do, however, have to enforce it. As a systems administrator it is, sadly, my job to know and care about the rules and regulations of the countries in which my clients operate.
Again, we are in danger of disappearing down a rabbit hole. Intellectual property laws alone are mind-bogglingly complex. Canada's foremost authority on the topic, Michael Geist, has made intellectual property law in Canada and the US the focus of his career and even he sometimes gets things wrong.
Federate your communications...and those monitoring you?
Each province in Canada has its own privacy laws; our federal government has some too. The US is the same, and the EU has created a Lovecraftian horror in the form of libraries upon libraries of complex interconnecting law textbooks.
All the data those laws refer to goes through a computer. As the IT guy, that data is my responsibility. So now I am not only expected to know how to secure more applications and devices than I have installed, I need to know several PhDs' worth of law (and possibly accounting) as well.
Stem the data loss
The biggest security threat is not malice but incompetence. The evil hacker bogeyman doesn't scare me nearly as much as the random employee attaching a spreadsheet full of credit card numbers to an email and accidentally CC-ing all of China.
In theory, I know how to build a widget that could be tacked on to various layers of communication to scan for different string patterns and try to catch terms like "credit cards", "social insurance numbers" and so forth. Creating the right (and inevitably enormous) list of regular expressions to catch even the majority of oopsies is another PhD.
That is before we look at the widget itself. To match Office 365's functionality I would have to be able to scan not only the email content but attachments as well.
I am pretty sure I don't know how to read the binary blob formats of the older Office documents using any of the scripting languages I am familiar with. I know from experience that trying to parse PDFs is a monumental pain.
Even if I could build said widget, why should any of my clients trust it? If my clients are using Office 365 then a lot more of Microsoft's techno-weenies can get hit by a bus before their business is at risk than if they rely on Trevor Pott's special binary reserve.
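The string-pattern widget described above, as an added illustration (not the author's code and not Microsoft's DLP implementation): it pulls digit runs out of a message body, then uses the Luhn mod-10 check, which both payment cards and Canadian social insurance numbers share, to cut down on false positives before masking the hits. The sample email and the numbers in it are constructed test values.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample message (not real data). The card number and SIN are
# well-known synthetic test values that satisfy the Luhn check; the order
# reference and phone number are decoys that must not be flagged.
SAMPLE_EMAIL = """Subject: Q3 figures
Hi all, the card on file is 4111 1111 1111 1111, please charge it.
Jane's SIN is 046-454-286 for the payroll form.
Order ref 1234-5678-9012 is not a card number.
Phone 604-555-0123 is fine."""

# A run of 9 to 16 digits, optionally separated by single spaces or hyphens,
# bounded on both sides by a non-digit so we never take a slice of a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){8,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment cards and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits: str) -> Optional[str]:
    """Label a digit run as a SIN or card number, or None if it is neither."""
    if len(digits) == 9 and luhn_ok(digits):
        return "SIN"
    if 13 <= len(digits) <= 16 and luhn_ok(digits):
        return "CARD"
    return None


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) for each likely card number or SIN in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        kind = classify(digits)
        if kind:
            # Keep only the last four digits so the alert itself does not leak the value.
            hits.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_EMAIL))
```

Real DLP products add context keywords, dictionary matches and attachment parsing on top of this; the Luhn filter alone is what keeps order numbers and phone numbers from tripping the alarm.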
Auditing made simple
Different countries have different laws, but especially with regards to anything financial, thou shalt not delete anything.
Auditing: this is a thing you can do
In Canada we can get hit by an audit that would require us to turn up every record we have going back seven years. Given the way some people use email as the dumping ground for every scrap of information they run across, the ability to enforce retention policies across the entire organisation is an absolute must in modern business.
This and various flavours of auditing have been critical components of Microsoft's email offerings for some time. More than any other feature, it is likely responsible for Exchange's cult-like following among enterprises.
Office 365 has all the blue crystals of Exchange 2013 in this regard (not surprising, given the shared code base) but in a dirt-simple interface.
You don't have to be a Microsoft MVP MCITP rah-rah with added PowerShell certificates to turn this stuff on and have it work. Push button, receive retention. You can use the spare time to read some more law books.
Voyage of eDiscovery
I joke about having to learn the law but everyone stops laughing when we start talking about having to teach lawyers to use technology. eDiscovery is just that: enabling authorised personnel to search through all the communication media used by the company.
This can be used for evil or for slightly less than evil. Certainly the concept is more than a little Orwellian, papered over by the sweet platitude that you consented to having your every word snooped when you signed the employment agreement.
It can also be a "cover your arse" feature. When a company gets big enough then it will inevitably get into an argument with someone.
Resolving that argument – in or out of court – will almost certainly require finding supporting evidence. This is where eDiscovery comes in.
The Office 365 implementation of this is set up in such a way that you can delegate the ability to use it without granting the eDiscovery personnel full administrative access to the rest of the interface.
It is easy enough for lawyers and HR types to use and might even prevent you from having to learn too many of those law books after all.
Paranoid about privacy
So, Office 365 sounds like it solves a lot of problems. And it does.
The bit that worries me is the bit that Microsoft has no control over whatsoever: privacy. To be sure, Microsoft has put a truly breathtaking amount of effort into ensuring that you can trust it. The company has signed up to the EU Model Clauses bit and registered for US Safe Harbour.
In theory Microsoft treats your personal data with the utmost care. Any third-party data controllers it engages will be held to the same standards as itself.
That is what it has committed to, and I for one believe that Microsoft will do everything possible to live up to the EU-US Safe Harbour and Model Clauses rules.
There is, however, the minor issue that the Model Clauses are kind of crap, that Safe Harbour is poorly enforced, and that even if it were not, it wouldn't matter because all your data belongs to the US government.
The issues relating to privacy are a real concern to me. A recent decision by the Ontario Court of Appeal states that Canadian law recognises a right to privacy, putting Canada at odds with the US. As the owner of an Alberta corporation, I am doubly screwed here.
I live in a province with strong privacy protections; our laws are fully compliant with the Personal Information Protection and Electronic Documents Act (Pipeda). Given recent judicial backing of the concept that Canadians have a right to privacy, Pipeda may well be in direct conflict with the US Patriot Act.
You want to keep my information in the cloud for how long?
Exactly how liable my company could be if Microsoft were forced to hand over the private data of a Canadian corporation or citizen to the US government because we chose to use Office 365 is untested legal water.
My paranoia is a function of company size. I don't have a bag of uber-lawyers on retainer so I have to pick my battles. I have no intention of being the first fellow – or even the thousandth – through that legal minefield.
For the time being any personally identifiable information that my company processes will be on our own servers under the sole jurisdiction of our own nation. I will wait until after the first few major cloud data storage cases have made their way to the supreme court.
If Microsoft were to license the technology to a Canadian, EU or Swiss company (all of whom have broadly similar and fully compatible privacy laws) I would be all over it. Once upon a time there were rumours about such things. I am rather sad they came to nothing.
Office 365 hosted in a privacy-bloc nation by a company with zero ties whatsoever (no employees, subsidiary corporations or parent corporations) to non-privacy-bloc nations? Yes, please.
Better and better
It irks me to be so paranoid. Office 365 is growing up fast. It is a lot better this year than last, and it seems on track to get better with each passing year.
I believe that on balance, Microsoft can do a far better job of security, legal compliance, retention and discovery than I could ever hope to do on my lonesome.
For all my paranoia, Microsoft claims Pipeda compliance. In fact it seems to comply with virtually every major privacy regulation I can find.
The complexity of networks – and the burdens of management – are not going to decrease. If your organisation has the resources to determine whether Office 365 is a realistic legal possibility, it is worth a look. ®