Compliance features in Exchange Online

Bharat Suneja, Senior Technical Writer with Exchange, follows up on his blog post: Trustworthy Compliance in Office 365

Let’s take a high-level look at some of the compliance features available in Office 365.

Manage email lifecycle using retention policies

As your users continue to accumulate email, you must plan for managing the email lifecycle. Driven by business requirements or regulation, many organizations have policies to retain messages for a certain period. Exchange Online supports Retention Policies for messaging retention management (MRM). Retention policies consist of one or more retention policy tags (RPTs) that allow you to specify how long a message should be retained in different folders in a user’s mailbox, and the action to take on a message when that period elapses. For example, you can create a retention tag to permanently delete items in the user’s Junk Mail folder in 7 days and another tag to delete messages in the Inbox after 3 years.

You can also create personal tags with different retention settings and add them to the users’ policy. Your users can apply these personal tags to folders that they create and to individual items. Retention tags can be configured either to delete a message, which allows the user to still recover the message for 14 days, or to permanently delete the message, which purges the message from the mailbox store. You can also configure retention tags to archive messages to the user’s Personal Archive. For more details, see Set Up and Manage Retention Policies in Exchange Online.
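The tags described above, written out as Exchange Management Shell commands. This is an added example, not code from the original post; the tag names, policy name, mailbox address and the one-year archive age are assumptions chosen for illustration.

```powershell
# Added example: tag, policy and mailbox names are illustrative assumptions.
# Run in a remote PowerShell session connected to Exchange Online.

# Retention policy tag for the Junk E-mail folder: purge after 7 days.
New-RetentionPolicyTag -Name 'Junk - purge after 7 days' -Type JunkEmail `
    -AgeLimitForRetention 7 -RetentionAction PermanentlyDelete `
    -RetentionEnabled $true

# Retention policy tag for the Inbox: delete after 3 years (1095 days).
# DeleteAndAllowRecovery leaves the item recoverable by the user;
# PermanentlyDelete purges it from the mailbox.
New-RetentionPolicyTag -Name 'Inbox - delete after 3 years' -Type Inbox `
    -AgeLimitForRetention 1095 -RetentionAction DeleteAndAllowRecovery `
    -RetentionEnabled $true

# Personal tag that users can apply themselves: move to the archive after 1 year.
New-RetentionPolicyTag -Name 'Personal - archive after 1 year' -Type Personal `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive `
    -RetentionEnabled $true

# Link the tags into one policy and assign the policy to a mailbox.
$tags = 'Junk - purge after 7 days',
        'Inbox - delete after 3 years',
        'Personal - archive after 1 year'
New-RetentionPolicy -Name 'Example MRM policy' -RetentionPolicyTagLinks $tags
Set-Mailbox -Identity 'user@example.com' -RetentionPolicy 'Example MRM policy'

# Review what was created and what the mailbox now uses.
$tags | ForEach-Object { Get-RetentionPolicyTag -Identity $_ } |
    Format-Table Name, Type, AgeLimitForRetention, RetentionAction -AutoSize
Get-Mailbox -Identity 'user@example.com' | Format-List Name, RetentionPolicy
```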

When planning for email lifecycle management, it’s important to note that MRM allows you to configure a time period after which Exchange Online automatically archives or purges email. It does not prevent users from deleting email from their own mailbox. If your organization requires messages to be retained for a certain period, even if a user deletes them before that period has lapsed, you can extend the Single Item Recovery period, also known as rolling legal hold, to meet this requirement. You must call customer support to make this change. The ability to extend the Single Item Recovery window varies with the plan. For example, if you want to retain messages for at least 7 years, setting the deleted item retention period to 7 years will help you meet this requirement. Even if a message is deleted by a user as soon as it’s received, it will be retained in the Recoverable Items folder for 7 years. During this period, messages will be returned in any Discovery searches conducted by authorized discovery managers.

Conversely, if your organization requires retention for a maximum of 7 years from the day it’s received, this setting will not fulfill the requirement because deleted item retention is calculated from the time an item is deleted.

One final but important consideration when planning for MRM: it can take Exchange Online up to 7 days to process all mailboxes in your organization. For example, if you have a retention policy that purges messages after 7 years, the messages may not be purged until 7 years and 7 days.

In-place archiving using Personal Archives

Personal archives allow your users to store older, less frequently accessed messages in their mailbox. They allow your organization to retain messages in users’ mailboxes for as long as required to meet your message retention needs. By allowing users to keep their messages in their Exchange Online mailbox or archive, as opposed to storing messages on their computer in a .pst file, you get the following benefits:

  • Messages in the mailbox are retained based on your organization’s retention requirements
  • Your organization is protected from data loss when incidents like lost or stolen laptops or mobile devices or drive failures occur
  • Your organization is also protected from data theft, which can result from stolen or lost laptops, mobile devices, or storage devices
  • Messages in users’ mailbox or archive are searchable by authorized records managers in your organization

When you enable an archive for a user, messages older than two years are automatically moved to the archive by the Default MRM Policy.

Your users can use Outlook 2010 or Outlook Web App to access messages in their archive and to move or copy messages between their archive and primary mailboxes. Outlook users can also move messages between their archive and .pst files. They can also apply a different archive policy, which is a personal retention tag with the move to archive action, to move messages at different times.

Depending on the Office 365 plan you’re subscribed to, your users have a storage limit ranging from 25 GB to unlimited, which allows them to store many years’ worth of email and attachments. This reduces the need for users to copy messages to .pst files.

For more details, see Enable an Archive Mailbox.

When planning to use personal archives, note that users can only access them when they’re connected to Exchange Online. Although Outlook users have access to a local copy of their mailbox when using Cached Mode, their archive is never cached locally. Although it’s possible to move all email to the archive as soon as it arrives, the archive is intended for older messages that are not accessed as frequently but that you still need to retain for a certain period, either because of your organization’s retention requirements or because the messages still have some business value and may need to be accessed.

In hybrid deployments, you can provision users who have an on-premises mailbox with a cloud-based archive using Exchange Online Archiving. In this case, using archiving policies, messages are automatically moved from the user’s on-premises mailbox to their archive in the cloud. Users can also manually move messages between their mailbox and the cloud-based archive, or use Inbox rules to move messages.

Archive messages in an on-premises archiving system or a third-party service

Your organization may be in an industry that has specific long-term retention requirements which require that messages be removed from the user’s mailbox and stored in a separate email archiving system, either deployed by your organization on-premises or operated as a service by a third-party. If your organization is subject to such requirements, you can use journal rules in Exchange Online to feed such archiving systems or services.

Journal rules give you the flexibility to specify the scope (internal messages, external messages or both) and the recipients (individual users, contacts, distribution lists or all messages). Matching messages are attached to a journal report and sent to the archiving system or service via SMTP. Journal reports contain metadata about the message, including the MessageID, sender and recipients, subject, timestamp, etc., which meets the compliance requirements of many customers.

In hybrid deployments, if you do not use external archiving systems or services, you can also store journal reports in an on-premises journaling mailbox. Messages in a journaling mailbox on your on-premises Mailbox server are also searchable by Discovery.

For more details on how to set this up, see Journal Rules.

Preserve messages for discovery using Litigation Hold

Many organizations are required to preserve email to fulfill legal discovery requests or similar requirements. This requires that you prevent email from being destroyed or purged automatically based on retention policies, and also protect messages from being deleted by the user, knowingly or inadvertently. Additionally, you must protect messages from being tampered with or modified. Exchange Online helps you preserve messages using Litigation Hold.

Litigation hold is transparent to the user. When you place a user on litigation hold, retention policies continue to apply to the mailbox and messages continue to be deleted based on those policies. The user can also delete or purge messages as they normally would. However, for as long as the user is on litigation hold, instead of purging messages, Exchange Online simply moves them to the Purges sub-folder, a hidden mailbox folder that’s not accessible to the user. Think of it as a lockbox. Messages can only be deleted from this folder if the hold is removed from the user’s mailbox by an authorized records manager.

Additionally, when a mailbox is on litigation hold, Exchange Online protects messages from tampering by making a copy of the original message before any changes are saved. The copy is stored in the Versions sub-folder in that same lockbox, inaccessible to the user.

Messages in the Purges and Versions subfolders remain searchable by Discovery, helping you meet your legal discovery obligations and similar requirements.

For more details, see Put a Mailbox on Litigation Hold.

Note: Organizations in highly regulated industries may have specific requirements for storing mailbox data in an immutable form. Many organizations choose to store messaging data and other electronic records on WORM drives to maintain immutability. To find out how you can leverage Exchange Online to meet this goal, see Achieving Immutability with Exchange Online and Exchange Server 2010. You must determine the regulations applicable to your organization and whether litigation hold meets your requirements.

Perform discovery using Multi-Mailbox Search

Responding to discovery requests as part of a pre-trial procedure or to meet business requirements is an important part of compliance requirements. In Exchange 2010, we introduced Multi-Mailbox Search to help you fulfill discovery requirements. Our customers love the ability to allow authorized members of their legal, records management or HR teams to perform discovery searches by using an easy, web-based console. This powerful discovery functionality is also available in Exchange Online. You can assign limited permissions to authorized users by adding them to a Discovery Management role group, allowing them to place users on litigation hold and to perform discovery searches. Using RBAC scopes, you can also restrict a discovery manager to performing discovery searches on a sub-set of mailboxes – for example, members of a specified distribution group or users from a particular department or country.

Messages returned in a discovery search are copied to a special type of mailbox known as a discovery mailbox, which can be accessed by discovery managers. You can also allow another user to access a discovery mailbox and review messages in it by assigning permissions.

Learn more about discovery in Multi-Mailbox Search.
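The hold and the scoped discovery permissions described in the two sections above, as Exchange Management Shell commands. This is an added example, not code from the original post; the mailbox addresses, the 'Brokers' distribution group and the scope and role group names are assumptions.

```powershell
# Added example: user, group, scope and role group names are illustrative
# assumptions. Run in a remote PowerShell session connected to Exchange Online.
$custodian = 'user@example.com'
$reviewer  = 'records.manager@example.com'

# 1. Place the custodian's mailbox on litigation hold and confirm who set it and when.
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true
Get-Mailbox -Identity $custodian |
    Format-List Name, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner

# 2. Inspect the Recoverable Items folders. While the hold is in place, purged
#    items accumulate in Purges and pre-modification copies in Versions.
Get-MailboxFolderStatistics -Identity $custodian -FolderScope RecoverableItems |
    Format-Table Name, ItemsInFolder, FolderSize -AutoSize

# 3. Restrict a discovery manager to one group's mailboxes with an RBAC scope.
#    The scope filter needs the distribution group's distinguished name.
$dn = (Get-DistributionGroup -Identity 'Brokers').DistinguishedName
New-ManagementScope -Name 'Brokers discovery scope' `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$dn'"
New-RoleGroup -Name 'Brokers Discovery Managers' `
    -Roles 'Mailbox Search', 'Legal Hold' `
    -CustomRecipientWriteScope 'Brokers discovery scope' `
    -Members $reviewer

# 4. Review who holds discovery permissions, both organization-wide and scoped.
Get-RoleGroupMember -Identity 'Discovery Management'
Get-RoleGroupMember -Identity 'Brokers Discovery Managers'
```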

Apply uniform messaging policies across your organization using transport rules

Another area of concern when leveraging the cloud is the ability to apply your organization’s messaging policies. For example, many customers append a disclaimer to all outgoing messages or messages sent from or to certain recipients or distribution groups. To meet regulatory or business requirements, many customers create an ethical wall to restrict communication between two groups of users within their organization. To implement an ethical wall in Exchange Online, you can create a rule to block messages sent between users in two groups, for example brokers and bankers, and use a custom bounce message (also known as a Delivery Status Notification or DSN) indicating the restriction. Many customers use transport rules to block objectionable content from reaching their users or to block messages containing certain keywords from being sent outside the organization. Transport rules allow you to inspect various parts of a message – sender, recipients, message headers, scope (internal messages or messages sent to or from recipients outside the organization), keywords in message subject, content or searchable attachments – and take appropriate actions on messages that match the conditions. Learn more in Organization-Wide Rules.
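The brokers-and-bankers ethical wall and an outbound disclaimer, as transport rules. This is an added example, not code from the original post; the group names, rule names and message texts are assumptions.

```powershell
# Added example: group names, rule names and texts are illustrative
# assumptions. Run in a remote PowerShell session connected to Exchange Online.

# Ethical wall: reject mail in either direction between members of the two
# distribution groups, with a custom explanation in the bounce message (DSN).
# The rule is created disabled so it can be reviewed before it affects mail flow.
New-TransportRule -Name 'Ethical wall - Brokers and Bankers' `
    -BetweenMemberOf1 'Brokers' `
    -BetweenMemberOf2 'Bankers' `
    -RejectMessageReasonText 'Company policy restricts email between Brokers and Bankers.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Ethical wall required by compliance policy' `
    -Enabled $false

# Disclaimer appended to every message sent to recipients outside the
# organization. If the disclaimer cannot be inserted (for example, the message
# is encrypted), wrap the original message in a new one that carries it.
New-TransportRule -Name 'Outbound disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<p>This message may contain confidential information.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Enabled $false

# Review the rules and their order, then turn on the ones that look right.
Get-TransportRule | Format-Table Name, State, Priority -AutoSize
Enable-TransportRule -Identity 'Ethical wall - Brokers and Bankers'
```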

Note: If you’re in a hybrid deployment, you can apply the same set of transport rules that you apply in your on-premises Exchange 2010/2007 organization and your cloud-based organization.

Prevent data leakage and apply persistent protection to messages using Information Rights Management (IRM)

Preventing leakage of high business impact (HBI) information or personally identifiable information (PII) is at the top of the priority list for most organizations. When planning to use a cloud-based service, this becomes even more important. Client-side email encryption methods such as S/MIME and PGP have existed for a long time, and work for many customers. Microsoft Outlook supports S/MIME for signing and encrypting messages. However, client-side encryption comes with its own set of considerations, including management of encryption keys and the organization’s inability to scan message content and apply messaging policies. Moreover, once recipients receive a message and have access to the decrypted content, neither the sender nor your organization has any control over what they can do with it.

With Exchange Online, your organization can use Information Rights Management (IRM) to IRM-protect messages, which allows you to specify what recipients can do with a message. You can prevent a recipient from printing a message, forwarding it, replying to it, or sending it outside the organization. These settings are configured in RMS templates. You can create different templates to meet different business or regulatory requirements. IRM protection can be applied to messages automatically in Exchange Online using transport protection rules you create. Your users can also IRM-protect messages when composing messages using Outlook or OWA.

An important consideration for implementing IRM – Exchange Online uses your on-premises Active Directory Rights Management Server (AD RMS). Not only does this allow you to control the encryption keys used to IRM-protect email, but it also ensures IRM-protected messages can’t be accessed by anyone, including our datacenter operations and engineering staff. Learn more in Set Up and Manage Information Rights Management in Exchange Online.

Note: AD RMS is a Windows Server feature that can be added easily to your on-premises Windows server. We recommend that you use Windows Server 2008 R2 SP1.

Audit mailbox access and admin actions

The ability to track mailbox access, particularly by users other than the mailbox owner, is an important compliance and security concern that also rises to the fore when data is stored in the cloud. By default, nobody except a mailbox owner can access a mailbox. However, your IT personnel authorized as administrators for your Office 365 subscription can assign mailbox access permissions to other users, or to themselves, and thus gain the ability to access the mailbox. Users can also assign permissions to delegates like personal assistants, colleagues or managers to access their mailbox.

Using mailbox audit logging, you can easily track such non-owner access to a mailbox, and actions such as deletion of messages. It also provides the capability to audit access to your mailboxes by Microsoft datacenter staff.

Mailbox audit logging is not enabled by default. You must enable it for all mailboxes in your Exchange Online organization that you want to audit.

At the other end of the spectrum, your organization may want to audit actions taken by your IT personnel, such as creation, removal or modification of mailboxes, granting or removal of mailbox access permissions, and creation of transport rules. In Exchange Online, you can use administrator audit logging to audit and report on such actions.
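One way to turn on mailbox auditing and then review non-owner access and administrator actions, as Exchange Management Shell commands. This is an added example, not code from the original post; the mailbox address, the 90-day log age, the 30-day review window and the list of cmdlets to report on are assumptions.

```powershell
# Added example: the mailbox identity, log age and time window are illustrative
# assumptions. Run in a remote PowerShell session connected to Exchange Online.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# 1. Find user mailboxes that are not being audited and enable auditing on them.
$unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }
$unaudited | Format-Table Name, PrimarySmtpAddress, AuditEnabled -AutoSize
$unaudited | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90

# 2. Non-owner access to one mailbox: delegates and administrators.
Search-MailboxAuditLog -Identity 'user@example.com' -LogonTypes Delegate, Admin `
    -ShowDetails -StartDate $start -EndDate $end |
    Sort-Object LastAccessed |
    Format-Table LastAccessed, LogonType, LogonUserDisplayName, Operation,
                 FolderPathName -AutoSize

# 3. Access from outside the organization, which covers Microsoft datacenter staff.
Search-MailboxAuditLog -Identity 'user@example.com' -ExternalAccess $true `
    -ShowDetails -StartDate $start -EndDate $end |
    Format-Table LastAccessed, LogonUserDisplayName, Operation -AutoSize

# 4. Administrator audit log: who granted mailbox permissions, changed
#    transport rules or created and removed mailboxes in the same window.
Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets Add-MailboxPermission, Remove-MailboxPermission, New-TransportRule,
             Set-TransportRule, New-Mailbox, Remove-Mailbox |
    Format-Table RunDate, Caller, CmdletName, ObjectModified, Succeeded -AutoSize
```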

Learn more about Exchange Online’s auditing features in Use Auditing Reports in Exchange Online.

Exchange Online offers some very useful features to help you meet your compliance and security requirements, allowing you to protect, control and track access to your data, manage email lifecycle, apply your organization’s messaging policies, and fulfill discovery obligations.

In a future post, we’ll take a look at similar features available in other Office 365 services.