Making Office 365 More Secure and Compliant

An Osterman Research White Paper
Published December 2011
SPONSORED BY

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • [email protected]
www.ostermanresearch.com • twitter.com/mosterman

DESCRIPTION

Although Microsoft has done quite a good job at creating a robust and scalable platform in Office 365 that can satisfy the requirements of many organizations, there are some organizations that will need compliance and security capabilities not available natively in the platform. This white paper discusses what Office 365 will and will not do, and discusses where supplemental offerings from third-party vendors will prove to be beneficial.

©2011 Osterman Research, Inc.

Executive Summary

Microsoft Office 365 represents the company’s latest entry into the cloud-based messaging, collaboration and productivity market. While deciding on which of the many flavors of Office 365 to deploy can be a bit daunting because of the many (and somewhat confusing) options available, it is clear that Microsoft has done quite a good job at creating a robust and scalable platform that can satisfy the requirements of many organizations.

That said, there are some organizations that will need compliance and security capabilities not available with Office 365. These include some organizations operating in highly regulated industries like financial services, healthcare and energy; organizations with strict regulatory requirements to protect, archive or sample various types of communications; organizations that operate in countries with strict data protection laws; and organizations with specialized security requirements that are not satisfied by the features built into Office 365.

KEY TAKEAWAYS

• Office 365 is a solid platform that can meet a variety of corporate requirements for email, real-time communications and document management.

• Migration to Office 365 requires significant expertise, planning and deployment skills if it is to be performed properly and with a minimum of disruption.

• Despite being a cloud-based solution, many of the more advanced features of Office 365 require substantial on-premise infrastructure or the use of third-party capabilities.

• The archiving and compliance capabilities in Office 365, while useful, will not be sufficient to satisfy many common regulatory and legal data retention, e-discovery and related obligations.

• While Office 365 offers robust security capabilities, it does not permit customers to implement all options that they might require. Moreover, the SharePoint Online API requires custom code to work with the Microsoft sandbox model.

ABOUT THIS WHITE PAPER

This white paper was sponsored by AppRiver, LiveOffice, Proofpoint and Smarsh. Information on each of these companies is provided at the end of this document.

TWO IMPORTANT CAVEATS

It is important to note at the outset two important caveats about this white paper:

• The purpose of this paper is not to denigrate Microsoft Office 365 in any way. In fact, we believe that Office 365 is a robust platform that will meet the needs of many organizations that want to simplify their IT deployments and/or reduce their overall IT costs. However, as with any cloud-based platform, there are limitations in Office 365 that organizations need to understand and evaluate as they consider migrating their email, real-time communications, archiving and other communications and collaboration capabilities to the cloud.

• The third party services discussed in this white paper are complementary, add-on solutions to Office 365, not replacements for the capabilities offered in Office 365.

Why Office 365?

CORE FEATURES AND PLATFORM OVERVIEW

Microsoft Office 365 is an integrated suite of cloud-based offerings that Microsoft already offers as on-premises solutions:

• Microsoft Exchange Online
  Email, calendaring and task management, including built-in archiving services. The basic Office 365 package includes 25 GB of storage per user.

• Microsoft Office
  The Office Web Apps are lighter versions of Word, PowerPoint, Excel and OneNote intended to satisfy the requirements of basic users of these applications, and/or to supplement the desktop experience of Office Professional Plus that may be required by more advanced users.

• Microsoft SharePoint Online
  Includes document management and collaboration services, Web site development, project management and the ability to develop intranets and extranets.

• Microsoft Lync Online
  Includes real-time communications such as IP-based voice, video conferencing, Web conferencing, instant messaging and presence capabilities. Lync replaces the existing Office Communications Online and LiveMeeting tools that have been offered by Microsoft for some time.

Office 365 is intended to be a mostly cloud-based environment for organizations regardless of their size, replacing the core functionality of on-premises systems focused on managing email, collaboration, real-time communications and desktop productivity. In short, Office 365 is the next generation of Microsoft’s Business Professional Online Services (BPOS), Office Live Small Business and Live@edu offerings.

Office 365 is available in various versions that are intended for small businesses through very large enterprises – other plans are also available for educational institutions. Microsoft offers multiple versions of Office 365 ranging from $6 to $27 per user per month, as shown below:

• Kiosk plans[i]
  o K1: $4 per user per month
  o K2: $10 per user per month

• Personal and Small Business Plan[ii]
  o P1: $6 per user per month

• Enterprise Plans[iii]
  o E1: $10 per user per month
  o E2: $16 per user per month
  o E3: $24 per user per month
  o E4: $27 per user per month

DIFFERENCES BETWEEN OFFICE 365 AND BPOS

Microsoft BPOS was introduced toward the end of 2008 and has been fairly successful, achieving a customer base of several million seats. At the same time, BPOS has been somewhat controversial with Microsoft’s large ecosystem of hosted Exchange providers because Microsoft’s per-seat pricing for BPOS was significantly lower than many providers’ per-seat pricing for hosted Exchange – prices for BPOS were reduced to $5.00 per seat per month.

There are some significant differences in the features, functionality and design of BPOS and Office 365:

• BPOS was built on the 2007 versions of its three key components, Exchange, SharePoint and Office Communications Server (now Lync Server), while Office 365 is built on the 2010 versions of all three products. The difference is important because the 2010 versions were designed with the cloud as a delivery model while the 2007 versions were not.

• Office Professional Plus is the most significant difference between BPOS and Office 365 – office productivity functionality of any kind was not included in BPOS. This is Microsoft’s entry into the space that has been dominated by Google Apps and, to a lesser extent, a number of other providers like Zoho, HyperOffice, IBM Lotus and many others.

• While BPOS was designed primarily for smaller businesses, Office 365 has been designed for enterprises as well. Office 365 clearly represents Microsoft’s push into the large-enterprise market for cloud-based applications and messaging functionality.

• Office 365 offers a number of enhancements over BPOS, the most notable of which is the Service Connector designed to simplify desktop management, manage updates and patches, and manage the overall login process.

• SharePoint Online, originally considered to be just a shared document repository, has now evolved into a true collaboration platform in which enterprises can run enterprise-wide applications. This is particularly advantageous for organizations that rely heavily on their messaging platform to run business applications, such as Lotus Notes customers.

WHAT OFFICE 365 WILL DO

Office 365 offers a number of very useful features, including:

• Full Web-based email and calendaring functionality
• 25 gigabytes of online storage
• The ability to send attachments up to 25 megabytes
• Document sharing
• Instant messaging
• Voice conferencing
• Video conferencing
• Web-based versions of Word, Excel, PowerPoint and OneNote
• Basic archiving
• Anti-virus and anti-spam filtering

The enterprise versions of Office 365 add a number of other features, including live telephone support, the ability to apply basic legal holds to mailbox items, more advanced voice capabilities, and the on-premise version of Office Professional Plus 2010. Moreover, Office 365 complies with ISO 27001 and EU Safe Harbor standards, while Office 365 data centers – managed by Microsoft Global Foundation Services – support these standards and are also SAS70 Type II- and FISMA-compliant[iv]. In addition, Office 365 helps customers with regulatory compliance by adhering to a number of industry standards, including the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), Title 21 CFR Part 11 of the Code of Federal Regulations, the Federal Information Processing Standard (FIPS) 140-2, Trusted Internet Connections (TIC), the Gramm-Leach-Bliley Act (GLBA), and Good Manufacturing Practice (GMP). In short, Office 365 compares quite nicely to similar offerings and offers a robust set of features and certifications.

It is important to keep in mind that technology is not compliance. Organizations can employ Office 365 and other solutions to help them meet many regulatory requirements, but these solutions are not a “compliance button”.

WHAT OFFICE 365 WON’T DO

Despite the many features and functions offered in Office 365, there are a number of capabilities that the solution does not provide, or does not provide to the depth that many organizations require, including a number of security and compliance capabilities that are discussed in more detail in the next section. Among the limitations of Office 365 are:

• Exchange Online does not offer managed folders or public folders, complicating the migration process for organizations that currently maintain these folders in their on-premise deployments.

• For Mac-enabled organizations, access to Office 365 applications is not as straightforward as it is in Windows-based environments[v].

• On-premise applications that require SMTP functionality for outbound communications require either an on-premise SMTP server or configuration through Forefront Online Protection for Exchange (FOPE).

• Microsoft does not offer a migration path from the P1 plan to any of the E plans.

• Directory synchronization and single sign-on are not available with the P1 plan.

• Office 365 Plan P does not permit journaling, a serious problem for some organizations considering migration. However, Exchange Online Plan 1 does permit journaling. The Exchange Online management console provides journaling functionality and control for all Enterprise Exchange mailboxes.

• Message revocation for encrypted messages (i.e., message recall) is not supported.

• Migration in Office 365 occurs only one mailbox at a time (one source indicates up to 10 mailboxes at a time) and the tools available for archive migration are not simple. Migrating legacy archives or .PST files is not a simple exercise in more sophisticated environments.

The Need for Improved Compliance in Office 365

One of the fundamental issues that Osterman Research has discovered in its research is that many organizations do not consider their specific archiving, security and compliance requirements in general. Moreover, many do not consider their long-term archiving and compliance requirements before migrating to a cloud-based platform like Office 365. However, they do so at the peril of being unable to fully satisfy their archiving, security and compliance requirements. In short, implementing new tools comes with a new set of compliance responsibilities.

BROADER ARCHIVING OPTIONS

One of the most important issues for decision makers to consider is the fact that Office 365 does not offer as broad a set of archiving options as they might need today or in the future. For example, as a result of the revised Federal Rules of Civil Procedure (FRCP) and more recent court decisions, relevant Electronically Stored Information (ESI) must be retained for long periods. ESI typically includes content stored on email servers – a leading source of discoverable content in many legal cases – but it also includes electronic content of various types, including:

• Documents stored in SharePoint databases and other repositories
• Instant messages and other content generated in Lync sessions
• Files generated by Office productivity applications
• Social media content

However, Office 365 has some limitations in the context of its archiving capabilities. For example, Microsoft Plans E1 and E2 offer only a Personal Archive option – Plans E3 and E4 offer both Personal Archive and Advanced Archive. Exchange Online archiving is available only with the E3 and E4 bundles and cannot be added as an a la carte option to E1 or E2. While third party archiving tools can be used with all of the Enterprise bundles, the P1 bundle does not provide for journaling control, so there is no real option to add archiving to that offering. Moreover, Plan E1 requires the archive to share the 25 gigabytes of space between each user’s mailbox and their personal archive, whereas Plan 2 allows an archive of unlimited size, although a default quota of 100 gigabytes is provided in Plan 2 – this quota cannot be modified without intervention by Microsoft.

It is important to note that for purposes of e-discovery or other corporate-wide data management requirements, there is a need to capture messages in the Personal Archives. Also, there is a 50-mailbox search limitation in Office 365. Moreover, enabling Microsoft’s e-discovery capabilities requires deployment of the E3 offering, a 50% price increase compared to E2. Inactive mailboxes, such as those for employees who have left the company, still need to be paid for as if they were active for retention/e-discovery purposes.

Another limitation of Office 365 is that if the service goes down for any reason, the archive is also unavailable. Use of a third party archiving solution gets around this limitation by storing data in two completely separate infrastructures, allowing users access to their archive and, as part of a business continuity solution, to send and receive emails while Office 365 is unavailable. This is not a trivial consideration, since there have been some serious outages in the Office 365 infrastructure, including a three-hour-plus outage on August 17, 2011 caused by a “networking interruption”, and another – also lasting three hours – on September 8, 2011 as a result of a DNS issue.

RETENTION POLICIES

For companies requiring granular control over email retention policies, the mail controls built into Office 365’s Exchange Online Plan 1 with Outlook 2010 may or may not be adequate. In Exchange Online Plan 2 with Outlook 2010, control over email retention policies is granular and flexible.

Exchange Online offers retention policies to help organizations reduce the liabilities associated with email and other communications. With these policies, administrators can apply retention settings to specific folders in users’ inboxes. Administrators can also give users a menu of retention policies and let them apply the policies to specific items, conversations, or folders using Outlook 2010 or Outlook Web App. In Exchange Online, administrators manage retention policies using Remote PowerShell.

Exchange Online offers two types of policies: archive policies and delete policies. Both types can be combined on the same item or folder. For example, a user can tag an email message so that it is automatically moved to the personal archive after a specified number of days and deleted after another span of days.

With Outlook 2010 and Outlook Web App, users have the flexibility to apply retention policies to folders, conversations, or individual messages and can also view the applied retention policies and expected deletion dates on messages. Users of other email clients can have emails deleted or archived based on server-side retention policies provisioned by the administrator, but they do not have the same level of visibility and control. Again, these capabilities will suffice for some customers, but not for others.

OTHER LIMITATIONS IN MICROSOFT’S ARCHIVING APPROACH

In Office 365, administrators can create transport rules to inspect messages for a variety of email attributes, such as specific senders, recipients, distribution lists, keywords, and regular expressions (for common patterns like those associated with credit card numbers or Social Security numbers). Administrators can also include users’ Active Directory attributes (for example, department, country, or manager) and distinguish by message types (such as automatic replies, meeting requests, and voicemail messages).

Microsoft is phasing out its Exchange Hosted Archive offering in favor of the archiving functionality offered in Office 365, as well as Microsoft’s Exchange Online Archiving. While many Office 365 customers will be well served by these new solutions, there are some cases in which archiving requirements are beyond their capabilities. For example:

• Financial services and other highly regulated firms

Financial services firms that are under the regulatory control of the Financial Industry Regulatory Authority (FINRA) must retain all relevant email, instant messaging and social media content. The archiving capability in Office 365 does not support archiving of instant messaging conversations, social media content, Bloomberg, Reuters, etc., and so these firms must employ another archiving solution or face the consequences of non-compliance. Moreover, FINRA-regulated firms must perform granular content sampling on broker-dealers’ communications to remain in compliance.

In terms of other regulatory requirements, Office 365 should not be used for managing data governed by the Payment Card Industry Data Security Standard (PCI DSS). While Microsoft does provide email encryption for outbound email through its Exchange Hosted Encryption service, internal communications are not encrypted, resulting in potential violations of various data breach requirements, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and other statutory requirements to encrypt all sensitive communications and data.

With regard to Microsoft’s own stance regarding its compliance capabilities, the following are Microsoft’s statements about how well it complies with various requirements:

    Under EU Data Protection law and our contractual agreement, Microsoft Online Services acts as custodian of your data, essentially a subcontractor (the law calls us the "data processor"). You, the customer, have the final ownership in the data and the responsibility under the law for making sure that we are following the rules and it is legal for you to be sending personal data to us (the law calls you the "data controller"). You must determine for your business in your particular situation if you may use our services to process and store your personal data.[vi]

    In some (emphasis added) countries, we also adhere to the security requirements for storage of sensitive personal data, as defined by law.[vii]

    Microsoft Online Services do not support the processing, transmitting, or storing of PCI governed data, such as credit card numbers.[viii]

However, Microsoft is making a strong push into the HIPAA-regulated marketplace and will be offering Business Associate Agreements (BAAs)[ix], a new provision in HIPAA that is required as part of Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Microsoft is among the first in the large-scale hosting industry to offer BAAs as an operationalized part of its solution to address requirements associated with hosting Protected Health Information.

• Jurisdictional and geographic requirements

Some organizations require strict compliance with various jurisdictional or geographic requirements, such as a requirement that data not leave a particular geographic area or that it not be transferred to a nation that does not offer adequate protection of sensitive data. However, Microsoft admitted in June 2011 that content in its data centers can be handed over to US or other authorities and that customers might not be notified of this disclosure[x]. With regard to understanding exactly where customer data is stored, some third-party archiving solutions offer greater transparency about where data resides, which will alleviate some decision makers’ concerns.

• Strict client requirements

With Exchange Online Archiving, each mailbox is paired with a secondary mailbox in the same database that serves as its archive. However, the archived content is visible only for users that employ Outlook 2010, Outlook 2007 or Outlook Web Access. Users that have older versions of Outlook can still use the archive, but cannot see the items in the archive.

• E-discovery requirements

While the Enterprise plans for Office 365 provide some basic e-discovery capabilities, some organizations will require more sophisticated and more granular e-discovery functionality, including highly configurable legal holds, the export of load files in EDRM XML format when performing early case assessment, and sophisticated case management when performing online reviews. Some organizations that have sophisticated e-discovery requirements will find that although useful, Office 365’s built-in e-discovery capabilities will not meet their needs. Many third-party archiving solutions offer more granular capabilities than are available with Microsoft’s archiving solutions, such as tamper-proof storage, highly granular legal holds and access rights, the ability to perform very complex searches for e-discovery or regulatory compliance purposes, output to a wide variety of file formats when exporting content to third-party review tools, and better support for EDRM requirements. Other capabilities that organizations might need and that are not supported by Microsoft’s archiving solutions include built-in collaborative review of discovered content, and sophisticated culling capabilities to reduce legal costs.

• Limitations on content sources that can be archived

Organizations that require archiving of content from SharePoint Online and Lync Online cannot use Microsoft’s archiving capabilities because archiving of content from these systems is not supported, nor is file archiving supported. SharePoint backup and restore tools are available, but tend to be more manual and slow than many businesses will need. Moreover, server-side archiving of Lync Online instant messages is not currently available.

• Limited platform support

Many organizations operate multiple on-premise and cloud-based platforms, and so will need an archiving and compliance solution that can support all of these platforms – capabilities that Microsoft’s archiving solutions do not currently support.

• Limitations on storage

Some organizations require storage of very large amounts of information as a result of either long retention periods for email and other content, or preservation of data-intensive files like engineering or architectural drawings. Consequently, for some customers the limitations in Office 365’s archiving for the less expensive plans will not be acceptable.
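The retention tags and policies managed through Remote PowerShell, and the transport rules with regular-expression patterns, described under RETENTION POLICIES and OTHER LIMITATIONS IN MICROSOFT’S ARCHIVING APPROACH above, can be expressed as a short administration script. The following is an added example and is not part of the Osterman white paper or of Microsoft’s documentation; it uses the Exchange Online cmdlets of the 2010-era service (the ps.outlook.com Remote PowerShell endpoint), and the tag names, retention periods, mailbox address and card-number pattern are constructed for illustration.

```powershell
# Added example (not from the Osterman paper): Exchange Online Remote PowerShell
# session, retention tags/policy, and a transport rule that inspects subject
# and body for a card-number-like pattern. Tag names, day counts, the mailbox
# address and the regex are constructed assumptions for illustration.

# 1. Open a Remote PowerShell session to Exchange Online (the mechanism the
#    paper names for managing retention policies). Tenant admin credentials.
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

# 2. Retention tags. Two "Type All" (default) tags apply to every item that
#    carries no more specific tag: one archives, the other deletes. Both act
#    on the same item, which is the archive-then-delete behaviour the paper
#    describes (move to Personal Archive after N days, delete after M days).
New-RetentionPolicyTag -Name 'Archive after 2 years' -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive `
    -Comment 'Default archive policy: move to Personal Archive after 730 days'

New-RetentionPolicyTag -Name 'Delete after 7 years' -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery `
    -Comment 'Default delete policy: remove after 2555 days, still recoverable'

# Folder-scoped tag: the Deleted Items folder is purged after 30 days.
New-RetentionPolicyTag -Name 'Deleted Items 30 days' -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# Personal tag that users can apply themselves from Outlook 2010 or Outlook
# Web App. Retention disabled: items carrying it are never archived or
# deleted by policy (a simple per-item hold).
New-RetentionPolicyTag -Name 'Never Delete' -Type Personal `
    -RetentionEnabled $false

# 3. Bundle the tags into one policy and assign it to all user mailboxes.
$tagLinks = @('Archive after 2 years', 'Delete after 7 years',
              'Deleted Items 30 days', 'Never Delete')
New-RetentionPolicy -Name 'Corporate Retention Policy' `
    -RetentionPolicyTagLinks $tagLinks

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetentionPolicy 'Corporate Retention Policy'

# Process one mailbox immediately instead of waiting for the next scheduled
# run of the Managed Folder Assistant (constructed address).
Start-ManagedFolderAssistant -Identity 'alice@example.com'

# 4. Transport rule: reject outbound mail whose subject or body contains a
#    16-digit card-number-like sequence (digits optionally separated by a
#    space or hyphen). A transport rule cannot run a Luhn check, so the
#    pattern is deliberately broad and false positives are expected;
#    SentToScope limits it to mail leaving the organization.
New-TransportRule -Name 'Block outbound card numbers' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns '\b(?:\d[ -]?){15}\d\b' `
    -RejectMessageReasonText 'Message blocked: possible payment card number' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Supports the PCI DSS caveat: card data must not transit Office 365'

# 5. Review what was created, then close the session.
Get-RetentionPolicy -Identity 'Corporate Retention Policy' |
    Format-List Name, RetentionPolicyTagLinks
Get-TransportRule -Identity 'Block outbound card numbers' |
    Format-List Name, State, SentToScope, SubjectOrBodyMatchesPatterns

Remove-PSSession $session
```

Two points worth keeping in mind when adapting this. First, the rejecting transport rule is a control, not compliance in itself (the paper’s "technology is not compliance" caveat applies): it reduces the chance that card data transits the service, but it does not make the service suitable for PCI DSS-governed data, and the broad pattern will also catch harmless 16-digit strings such as order numbers. Second, the ps.outlook.com endpoint and Basic authentication shown here are what the 2011-era service used; current tenants connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module, after which the New-RetentionPolicyTag, New-RetentionPolicy and New-TransportRule calls are unchanged.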


The Need for Improved Security in Office 365

Microsoft provides a number of security features for Office 365, including built-in anti-virus and anti-spam filtering through FOPE; physical security at its data centers, such as video surveillance; logical security, such as data isolation, identity and access management, and federated identity; various network security technologies and practices; and real-time health monitoring of its infrastructure[xi]. However, there are a number of security issues that decision makers should take into account as they consider a potential move to Office 365, including:

• Security configuration limitations

The Professional and Small Business Office 365 plans (the “P” plans) do not permit Administration Center access for configuring domains or changing IP addresses, nor can FOPE Connectors be used to set up smart hosts, safe lists or shared address spaces, or to force TLS communications. The Enterprise plans do offer more of this functionality, although configuring domains and changing IP addresses is available only with the standalone version of FOPE.

• Office 365 uses a multi-tenant architecture

The Office 365 architecture is multi-tenant, meaning that multiple customers run off of the same servers. While this can be a secure environment, many organizations – particularly those in highly regulated industries or those with very sensitive information – may not be comfortable in a multi-tenant environment. As the amount of information an organization needs to store and manage grows, the appeal of, or requirement for, private cloud solutions and customization tends to move customers away from multi-tenant solutions like Office 365. While Microsoft does offer dedicated services, they are reserved only for large enterprise customers.

• Additional security layers may be needed

Microsoft FOPE uses multiple scanning engines from Kaspersky and Symantec, among others, and FOPE’s SLA claims to detect 100% of all known viruses with updates every 15 minutes. That said, some customers may want to complement FOPE with an additional layer of inbound protection/detection for increased robustness and phish detection capability. For example, Proofpoint Protection can complement FOPE with a second layer of inbound protection for increased spam capture and phish detection capability; AppRiver’s SecureTide hosted spam and malware protection is currently used to filter email that is then delivered to FOPE for secondary filtering before being delivered to the mailbox. There is no support for blacklists in Office 365 P1. Moreover, Lync Online does not scan files or other content for malware, nor does it archive instant messaging conversations, as noted above.

It is also important to distinguish phish from spam, allowing for proper management of phish messages (e.g., not placing phish messages in the same quarantine as spam, in order to prevent end users from opening phish messages and having their machine and network potentially compromised).

Mobile phone operating systems are currently not supported for reading Exchange Online encrypted email messages, whereas some vendors support mobile decryption on multiple smartphone platforms. Exchange Hosted Encryption (EHE) is Microsoft’s hosted encryption service. While EHE is enabled using Forefront Online Protection for Exchange (FOPE), the same hosted spam and malware protection included in Office 365 service plans, it is not actually considered an Office 365 product.

• Limitations on traffic flow

There is a daily limit on the number of recipients that can receive email from Office 365 accounts: 500 emails per 24 hours for small business accounts and 1,500 for enterprise accounts. Moreover, emails are sent at a maximum of 30 per hour. While the reasons for imposing these limitations are sound and will likely not cause problems for some customers, this can seriously limit the utility of Office 365 even for small customers that might process large amounts of email.

• SharePoint Online sandbox model

SharePoint Online uses a sandbox model and so any custom code designed for SharePoint must work within the limitations of that model. Consequently, the SharePoint Online API requires custom code to work with the Microsoft sandbox model. However, Silverlight, Visual Studio 2010 and SharePoint Designer 2010 all offer tools to help developers leverage the Sandboxed Solution feature inherited by SharePoint Online from SharePoint 2010.

• Mobility limitations

Office 365 wipes only ActiveSync devices, which can be a serious limitation in the large number of organizations that operate BlackBerry devices. In November 2011, RIM introduced the public beta of BlackBerry Business Cloud Services (BBCS) for Microsoft Office 365, although BlackBerry-enabled organizations that do not want to deploy beta software will continue to be limited to the much slower BlackBerry Internet Service until the former is generally available. BBCS, which delivers a BES-like feature set at little or no cost, is targeted for general availability in January 2012.

• Backup and recovery are managed by Microsoft

Microsoft manages backup and recovery of content for Office 365 customers unless customers have implemented their own capabilities. While not an inherent weakness per se, customers must rely on Microsoft to manage these aspects of the Office 365 experience. Moreover, data replication does not occur in real time.

• Unified messaging

Office 365 can be used with the unified messaging functionality in Exchange 2007 and 2010, but it requires the use of a Session Border Controller to integrate an existing telephony system with Office 365.

• Single sign-on

Single sign-on capabilities are supported in Office 365, but only when Active Directory Federation Services (ADFS) are employed in networks that are running Windows Server 2008 Active Directory on-premises. This means that in enterprise environments, a significant level of on-premise infrastructure is required in order to effectively manage Office 365 access.


Key Questions to Ask

Decision makers have four basic questions to answer with regard to Office 365:

• Should we migrate our active mailboxes to Office 365?
• Should we port our existing email archive to Office 365?
• If yes to either, should we use Microsoft or a third party to provide Office 365 services?
• Should we use one or more other third parties to provide additional capabilities?

Here are some of the more important questions that decision makers should consider as they evaluate a potential migration to Office 365:

BUSINESS ISSUES

• Because migrating essential services like email and collaboration to the cloud carries with it some level of risk, should we employ multiple providers in order to distribute the risk? For example, if we are concerned about going “all-in” with a cloud strategy, will we be better off using a third-party archiving solution that will maintain copies of data at both the Office 365 provider’s and the archiving provider’s data centers?

• Should third-party cloud vendors be employed to enhance the security of Office 365, including vendors of email encryption, business and compliance email archiving or Web filtering?

• What are the options available for cloud service portability? In other words, how easy or difficult will it be to migrate to Office 365, from Office 365 to another provider, or back to an on-premise service model?

• What is the current level of internal IT support that we could devote to managing the migration to and support for Office 365 and third-party offerings?

• What is the desired level of internal IT support for managing the migration to and support for Office 365 and third-party offerings?

• Should we deploy Office 365 using only basic services with supplemental capabilities offered by third parties, or should we opt for more sophisticated (and more expensive) services initially, keeping in mind the limitations in migrating from less capable to more capable plans?

• How will our organization respond and stay productive in the event of an Office 365 service disruption or outage?

REGULATORY ISSUES

• To what extent do we or will we need to comply with SEC/FINRA, HIPAA, FERPA, SOX, GLBA and other regulatory requirements?

• How well will native Office 365 capabilities comply with our requirements, and what are the holes we will need to fill with third party services?


SERVICE LEVELS AND SLAs

• How reliable is Office 365?

• How reliable are third-party solutions focused on archiving, security, compliance, encryption, etc.?

• What compensation is offered by providers following outages?

• What should our backup strategy for Office 365 data be?

• What metrics do we need to establish with regard to Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)?

CONTENT MANAGEMENT AND ARCHIVING

• Do we need redundant copies of our archived data in multiple locations?

• If yes, why? For data protection? Business continuity? Disaster recovery? What is the relative importance of each?

• Do we need to specify in which country(ies) our content will be stored?

• What will be the impact of the US PATRIOT Act on our ability to protect information?

• Do we need to add our corporate domain(s) and set up journal rules to capture all messages sent or received from Exchange Online directly within the administration console?

SUPPORT AND INTEGRATION

• What types of support services are available with the providers we are considering? Online support only, telephone support, chat support, concierge onboarding, US-based support?

• How much support will be required initially and long term?

• How well can a third-party vendor integrate with Office 365 from a user management and Active Directory sync perspective?

FOCUS ON SMBs OR ENTERPRISES?

• Does the provider of Office 365 or other services like archiving or security focus on the SMB market, on the enterprise market or both? In other words, what is the market focus of the provider and how well will they meet our specific requirements?

MIGRATION SERVICES

• What services are offered for migrating existing, on-premise Exchange mailboxes to Office 365?

• What services are offered for migrating archived data from on-premise archiving solutions to either Exchange Online Archiving or a third-party, cloud-based archiving solution?


• Do these services include mail route control, split domains or blended solutions that can streamline the migration process?

• To what extent are customization services required?

MOBILE USERS

• Which mobile platforms are used today and which ones will be used in the future?

• How well will our mobile users be supported in Office 365 and by third-party providers?

PROFESSIONAL AND RELATED SERVICES

• To what extent will Microsoft-focused professional services be required to assist in the migration and/or integration process?

• To what extent will deep product integration with Microsoft services and software be required?

• How much will providers be required to know about Microsoft’s underlying technology, including key Microsoft-focused competencies and certifications? How much do they know?

• How much experience should the provider have with multiple Microsoft platforms like Office 365, BPOS, on-premise Exchange, Exchange Online, SharePoint, Lync, etc.?

• Does the provider have direct access to internal Microsoft product team resources, training materials and technical content?

USER MANAGEMENT

• How easy will user management be in Office 365 based on the number of users, the amount of archived data, the geographical distribution of users/offices and other factors?

SINGLE SIGN-ON

• Is single sign-on required?

• If so, will the investment in on-premise Microsoft solutions be worth the expense, or will another single sign-on offering be a better fit?

• If a third party is used, will that party leverage Microsoft’s ADFS for identity management and single sign-on as opposed to other, non-Microsoft-sanctioned/approved methods?

TRIALS

• Are trials of Office 365 and/or various third-party capabilities offered that will enable us to evaluate them in our own real-world environment?


Summary

Office 365 is a robust and capable cloud-based offering that can satisfy the email, real-time communications, document sharing, collaboration and document creation needs of small, mid-sized and large organizations. However, despite the many features baked into Office 365, it will not satisfy every requirement, particularly in the context of highly regulated organizations or those with specialized security needs. Consequently, while Osterman Research recommends that organizations consider Office 365 when they evaluate cloud-based solutions, we believe that most mid-sized and large organizations will need to use third-party solutions to fully satisfy their migration, compliance and security requirements.

Sponsors of This White Paper

AppRiver, a leading provider of email messaging and Web security solutions, was among the first syndicated partners to bring the new Microsoft Office 365 suite to market. With more than 45,000 corporate customers and 8 million mailboxes worldwide, AppRiver is one of the largest hosted security service providers in the world. It is that record of success, and the company’s over-the-top commitment to customer care that made AppRiver a natural partner during the launch of Office 365. With Office 365 from AppRiver, there's no upfront investment in software, updates are automatic and included, and service plans may be tried out for free for 30 days. There are no cancellation penalties and clients are free to leave at any time. That said, the company maintains an impressive 93% customer retention rate since inception and backs its services with award-winning Phenomenal Care™. Every AppRiver customer has VIP access to US-based technicians 24 hours a day, every day. What’s more, a team of trained sales engineers is available to assist customers with complimentary migration to the cloud. AppRiver offers a growing suite of cloud-based security solutions that may be managed within a single, easy-to-use customer portal. Services include spam and virus protection, secure Exchange hosting, email encryption, email continuity, archiving and Web protection. The company is led by an Ernst & Young Florida Entrepreneur of the Year award winner, and has been identified as a Top 20 Cloud Security Vendor in 2011 by Everything Channel’s CRN magazine. For more information, please visit www.appriver.com.


AppRiver, LLC 1101 Gulf Breeze Parkway

Suite 200 Gulf Breeze, FL 32561

USA

+1 866 223 4645 www.appriver.com


LiveOffice is the number-one global provider of cloud-based email archiving, email compliance, email discovery and email continuity solutions, with more than 20,000 clients and a 97-percent client retention rate.

UNIQUE PARTNERSHIP WITH MICROSOFT OFFICE 365

LiveOffice offers advanced compliance and e-discovery capabilities for Microsoft Office 365. It is the only archiving provider that securely captures, retains and synchronizes users in one integrated system and provides the only archiving solution that:

• Archives Exchange Online (including Personal Archive), SharePoint Online and Lync Online content

• Automatically synchronizes users, email addresses and distribution lists

• Provides native archive access from Windows Phone 7, along with other mobile devices and tablets

THE ONLY THIRD-PARTY ARCHIVE WITH AUTOMATED DIRECTORY SYNC TO OFFICE 365

With automated directory sync, Exchange administrators only need to manage and provision users and mailboxes in one place. Unlike most archiving solutions that may leverage other single sign-on (non-Microsoft) methodologies, LiveOffice enables single sign-on through the same ADFS mechanism that enables users to sign in to Office 365. This simplifies the archive deployment for Exchange administrators and minimizes the user impact and learning curve.


LiveOffice LLC

2780 Skypark Drive Suite 300

USA

+1 800 374 2032 www.liveoffice.com


• Other benefits include:

o Significant cost savings for organizations looking for advanced compliance and e-discovery (when bundled with E1 or E2 plans)

o Seamless migration of existing data (e.g., tape backups, PSTs/NSFs or on-premise archives)

For more information, call 800.374.2032 or visit www.liveoffice.com. Visit the LiveOffice Blog at http://blog.liveoffice.com or follow us on twitter at www.twitter.com/liveoffice.

Proofpoint, Inc. helps the largest and most successful companies in the world protect and govern their most sensitive data. Proofpoint delivers an integrated suite of on-demand data protection solutions spanning threat management, regulatory compliance, data governance and secure communications—all of which are based on a common security-as-a-service platform.

Proofpoint Enterprise Archive is an on-demand email archiving Software-as-a-Service (SaaS) solution that supports Microsoft Office 365 and both hosted and on-premises versions of Microsoft Exchange Server. Proofpoint Enterprise Archive’s policy engine allows an organization to create, maintain and consistently enforce a clear corporate email retention policy. Proofpoint Enterprise Archive offers users the following advantages:

• Mitigates discovery risk by preserving a copy of every message and improves efficiency in managing the discovery hold process.

• Permits users to systematically review selected email, to help simplify the compliance audit process, and foster compliance with SEC and FINRA regulations for email.

• Securely archives a copy of every internal and external email in Proofpoint’s state-of-the-art data centers and provides customers with easy access to their messages at all times.

Learn more about Proofpoint Enterprise Archive for Office 365 at http://www.proofpoint.com/office-365. Because every enterprise is unique, flexibility defines Proofpoint solutions, deployments and support. We lead the way with cloud-based email solutions, but also specialize in appliance, virtual appliance and unique hybrid deployments. And we back it all up with a commitment to customer service where exceptional is the rule.


Proofpoint, Inc. 892 Ross Drive

Sunnyvale, CA 94089 USA

+1 408 517 4710

www.proofpoint.com


Headquartered in Sunnyvale, California, Proofpoint has offices around the globe including Canada, Japan, the United Kingdom, Asia Pacific, Europe and Mexico.

Smarsh® provides hosted solutions for archiving electronic communications, including email, instant messaging and social media platforms such as Facebook, LinkedIn and Twitter. Founded in 2001, the company helps organizations manage and enforce flexible, secure and cost-effective compliance and records retention strategies. With robust supervision, compliance and e-discovery functionality designed to meet the sophisticated needs of highly regulated industries, the Smarsh email and electronic message archiving platform enables clients to powerfully augment the capabilities of a Microsoft Office 365 deployment. Clients search, review and produce email on demand alongside an expanding number of electronic messaging forms, including enterprise (e.g., Lync Online), public and third-party (Reuters, Bloomberg) communications platforms, SMS/text messages, social media content and websites.

Customizable solutions fit the needs, budgets and technological infrastructure of any business and are matched with unrivaled customer support and service. For more information, visit www.smarsh.com and follow Smarsh at www.twitter.com/SmarshInc.

Smarsh

921 SW Washington Street Suite 540

Portland, OR 97205 USA

+1 866 762 7741

www.smarsh.com


© 2011 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.