Helping Teams be Compliant
The annual LegalTech conference took place in New York City this week. It’s the highlight of the year if you are interested in compliance technology, and it’s the reason why Microsoft made a number of announcements relating to compliance features in Office 365. Among these was a post about updates for records management.
The text referenced a report commissioned by Microsoft from Cohasset Associates (a company specializing in records management) to examine how Exchange Online and the Office 365 Security and Compliance Center meet the requirements of rules such as SEC 17a-4 and FINRA Rule 4511 about the storage and management of electronic records. This is a big deal for Office 365 because if the service can’t meet regulatory requirements, companies subject to those requirements can’t use Office 365.
The report is worth reading (download it here). Because a third-party wrote it, Microsoft had to answer their questions about how Exchange Online and Office 365 work and what changes are coming in the future. Among the topics covered is how the Office 365 substrate captures compliance records for Teams channel and personal conversations, and it’s here that some interesting facts are highlighted.
Teams Compliance Records and Regulation
The report plainly lays substantial weight on the value of Teams compliance records in terms of Microsoft’s ability to satisfy different regulations. However, it also notes several times that Teams compliance record do not include user responses (for example, when someone “likes” a message) – a fact first revealed in Chapter 13 of Office 365 for IT Pros. One thing we didn’t note is that the GIFs and other graphics are represented in compliance records by links which might change over time. The report notes that Microsoft plans to capture responses in compliance records later this year (July 2019).
[November 12: Microsoft still hasn’t addressed the problem of capturing reactions in Teams compliance records. The problem is proving somewhat more difficult than they anticipated.]
Another topic discussed in the report is the way that Teams compliance records capture individual messages instead of the transcript format used to record conversations by Skype for Business. Although the complete conversation is captured, it is in the form of individual items that must be fitted together to reconstruct the flow of the conversation. Apparently, Microsoft is going to deliver a way to reform conversations from compliance records around the same time as they capture responses. This should also appear around July 2019.
[November 12: Office 365 Advanced eDiscovery is getting the ability to present Teams compliance records “in context,” which is similar to seeing a transcript. Printing off a transcript for an investigator is still not possible.]
Teams Compliance Records are for Compliance – Not Backup
Many people make the mistake that Teams compliance records are exact copies of the messages and graphics stored in the Teams Azure services. Of course, as obvious from the shortcomings noted in the Cohasset report, this is inaccurate. Which then makes it strange when backup companies claim that they support Teams because they can copy the compliance records from Exchange Online. They can certainly copy the compliance data, but can they restore conversations in a channel or personal chat? That’s the key question, and it’s not one that can be answered until Microsoft delivers a suitable API to stream data out of the Teams chats and graphics data stores in a form that can be backed up and restored.
Druva Cites Office 365 for IT Pros
Speaking of backups, the Office 365 for IT Pros team was delighted when W. Curtis Preston, Chief Technologist of backup vendor Druva, used text from Chapter 4 to support his contention that Office 365 tenants need backups. The purpose of the book is to lay out information about how Office 365 works so that tenant administrators can make better decisions. In the case of backups, we can only comment about the current state of backup technology and the capabilities available to process data from Office 365.
Old-Style Backups No Longer Viable
Four years ago, it was good enough to cover Exchange Online and SharePoint Online. Today it is not. The way that applications are more integrated than ever before and the inter-dependencies which exist between workloads mean that the old-style workload-specific thinking about backups is no longer viable. It’s also true that anything written about Office 365 before 2018 can be discarded when it comes to backups because of the new features introduced by Microsoft such as Files Restore for OneDrive for Business (and soon for SharePoint Online) and the change in work practice like the movement of communications from email to Teams. You absolutely need to understand what you can do to protect against threat using out of the box features before concluding that added protection is necessary.
The question of whether an Office 365 tenant should invest in third-party backup is a business decision that is highly influenced by industry focus, data sovereignty, applicable regulations, willingness to accept risk, and funding. In short, it’s down to the tenant to make the decision. All we can do in a book like Office 365 for IT Pros is set out questions that you should debate with backup vendors before making a decision to use backups. The decision usually comes down to risk versus cost. If you understand the risk of running without backups and know how to use the features built into Office 365 to mitigate your exposure, then you might be able to forego the extra cost and complexity of paying for a cloud backup service. It’s your call.
And to be fair to some backup vendors who don’t peddle FUD to convince customers that they need their products to resist horrible failures, I do see a willingness to discuss the issues and understand the current shortcomings. It’s good to talk.
For more about Teams compliance records, see Chapter 13 of the Office 365 for IT Pros eBook. And if you want to know about our views on backups for Office 365, that’s all explained in Chapter 4.