Compliance is a way of life for any organization that has a digital footprint. I know it seems like a lot of information, but we IT administrators need to fulfill our roles as custodians of information and help organizations manage information to ensure it is in compliance with the new data breach and privacy laws, such as the CCPA. Where a data breach is assumed to have happened, it is now up to the IT professional to prove that the breach did not happen.
In this chapter, we will review the areas that we have not already covered in this book. Specifically, we will look into data governance, defining what it is and how to use it. We will review the threat management systems, how to use the threat dashboard, and the different activities available with mail flow analysis and Exchange Advanced Threat Protection. We will look into data privacy, and finally we will walk through requests for production with eDiscovery in the Search & Investigation Center. The eDiscovery capability allows you to search and compile information to satisfy requests for production (in response to document requests from court-ordered subpoenas). This is where we will investigate user messages and document content for compliance. Let’s begin our investigation into the capabilities of the Security & Compliance Center.
Overview of Office 365 Security & Compliance Center
Security is built from the ground up. When you look at the Microsoft Cloud (in other words, the core Microsoft infrastructure that hosts Office 365, Azure, and other services), you’ll see it meets all current and future compliance and security regulations. When you build a cloud infrastructure that has a security mind-set, the applications and services that run on it have the same mind-set. Likewise, if you are building a set of services designed to sell information, then any application that is built on those services has inherent security flaws built into it for the simple reason that the core service is to sell information, not to protect it.
There are two parts to compliance in the cloud with Office 365: your business processes in the management of your Office 365 data and Microsoft’s management of Office 365 and Azure services. Earlier, we talked about the service trust with Office 365. Microsoft has published the standards that are used to meet its side of the compliance issue on the Microsoft Trust Center (see Figure 6-7). If you are looking for a Health Insurance Portability and Accountability Act (HIPAA) of 1996 business associate agreement certification or want to request a copy of the service audit logs, you can request them directly from Microsoft. Microsoft is transparent in its process on Office 365 and built the service around protecting your company information. This is in contrast to other cloud services that require an intellectual property rights assignment, which allows them to use your information to sell advertising, among other things. The business process starts with your organization and specifically with the business processes that you use to manage Office 365. The best guide for all businesses to use to meet your portion of the compliance requirement is to deploy the Compliance Manager from the Service Trust Portal (https://servicetrust.microsoft.com/).
Once you have started the process with the Compliance Manager, the next step is to deploy the various alerts on organization changes that you need to follow, to ensure that your organization has the necessary processes in place.
Compliance Settings
- Compliance (HIPAA as an example)
  - Rights management and the protection of personal information
  - Encryption of personal information external to your organization
  - Document classification and encryption
- Information review (regulatory, like the Financial Industry Regulatory Authority [FINRA], or judicial order)
  - Litigation hold and eDiscovery
  - E-mail review to meet FINRA requirements
- Business data retention
  - Business processes on age of data
  - Data management: how to archive, how to delete
In the discussion in this chapter, we will group information into these categories. For example, HIPAA requires you to manage certain types of data in a way that protects the information. To meet HIPAA requirements, you must protect personal information by encrypting the information before it is sent externally to the organization. One of the HIPAA requirements is that the service you are using provides a Business Associates Agreement (BAA) for the services you are using. If you are subject to HIPAA, you need to ensure that you have completed a yearly HIPAA assessment audit to make sure you comply with the regulations. The fines are significant, and the federal government is looking into businesses of all sizes to make sure they comply with the regulation.
Information review typically means that the information is subject to an audit and is immutable—meaning it cannot be changed or deleted by the users or the organization—prior to review. Any type of regulatory review requires that the data be immutable. The most common is litigation. When an organization enters into litigation, all information is frozen at that point in time. We refer to that as a litigation hold. Regulatory reviews such as those by FINRA and the SEC are nothing more than an extension of a litigation hold in conjunction with business process reviews.
Business data retention is nothing more than the business processes used to maintain information, subject to the regulatory requirements. As an example, if the business policy (or user policy) deletes information subject to the retention policy, the information is deleted from the user perspective but may be kept for a very long time subject to the compliance needs of the organization. The user may delete information, but the compliance setting keeps the information in an area where it is immutable and fully searchable and hidden from the user.
The Office 365 administrator has complete control over the configuration of the compliance and retention policies. The administrator can enable these settings, and all actions are auditable. The settings can be changed by using the Security & Compliance Center or by using PowerShell commands. As Microsoft enhances the Office 365 service, these settings will be simplified in an easy-to-use graphical interface. The rest of this chapter discusses these concepts for data governance and provides a step-by-step implementation with examples of data loss protection (compliance), regulatory review (discovery), and business data retention policies.
Best Way to Proceed
The best way to understand the Security & Compliance Center is to look at the Trust Center. After looking at the Trust Center, the next step is to review NIST-CSF, the cybersecurity framework, and to review the NIST-800-35 compliance framework. There is a lot of work to be completed.
Note
There are three sets of logs that you need to collect monthly: the Azure audit logs, the Azure sign-in logs (located in Azure Active Directory), and the audit logs located in the Security & Compliance Center. These logs need to be stored in a SharePoint site for future analysis.
The Security & Compliance Center gives you a focal point for the security process in the organization. However, security starts with your IT team. If your IT team lacks the capability to do the necessary work, you need to address this quickly and either fix the internal problem or contract the security services externally. This book was designed to help you determine what you need to do and how you should do it. If you consciously choose not to secure your Office 365 environment, you are the breach. The ownership is with you and your IT team and not your license provider. Let’s continue our journey through the Security & Compliance Center.
Data Governance
Governance has taken on a new meaning in the cloud. The best way to look at governance in the cloud is in the role of cloud custodian. In today’s model, the policies are put in place to manage the business operation, roles, and controls. Once governance is put in place, the developers and the operations teams can implement the necessary changes and help drive the business to be more innovative. This is cloud governance in Office 365 and Azure. It makes sure the right people have access to the right resources and that behavior is governed by a set of rules and policies that are baked into the platform.
The best way to view Microsoft governance is to think of a road with guardrails. As you drive down the road, you are kept from going off-track because the guardrails are there to keep you aligned on the road. The Security & Compliance Center and the governance activity are guardrails for organization policies. This applies to older resources and new resources. The difference with governance today is that the policies that are deployed are consistent with the policy that is deployed for the organization. The enforcement of governance in Office 365 begins with the Security & Compliance Center and continues through the Compliance Manager and the new Azure Blueprint platform. The goal is to build compliance into the Azure and Office 365 subscriptions that are the base of all activities. The new strategy is to use management groups, which are container groups on top of a subscription (or a resource group). This allows a policy to be deployed to a management group with full access and control. This is the only way an organization can scale and empower the individuals in the organization to innovate. Governance in the Microsoft Cloud was built into the core of the platform, not as an afterthought like with the other major cloud providers.
Data Governance Concepts
Data governance provides a policy-based management service on Office 365 that meets or exceeds regulatory compliance. The policy-based service is applied across subscriptions and aligns with the Azure Policy management process. The data in Office 365 (and the subscription types) is managed and owned by the company. The Office 365 business owners need to look at the business and decide what makes business sense based on the needs of the business. To put this in perspective, when an external entity looks at e-mail storage, it is considered modifiable by the user and is noncompliant with certain regulations. A compliant system requires that the e-mail and document storage systems be incapable of being modified, or immutable. The owner of a mailbox must not be able to go in and delete information or documents. These capabilities are options in the Office 365 enterprise plan and are included at no charge in some of the subscription suites (such as the Enterprise E3/E5 subscriptions).
You are probably familiar with the various CSI and NCIS shows on TV. A key message that these shows highlight lies in the evidentiary collection of information and that there must be a “chain of custody” regarding information collected. Think of data governance in the same context. It is all about chain of custody. Data governance on Office 365 is the same. Information that is under discovery cannot be tampered with. Further, access is recorded and auditable for all those who access the information. This is the data governance model of Office 365.
Traditional approaches, such as journaling, record information external to the organization structure and mostly just contain copies of the e-mail communications. This archaic journaling approach does not address the changing landscape of data governance and data management. Journaling does not link data from storage sites and draft documents in an integrated form. An archive is nothing more than another mailbox that is used to store information.
Immutability, audit policy, archive/retention, and data loss prevention are all part of the Office 365 data governance structure. It is designed around chain of custody and the preservation of information. If information is tampered with, then a full audit trail of access, as well as the original information that was modified, is created.
Before we discuss the practical aspects of the configuration of retention policy and eDiscovery, we need to frame the discussion with a definition of each of the four key areas of data governance to put them in perspective. Much has been written about information immutability, and there are many misconceptions as to what it is and how it is managed in Office 365. The definition is simple: data is preserved in its original form, cannot be changed, and is kept in a form that is discoverable.
Recall the discussion of chain of custody. The information that you are accessing and providing for data governance needs cannot be changed, and you must not have the ability to change it. In addition, any access to the information must be fully traceable. If you access information, the information that you extract will not change the underlying information.
When we refer to compliance, we are referring to our ability to access communications and documents that are immutable. Retention rules are based on business policies in the management of e-mail communications, specifically what e-mail is visible to the user in the mailbox and what is kept in the archive. For example, you may have a business policy that dictates the movement of e-mail from a user mailbox to an archive if the e-mail is too old or if the user deletes an e-mail. One company has a retention policy of 90 days; after 90 days, a user’s incoming e-mail is moved into the compliance archive. These retention rules move the mail from the user mailbox (or delete folder) into the archive. These rules can be systems level (the user has no control), they can be local level (the user has complete control), or they can be any combination thereof.
A litigation hold is an action that is placed on a mailbox to meet compliance requirements for future discovery and searching. What a litigation hold does is ensure that the data in a user mailbox is immutable. As an example, if the user tries to delete an e-mail, the e-mail is deleted (or purged) from the user’s view, but the litigation hold function blocks the e-mail from being deleted in the system, and the e-mail remains fully discoverable by the administrator (or compliance officer).
Note
When data is placed under litigation hold, the data is locked from deletion. Once the litigation hold is lifted, the data will automatically be deleted subject to the retention tags. If your policy is to stop data from deletion, then set up the retention policy to move data to the online archive after deletion.
Referring to Figure 6-11, we see the life of an e-mail in a user’s mailbox. In Figure 6-11, the user only sees the message in steps 1–3. The compliance officer has access to all transactions in steps 1–6. When a discovery action—a search—is executed, all information is displayed in the search request, including the information in the deleted items, purges, and draft folders.
Audit Policy
Mailbox audit logging lets you do the following:
- Verify that mailbox data isn’t being accessed by Microsoft
- Enforce compliance and privacy regulations and track access by nonowners
- Determine who had access to data at a given time in a specific mailbox
- Identify unauthorized access to mailbox data by users inside and outside your organization
Each audit record captures the following:
- Date of access
- IP address of the access
- User who performed the activity
- Activity performed
- Detailed description of the item
- Detailed description of the activity (usually the object’s name, such as a file name)
The first step in setting up a compliant organization is to enable the audit capabilities to ensure that you have a complete record of all accesses to user mailbox data by nonowner users. This information is used to supplement future reports.
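Enabling non-owner mailbox auditing and pulling the fields listed above, as an added PowerShell example (not the book's code); it assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and uses a placeholder mailbox address.

```powershell
# Added example: turn on mailbox auditing for non-owner (admin and delegate)
# access and extract the last 30 days of non-owner activity for one mailbox.
# Assumes Connect-ExchangeOnline has already been run.
$Mailbox = "finance.user@contoso.example"   # placeholder address

# Make sure mailbox auditing is not switched off for the whole organization.
Set-OrganizationConfig -AuditDisabled $false

# Enable auditing on the mailbox and record what administrators and delegates
# do in it. Owner actions are not the concern here; non-owner access is.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create `
    -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create `
    -AuditLogAgeLimit 365

# Pull the non-owner records for the last 30 days. -ShowDetails returns one
# row per access with the fields the chapter lists: date, IP, user, activity
# and item. (In tenants where Search-MailboxAuditLog has been retired, the
# same events are available through Search-UnifiedAuditLog -RecordType ExchangeItem.)
$Since   = (Get-Date).AddDays(-30)
$Records = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -ShowDetails -StartDate $Since -EndDate (Get-Date)

$Report = $Records | Select-Object LastAccessed, ClientIPAddress, LogonUserDisplayName,
    LogonType, Operation, ItemSubject, FolderPathName, ExternalAccess

# Access flagged as external (from outside the tenant) is the first thing to review.
$Report | Where-Object { $_.ExternalAccess } | Format-Table -AutoSize

# Keep the monthly extract as CSV for the SharePoint evidence site.
$Report | Export-Csv -Path ("NonOwnerAccess-{0:yyyy-MM}.csv" -f (Get-Date)) -NoTypeInformation
```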
Note
Earlier we mentioned that the organization needs to have a policy of collecting the primary three logs and archiving them in a SharePoint site for future forensic analysis. This is extremely important. Every month you need to download a copy of the audit logs, the Azure sign-in logs, and the Azure audit logs.
Information Immutability
The configuration of the eDiscovery search is robust and allows you to specify the areas and mailboxes that you need to search. The scope of the discovery is reduced to the specific set of keywords and mailboxes (see Figure 6-14) and can be easily restricted to a few users in question. It is not uncommon for an eDiscovery request on Office 365 to cost 90 percent less than an eDiscovery request using an older journaling system for e-mail communication management.
As you read the rest of this chapter, the discussion on archive and retention policies is built around data immutability to manage an organization’s compliance needs. In Office 365, this is referred to as compliance management. Administrators are able to set up controls based on the business policies of the organization.
Office 365 Archiving and Retention
The term archive is overused. It often implies more than what it really is. An archive is nothing more than a second mailbox designed for long-term storage. The relevancy of an archive is based on the business process rules that are used to manage it. This is where immutability and retention policies come into play. Immutability refers to how information is retained (in a form that can’t be changed) in the mailbox and the archive. Retention policies describe the length of time you need to keep the data that is not subject to any legal action (legal hold to guarantee immutability).
There are two types of archives in Office 365: personal archives and Office 365 Exchange Server mailbox archives. The Office 365 Exchange Server archives can be immutable (meaning they can be configured to ignore any change via a litigation hold or in-place hold). Personal archives are stored locally on the user desktop and are not immutable (users can change the contents). The retention policies refer only to the moving of data from the user mailbox to the archive. To make an archive and retention policy work, you need to enable the archive in the Exchange admin console (edit the mailbox in the Exchange admin console and select Enable for archive; this is discussed in Chapter 8). This feature will be moving to the Security & Compliance Center at a later date. Litigation hold (or in-place hold) locks the Office 365 mailbox from having contents deleted, regardless of whether the content is in the main mailbox or the archive mailbox. Users will see data being deleted, but administrators can access the data in the Security & Compliance Center under Search and Discovery.
Retention Policy
A retention policy is built from retention tags of three types:

Tag type | Description
---|---
Default | The default policy tag applies to all items in a mailbox that do not have another retention tag applied.
Policy | Policy tags are applied to folders (Inbox, Deleted Items, and so on) and override the default policy tag. The only retention action for a policy tag is to delete items.
Personal | Personal tags are used only in Outlook clients to move data to custom folders in the user’s mailbox.

Keep in mind that a retention policy directly affects the amount of information kept in a user mailbox. A retention policy requires that an archive mailbox is enabled. The default configuration of Office 365 is to have the archive mailboxes disabled. Retention tags (which make up the retention policy) are just another tool used for information management. Depending on your business needs, you may have different retention policies to manage information of different groups in your organization. In one organization we managed, the data retention policy was 90 days, unless the mailbox was placed on an in-place hold for litigation or discovery.
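The 90-day archive policy, the three tag types, and the litigation hold described above, as an added PowerShell example that is not from the book; it assumes an Exchange Online PowerShell session and uses placeholder mailbox and policy names.

```powershell
# Added example: build a retention policy with one tag of each type, assign it
# to a mailbox, and put the mailbox on litigation hold so nothing is purged.
# Assumes Connect-ExchangeOnline has already been run; names are placeholders.
$Mailbox = "user@contoso.example"

# 1. Retention needs an archive mailbox, and the Office 365 default is disabled.
Enable-Mailbox -Identity $Mailbox -Archive

# 2. Default tag (Type All): anything without another tag moves to the archive
#    after 90 days, the policy the chapter describes.
New-RetentionPolicyTag -Name "Archive after 90 days" -Type All `
    -AgeLimitForRetention 90 -RetentionAction MoveToArchive

# 3. Folder (policy) tag: a folder tag can only delete, so Deleted Items is
#    emptied after 30 days. While a litigation hold is on, the deleted items
#    are still kept in the system and remain discoverable.
New-RetentionPolicyTag -Name "Purge Deleted Items after 30 days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# 4. Personal tag the user can apply in Outlook to keep an item for 7 years.
New-RetentionPolicyTag -Name "Keep 7 years" -Type Personal `
    -AgeLimitForRetention 2555 -RetentionAction MoveToArchive

# 5. Bundle the tags into a policy and assign the policy to the mailbox.
New-RetentionPolicy -Name "Corp 90-day archive policy" `
    -RetentionPolicyTagLinks "Archive after 90 days", "Purge Deleted Items after 30 days", "Keep 7 years"
Set-Mailbox -Identity $Mailbox -RetentionPolicy "Corp 90-day archive policy"

# 6. Litigation hold: the user still sees items disappear, but nothing is purged
#    from the primary or the archive mailbox while the hold is in place.
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

# 7. Verify the result: archive present, policy assigned, hold on.
Get-Mailbox -Identity $Mailbox |
    Select-Object ArchiveStatus, RetentionPolicy, LitigationHoldEnabled, LitigationHoldDate

# Optional: process the mailbox now instead of waiting for the assistant's cycle.
Start-ManagedFolderAssistant -Identity $Mailbox
```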
Alert Structure
Looking back over any of the NIST compliance reviews, there is one requirement that will need to be deployed, and that is alerts to provide an early warning of potential problems. The type of alerts depends on the business and what processes you need to examine. The place to start is with the alert dashboard. To add a new threat, just add a new threat policy, and the wizard will walk you through the threats and what to add. Looking back to our NIST-CSF discussion, one of the pillars is to detect the security incident. In Figure 6-20, we have a couple of different threat detections, ranging from accessing data to forwarding e-mail.
Alert Types
There are different alert types that you can create or add. Some of the alerts are system-wide and are enabled based on other dashboards. The alert dashboard is a data aggregation dashboard in Office 365 (see Figure 6-20) with integration to other services. “Manage advanced alerts” is a link to Cloud App Security (CAS). Depending on how you configure CAS, you can have a number of alerts that show up in the alert dashboard. Figure 6-19 shows the alert dashboard with two types of alerts, those that are from other services (not highlighted) and those that were created in the alert dashboard (highlighted with an on/off slider). As the compliance officer in Office 365/Azure, you want to enable alerts to help you manage the environment for the necessary processes.
When you create an alert, you define the following:
- Name and description
- Severity
- Class of alert
The processes that you use to create and review the alerts are the same. As you expand your security policies, you will establish different capabilities on access and how you want to enable the tracking in the environment. Alerts give you an early warning. You leverage information that is in the Security & Compliance Center along with the security information located in the Azure Security Center.
Threat management
Once you have defined the alerts, the next step is the configuration of Threat management for the threat dashboard. The threat dashboard is a summary of the different threats that are active in your Office 365 tenant. The threat dashboard is another data aggregation function that allows you to see data differently. Threats are about having multiple eyes on a group of systems.
Threat management provides an overview of the threats that are affecting the Office 365 organization. The trend analysis can let you know which users are being targeted and what approach is being used. If this is a coordinated attack, you will see a number of attempts to attack all users in your Office 365 tenant. In this case, we have a limited attack, probably based on e-mail addresses that we captured in sites that were attacked (see Figure 6-24).
As an example, let’s select the prize campaign. This campaign is about harvesting user credentials. To make the campaign effective, you have the option to modify the text in the campaign. If you wanted, you could build this as an Amazon campaign or even mirror a gift campaign that one of your businesses sends out in your local community. Executing the campaign is easy; just follow the steps outlined next.
Step 1: Select the Campaign
Step 2: Customize the Offer
Step 3: Select the Distribution List for the Campaign
Step 4: Select the Distribution List for the Campaign
Step 5: Customize the E-mail
The best e-mail to use is one that you have received. Figure 6-32 shows one that I received from a vendor on a survey for IT services.
Step 6: Execute the Campaign
Search and Investigate
My philosophy on eDiscovery issues when using the Security & Compliance Center is to upgrade the subscriptions to an E5. This will give you access to all of the advanced eDiscovery tools available in Office 365. There is an additional cost, but it is significantly less than the sanctions, fees, and penalties associated with losing a case because of poor discovery in the document production phase. As an IT professional, your job is to provide all the information requested as soon as possible.
Note
Figure 6-5 shows two different types of eDiscovery search tools: Search Content and eDiscovery. These tools are similar but different. Search Content is a scalable eDiscovery tool that can handle large amounts of data, searching SharePoint, OneDrive for Business, and multiple mailboxes (no limit). The eDiscovery tool does similar functions but is limited in scope. What I do is create a blanket search in eDiscovery to lock the mailboxes under legal hold and perform searches in Content Search.
The Security & Compliance Center’s roots are in the eDiscovery process. Organizations receive discovery requests from presiding authorities, and as part of different requests, they need to produce documents. Sometimes these documents are covered under a protective order, and sometimes they are not.
Setting Up an Office 365 Discovery and a Retention Policy
Office 365 is flexible in how the different policies for the management of information can be set up. The problem is where to start. Earlier, we reviewed the different capabilities that you have in Office 365. There are three different areas that need to be configured before you can begin to use the services. The following section outlines the steps required to set up the Office 365 organization for a compliance, discovery, and retention policy. Follow the steps to set up the different features. Note that you will find additional details about compliance steps in the section “Configuring Compliance.”
Discovery Walk-Through
The discovery process seems daunting at the start. The simplest way to understand the eDiscovery process is to walk through an eDiscovery search; then we can look at the process to set up the search. I have found that if you understand the end game, then it is easier to understand how to create an advanced search. To frame the situation, you are a compliance officer and your IT pro has set up your Office 365 site with the correct permissions and access. The IT pro has sent you an e-mail with a notification that your site is set up. Your response (like many of us) is simply, “Great, what do I do now?” Let’s walk through what you do next, to put your mind at ease. Discovery is not that difficult; it just takes time.
Step 1: Log In to Office 365 and Click the Security Icon
To access the Security & Compliance Center, log in to Office 365, and click the Security & Compliance Center icon. Users need to be an Office 365 global administrator or a member of one or more Security & Compliance Center role groups. The Security & Compliance role groups are different from the Exchange Online Organization Management role group. These permissions are not shared.
Step 2: Select Search & Investigation, and Review Logs
Earlier, the IT support staff added us into the group where we have the correct permission to access the features in the Security & Compliance Center. Our job is simple; it is to perform a search on the data that we were requested to provide. In Figure 6-40, we expand Search & Investigation to begin our query on the eDiscovery process. There are three areas that we focus on: Content search, Audit log search, and eDiscovery.
Once you are satisfied, the next step is to review that a hold has been placed on the data for the content search.
Step 3: Verify That a Case Has Been Created to Place Data on Hold
If the data has not been placed on hold, a case needs to be created to lock the appropriate mailboxes and SharePoint sites and put the user’s OneDrive for Business sites on hold. Once this case is in place, our focus will be on using the Content Search tool.
Note
If you do not see a case, create a case and place the accounts you want to search on hold to protect data from accidentally being deleted. If you make a mistake and delete the hold, the data will be deleted according to the retention policy. The case in this example has two mailboxes selected, and all data has been placed on hold. The hold is visible only to users who have permission to view the case (more about this later).
Step 4: Start the Content Search
The next step is to start the search for data and export the data for review. So far we have the data on hold (step 3), and we are searching for specific information. We select the content search and look for an existing case. If we do not see one, we create a new case and begin our search for information.
Step 5: Preview the Data
As the content search engine crawls the mailboxes, the number and size of the items found are displayed. The compliance officer can add additional searches as needed.
Note
The compliance officer can add and delete searches as needed. Therefore, it is important to have a case created with all of the content under hold for eDiscovery. In the case of a content search, when the content search is deleted, the hold is also removed, unless you have another hold in a content search or under a case in the eDiscovery Center.
If your access is blocked at the preview stage, you need to request permission from the admin on the Security & Compliance Center to give you access to the search results. Otherwise, your results on the search preview will be displayed as shown in Figure 6-44. Keep in mind that search preview is limited. Complete review will require you to export the documents.
Step 6: Export the Documents
Click Export, which will start the document export wizard. The first step is to confirm the export and destination. Because of privacy concerns, exported documents are encrypted, and you will need to keep a copy of the key to decrypt the documents.
Select the Export tab and then select the job that was created (see Figure 6-47). This will start the data export process. The data will be downloaded to your PC in the format you specified earlier.
Note
If you are responding to a request for production (RFP) on a court-ordered discovery order, you want to export all documents from the eDiscovery Center after you place the documents on hold. I have found it better to give all documents requested and not duplicate information. Most likely you will be using a third-party tool to process the documents and stamp them. We will look at document production later in this chapter.
The export wizard handles large downloads. I completed a recent eDiscovery project where the export PSTs were over 30GB in size (about 407,000 e-mails and attachments). To export the documents, select “download export results” to download the documents to your local system. When you download the documents, the documents are encrypted in transit (see Figure 6-48). Make sure you keep a copy of the key. You will need this key on the client to remove the encryption to access the PST files.
Note
If you are searching for information, the best way to search for information is to use the Content Search Center. In a discovery request, what I have found works is to define a new user account for the response to an RFP and upload the data into its OneDrive for Business. This way you can use the Content Search tool to look for data. Also, if you are building Bates-stamped documents, upload them to your OneDrive for Business account. This way you can search for the original document and find the Bates-stamped document that matches your search. This saves a lot of time in preparing for litigation.
Step 7: Bates-Stamp the Discovery Production
The documents are produced with the necessary headers and footers for your discovery project. Bates Express produced documents similar to those in Figure 6-53. The Bates stamp I use in this production request is the string “Confidential - <case number> - <document ID>.”
Note
Every document that will be produced will need to be Bates-stamped, and the document header “Confidential” may be optional but is subject to the production order. In some cases, there will be material designated as “Attorney Eyes Only.” In this case, “Confidential” is replaced with “Attorney Eyes Only.”
Building Discovery Searches
In some cases you may want to delete e-mails; in others you may want to preserve them in the long term. When you are experimenting with retention policies, use a mailbox with a trial set of sample data. If you are afraid of deleting information, then enable a litigation hold (or in-place hold) on the account that you are setting up the retention tags for. If the retention tags are not set up correctly, information will be deleted.
Before we address any of the examples, we need to step back for a brief review of advanced query strings (AQS). The syntax can become complex. AQS is provided by the Windows operating system through Windows Desktop Search (WDS). All AQS searches must be fully qualified. A fully qualified search requires that you add parentheses every time you add a Boolean operator (AND, OR, NOT) to a search query; the queries are processed based on the location of the parentheses. There is a good description of AQS queries at https://docs.microsoft.com/en-us/windows/desktop/lwef/-search-2x-wds-aqsreference.
Sample AQS Query for Financial Review
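The discovery walkthrough (steps 3 to 6 above) and a fully qualified query for a financial review, as an added PowerShell example that is not from the book; it assumes a Security & Compliance Center PowerShell session (Connect-IPPSSession), and the case name, custodians, dates, and keywords are placeholders.

```powershell
# Added example: create an eDiscovery case, put the custodians on hold, run a
# content search with a fully qualified AQS query, and create the export job.
# Assumes Connect-IPPSSession has been run; all names and values are placeholders.
$Case       = "Case 2019-001 Financial Review"
$Custodians = "cfo@contoso.example", "controller@contoso.example"

# Step 3: create the case and hold the custodians' mailboxes BEFORE searching,
# so retention cannot purge anything while the review runs.
New-ComplianceCase -Name $Case
New-CaseHoldPolicy -Name "$Case hold" -Case $Case -ExchangeLocation $Custodians -Enabled $true
New-CaseHoldRule   -Name "$Case hold rule" -Policy "$Case hold"

# Fully qualified query: every Boolean operator is wrapped in its own
# parentheses, so the processing order is explicit rather than left to the engine.
$Query = '((subject:"wire transfer") OR (subject:"invoice") OR (attachment:xlsx)) ' +
         'AND ((sent>=2018-01-01) AND (sent<=2018-12-31)) ' +
         'AND (NOT (from:"noreply@contoso.example"))'

# Step 4: start the content search, scoped to the custodians on hold.
New-ComplianceSearch -Name "$Case search" -Case $Case `
    -ExchangeLocation $Custodians -ContentMatchQuery $Query
Start-ComplianceSearch -Identity "$Case search"

# Step 5: wait for the crawl, then read the item count and size that the
# preview page shows.
do {
    Start-Sleep -Seconds 30
    $Search = Get-ComplianceSearch -Identity "$Case search"
} while ($Search.Status -ne "Completed")
"{0} items, {1} bytes" -f $Search.Items, $Search.Size

# Step 6: create the export job (one PST per custodian). The export key needed
# by the eDiscovery Export Tool is in the Results field of the action.
New-ComplianceSearchAction -SearchName "$Case search" -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst
Get-ComplianceSearchAction -Identity "$Case search_Export" | Format-List Name, Status, Results
```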
Summary
The focus of this chapter was on the Security & Compliance Center as well as on data collection and analysis of the data via the different discovery tools. The Security & Compliance Center is a hub, or data aggregation service, that contains a repository of the different types of information used by security analysis tools. As an example, the eDiscovery Center has become a key compliance tool used to show that a company has complied with federal and state regulations. This relies on the audit logs that we enabled in Chapter 2 in our initial configuration of the Security & Compliance Center. The stored logs can be exported and analyzed via tools like Power BI.
1. Download and archive the Office 365 Security & Compliance Center audit log on a monthly basis.
2. Download and archive the Azure Active Directory log on a monthly basis.
3. Download and archive the Azure audit log on a monthly basis.
Where do you store the logs? Create a SharePoint collaboration site and upload the logs to that site. At KAMIND IT, this is what we do for all of our customers who are on one of our security plans. The logs are available for forensic analysis. If you are looking for an automatic way to store logs, you can configure this feature in the Azure Log Analytics site. In this case the logs are uploaded to an Azure data storage area. This is no longer just nice to have; it is a requirement to be compliant: you need a long-term archive of the logs.
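The monthly collection of the three logs (this summary and the two notes earlier in the chapter), as an added PowerShell example that is not from the book; it assumes Connect-ExchangeOnline, Connect-MgGraph (with AuditLog.Read.All and Directory.Read.All), and Connect-AzAccount have already been run, and the upload step assumes the PnP.PowerShell module and a placeholder SharePoint site.

```powershell
# Added example: pull last month's Security & Compliance Center audit log,
# Azure AD sign-in log and Azure activity (audit) log into one dated folder,
# then upload the CSVs to the SharePoint evidence site.
# Assumes the Exchange Online, Microsoft Graph and Az sessions are connected.
$End    = Get-Date -Day 1 -Hour 0 -Minute 0 -Second 0   # first day of this month
$Start  = $End.AddMonths(-1)                            # first day of last month
$Folder = Join-Path $env:TEMP ("O365Logs-{0:yyyy-MM}" -f $Start)
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Security & Compliance Center (unified) audit log. Each call returns at most
#    5,000 rows, so page through a session until nothing more comes back.
$SessionId = "monthly-audit-{0:yyyyMM}" -f $Start
$Audit = @()
do {
    $Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $Audit += $Page
} while ($Page)
$Audit | Select-Object CreationDate, UserIds, RecordType, Operations, AuditData |
    Export-Csv -Path (Join-Path $Folder "O365-UnifiedAuditLog.csv") -NoTypeInformation

# 2. Azure AD sign-in log via Microsoft Graph. Graph keeps sign-ins for a
#    limited window, so this has to run early each month, not "when convenient".
$Filter = "createdDateTime ge {0}Z and createdDateTime lt {1}Z" -f `
    $Start.ToUniversalTime().ToString("s"), $End.ToUniversalTime().ToString("s")
Get-MgAuditLogSignIn -Filter $Filter -All |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Export-Csv -Path (Join-Path $Folder "AAD-SignIns.csv") -NoTypeInformation

# 3. Azure activity (audit) log for the current subscription.
Get-AzLog -StartTime $Start -EndTime $End -MaxRecord 100000 |
    Select-Object EventTimestamp, Caller, ResourceGroupName,
        @{ n = 'Operation'; e = { $_.OperationName.Value } },
        @{ n = 'Status';    e = { $_.Status.Value } } |
    Export-Csv -Path (Join-Path $Folder "Azure-ActivityLog.csv") -NoTypeInformation

# 4. Upload to the SharePoint evidence site (PnP.PowerShell; site URL is a placeholder).
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/SecurityLogs" -Interactive
Get-ChildItem -Path $Folder -Filter *.csv | ForEach-Object {
    Add-PnPFile -Path $_.FullName -Folder ("Shared Documents/{0:yyyy-MM}" -f $Start)
}
```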
References
There is a lot of information about Office 365 on the Web—the issue is finding the right site. The information contained in this chapter is a combination of my experience doing deployments and of support information that has been published by third parties.