Taming Office 365 governance and reporting in enterprise SaaS solutions
SaaS applications have played central roles in organizational productivity for years now. Microsoft’s Office 365 suite, in particular, has become a prominent solution amongst businesses of all sizes—vying for market dominance against the likes of G Suite. Office 365 holds 38% of the business-suite market share.
As of last year, 61% of small businesses leveraged 365, as did over 70% of Fortune 500 companies. With over 258,000,000 users on board and Microsoft Teams attaining meteoric popularity, organizations must sift through mountainous quantities of data. There are numerous pain points to address as a result.
Let’s take a dive into governance, reporting, and trends across the business realm.
The importance of data governance
Different departments across businesses claim ownership over various resources. Under these team umbrellas, we have individual employees, who themselves enjoy varied privileges and permissions. Accordingly, it’s essential that data access is delegated properly. Much of the information passed around daily has immense business value or is proprietary.
That’s where data governance comes in. Over the years, the ins and outs of data governance have evolved, yet some core goals remain. Organizations should ensure that their data is:
- Secure – or protected against attack, theft, or unauthorized access
- Trustworthy – or wholly accurate, credible, and confirmable
- Logged – or recorded, documented, and organized in a meaningful way
- Managed – or overseen by a trusted, knowledgeable party
- Audited – or periodically inspected to create profiles, usability reports, and quality
Naturally, applications or processes for governing data change as we move between organizations. It’s hard—if not futile—to choose a one-size-fits-all approach. Accordingly, it’s helpful to become intimately familiar with your data sources, access strategies, and organizational goals. In other words, how will proper data governance improve business outcomes?
Better decision making
Data-based decision-making should appeal to any business. Harnessing concrete information—as opposed to hunches or assumptions—leads to improved outcomes, calculated choices, and leaner operation. Poor processes could otherwise consume a lot of resources. Sounder business practices also lead to cost savings.
Improved Data Quality and Transparency
Data doesn’t exist in a perfect bubble. There’s plenty of extraneous information to filter out, which we often call “noise.” Sorting the good data from the bad gives us more reliable insights—including how employees are using apps, how they’re sharing resources, and if there are more efficiencies to be found.
Teams must also decide between what’s confidential and what’s public knowledge. It’s best to keep sensitive data under lock and key internally. Crafting better dissemination strategies will help keep necessary stakeholders in the loop without unduly revealing company secrets.
Additionally, consider the infrastructure monitoring example. For years, data reporting was fragmented within organizations. IT teams had access to one dashboard, while marketing and others leveraged their own visualizations. Quite often, these teams worked towards the same goals and found value in woefully-siloed data. The information didn’t readily change hands. The centralized metrics dashboard gave everyone with vested interest a standardized look at the same information. Companies should strive for the same, where applicable, with their reporting. There’s a clear need for a more seamless exchange of information between teams.
Improved regulatory compliance
Different industries have different rules governing data protection. These are stringent in areas where Personally Identifiable Information (PII) changes hands or is stored for extended periods of time. We see this most notably in the financial and healthcare sectors. Data governance is critical for maintaining lawfulness—especially where processes are concerned.
Data governance teaches us how to be smarter and more discerning with how we use our data. It allows teams to minimize risks while safeguarding customers and employees.
Introduction to Office 365 Data
Microsoft’s Office 365 suite delivers plenty of functionality to enterprise users and smaller businesses alike. The package includes the following programs:
- Word
- Excel
- PowerPoint
- Outlook
- OneNote
- Publisher
It’s also important to note the services bundled in with 365:
- Planner
- OneDrive
- Exchange
- SharePoint
- Access
- Skype and Yammer
- Microsoft Teams
That’s an expansive list. There are countless functions that any employee may perform within these applications or services. Organizations must manage accounts, access, documents, conversations, calendars, team sites, and more. It’s no wonder that dedicated tools for Microsoft Office are becoming popular. IT departments must manage data tied to at least 14 apps.
Telecommuting considerations
Additionally, business isn’t confined to the office any longer (especially given extenuating circumstances). Our devices are portable, and our workspaces are dynamic. Employees are no longer tied to on-premises networks or assigned desktops, thanks to the growth of remote work. The cloud revolution makes anywhere access absolutely integral for productivity. It can also introduce more variables into the mix.
Are VPNs working properly? Are access points private and secure? What happens when an employee misplaces a device—especially in a public setting? Employees must worry about remote and physical access via unauthorized parties.
From fundamental to complex, the process of logging in and collaborating is central. Role-based access control (RBAC) and attribute-based access control (ABAC) have grown in importance. We want to internally delegate access on top of mitigating any external threats to account security. Thankfully, Microsoft allows us to couple Office 365 with Azure Active Directory. This allows admins to enforce password policies, group policies, and other security protocols to keep data locked down. Ongoing identity management plays a key part here.
What else can admins do to ensure sound data governance with Office 365?
Status monitoring and usage reports
An important part of understanding the Office 365 suite revolves around application usage. Admins need to know which employees are using what, how often, and whether that activity matches an employee’s assigned roles within the organization. Luckily, the admin center contains a reporting feature, which periodically generates these detailed summaries.
We’ve touched on the monetary benefits of this data. Say we have employees that aren’t meeting a usage quota or who aren’t using the Office suite entirely. It’s often not necessary to supply these employees with licenses. Switching departments, tools, and even companies is common. Employees can terminate these licenses to save money.
Naturally, these reports can contain sensitive information. Microsoft itself offers access recommendations while reserving access for the following persons:
- Global, Exchange, SharePoint, and Skype for Business admins
- Global and reports readers
- Teams Service and Teams Communications Administrators
How are roles assigned? Through Azure Active Directory, admins can assign unique roles to individuals or groups. The admin center is the conduit through which this happens. Privileged users can check activity, manage roles, and assign user permissions. This is crucial for getting reports into the proper hands.
Note that Office 365 offers US Government plans. Data attached to these institutions is already more sensitive than it might be for the average user. Well-defined data access is critical, as reports gather metrics on email activity, Office activations, active users, apps usage, OneDrive activity, SharePoint activity and usage, Teams activity, device usage, and more.
It’s important to keep this data internalized and anonymized wherever possible. How can admins accomplish this? Microsoft allows teams to hide user-level details within Admin Center’s settings. From the Services & add-ins page, simply access the Reports pane and select Display anonymous identifiers.
This data is pivotal in determining usage trends over given periods of time. The Microsoft Productivity Score is another powerful data point that teams can use to tighten up their operations. Microsoft draws from research reports and endpoint analytics to suggest best practices.
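The license review and the anonymous-identifier setting described above can be combined in a small audit script. This is an added example, not code from Microsoft or from this article's authors: the CSV column names, the sample rows, the 90-day threshold, and the rule that an identifier without "@" is an anonymized one are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample shaped like an exported active-user usage report.
# Column names and rows are assumptions for illustration, not tenant data.
SAMPLE_REPORT = """\
Report Refresh Date,User Principal Name,Is Deleted,Assigned Products,Exchange Last Activity Date,Teams Last Activity Date,OneDrive Last Activity Date
2021-03-01,alice@contoso.example,False,OFFICE 365 E3,2021-02-27,2021-02-28,2021-02-20
2021-03-01,bob@contoso.example,False,OFFICE 365 E3,2020-10-02,,
2021-03-01,carol@contoso.example,False,,2021-02-25,,
2021-03-01,dave@contoso.example,True,OFFICE 365 E3,2020-09-01,,
2021-03-01,erin@contoso.example,False,OFFICE 365 E1,,,
"""

ACTIVITY_COLUMNS = [
    "Exchange Last Activity Date",
    "Teams Last Activity Date",
    "OneDrive Last Activity Date",
]


def parse_day(value):
    """Parse an ISO date cell; empty cells mean 'no activity recorded'."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def find_idle_licenses(report_csv, max_idle_days=90):
    """Return (idle, anonymized).

    idle: licensed, non-deleted accounts whose most recent activity in any
    workload is older than max_idle_days, or that have no activity at all.
    anonymized: True if any identifier looks hashed (no '@'), meaning the
    findings cannot be mapped to real accounts and only counts are usable.
    """
    idle, anonymized = [], False
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["User Principal Name"].strip()
        if "@" not in user:
            anonymized = True
        if row["Is Deleted"].strip().lower() == "true":
            continue  # deleted accounts are handled by retention, not licensing
        if not row["Assigned Products"].strip():
            continue  # no license assigned, nothing to reclaim
        refreshed = parse_day(row["Report Refresh Date"])
        seen = [d for d in (parse_day(row.get(c)) for c in ACTIVITY_COLUMNS) if d]
        last = max(seen) if seen else None
        idle_days = (refreshed - last).days if last else None
        if last is None or idle_days > max_idle_days:
            idle.append({"user": user, "products": row["Assigned Products"],
                         "last_activity": last, "idle_days": idle_days})
    return idle, anonymized


if __name__ == "__main__":
    findings, masked = find_idle_licenses(SAMPLE_REPORT)
    for f in findings:
        print(f["user"], f["products"], f["idle_days"])
    if masked:
        print("Identifiers are anonymized: report counts only, not names.")
```

When the anonymized flag comes back true, the result is still useful for sizing license spend, but any follow-up with individual users has to go through someone authorized to see user-level details.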
Better data security for Microsoft Teams
Teams plays host to many tasks that create data. Groups can communicate via meetings and messages within. They may also share files. These activities form communications histories over time and generate voice data in the case of calling. Recorded conversations and data are automatically uploaded to the cloud—mainly for convenience. This must be done safely, and Microsoft shoulders much of that burden. Again, however, the right individuals must have access to that pool of information.
Thankfully, Teams builds a number of protections into the application. Data at rest is encrypted, as is data in transit. Files are automatically stored in SharePoint, thus benefitting from its built-in safeguards. The same goes for Notes and OneNote. Team-wide and organizational two-factor authentication are always enforced—as is Active Directory single sign-on. Admins can devote time to other tasks.
The following are also integral to Teams’ data integrity:
- Advanced Threat Protection – for detecting and blocking malicious content, which can expose precious data to outside actors
- Safe Links – for URL scanning, spam prevention, malware protection, and anti-phishing (in public preview, not general release)
- Safe Attachments – for threat detection within files, documents, images, and more, similarly to Safe Links
Of course, the sophistication of admin-based security measures can widely vary. That’s why Teams supports Microsoft’s Secure Score. A centralized dashboard arms admins and assigned members within security center with app data. This covers usage, devices, and Office 365 identities. There’s greater transparency in this approach. Open-and-clear visualizations allow admins to compare their metrics with pre-defined performance indicators.
Compliance controls
Teams’ compliance measures follow many of the practices we’ve highlighted early on in this article. Easy data access from the dashboard lets us view compliance successes for channels, conversations, files, and retention policies. Teams administrators can act to patch any existing security holes. They may also remotely manage the application via Intune. This mobile control offers easier, swifter manipulation of data and permissions.
Data Loss Prevention in Teams (and 365 as a whole) outlines security best practices for data sharing. Teams administrators can dictate how group members transfer files, messages, and other information. Essentially, the feature prevents participants from giving resources to unauthorized individuals—internally and externally.
Microsoft Teams also offers eDiscovery for efficient data collection. Legal requirements and proceedings might require admins to compile and organize electronic information. eDiscovery and Advanced eDiscovery facilitate the following:
- Case data management
- Data preservation
- Data searches
- Analysis and exportation
Generated reports may pull from most every type of logged data within Teams. Advanced eDiscovery may also unlock quicker insights from a general Teams data pool. This upgraded version includes machine learning (ML) and unstructured data analysis. Unstructured information is particularly tricky; it’s neither pre-organized nor pre-labeled prior to inspection. Humans would take a long time to derive meaning from such data points—ML algorithms can sort through this amalgam much faster to uncover patterns.
If we don’t want data to change over time, a Legal Hold will prevent sensitive information from becoming corrupted or lost. Accordingly, Teams supports event-based reporting and auditing. Should something go awry with users or applications, Teams will alert admins to begin an investigation. Approved admins can filter and export relevant data for retrospective analysis.
Data is rich within the Teams application. All important metadata and data are journaled. Microsoft Graph displays usage and productivity trends. Finally, Microsoft Teams data is SOC 1 and SOC 2 compliant while meeting ISO 27001 standards.
Understanding data flows
Teams data moves to a couple of different locations: Exchange and SharePoint for Teams. The ingestion pathways are as follows:
- Teams > Chat Service > Office 365 substrate (multi-application service enablement) > Exchange Cloud
- Teams > Exchange Cloud
- Teams Clients > NGC Skype Calling/Meeting services > Call/Meeting Record Processing > Exchange Cloud participants > Office 365 information protection tools
Many different types of data are at play. Emails, chats, group chats, messages, files, summaries, and more enter the funnel.
Data redundancy and remote data control
Data isn’t useful if we can’t access it. Office 365 understands this, and allows admins to dictate who can download what. Not all users are siloed from one another. Consider that one user’s license might be revoked, or their role changed, for a variety of reasons. Their OneDrive, Outlook, and other accounts may contain mission-critical information still relevant to the organization.
Admins should seize control where necessary to copy this data elsewhere. Remember that accounts must still be active for this to be possible, for an unrestricted period of time. Should admins delete an account before attempting data recovery, that data will remain available for 30 days. However, an admin can define any retention period from 30 days to ten years within the SharePoint admin center. Office 365 will permanently delete this data if the associated account isn’t recovered within that assigned window. Admins can move these files to their own OneDrive, a shared library, or to their local Downloads folder.
Revocation and wiping devices
Conversely, access revocation is an important step in the governance process. It’s stated within access management best practices that minimal privileges should be assigned in completing a certain task. Once that task is completed, permissions should be restored to their defaults.
Imagine you hire a house sitter while you’re away on vacation. That person receives your garage key code, thus permitting them access to your home in order to complete their job. Once those responsibilities end, you can send them on their way and change your passcode.
The principle is similar in this case, yet self-imposed. Admins will want to revoke their own access to protected OneDrive data—should it reside within another account—lest their own account become a possible vector for data leakage. This keeps your “house” (the ecosystem) safer overall.
Lastly, admins can remove Microsoft 365 data from mobile devices and PCs. This is useful when these devices are lost, stolen, or temporarily in the hands of an ex-employee. Note that company data cannot be restored after deletion. By going to Admin center > Devices > Manage, one can search for users and summon their active devices. Factory reset and Remove company data options are both available, depending on the situation.
The Battle of SMPs vs. Specialized Tools
As companies adopt new software, their management needs expand in lockstep. The average enterprise entity uses 137 SaaS applications during daily operations. That’s a lot of data to manage—hence why SaaS Management Platforms (SMPs) have skyrocketed in popularity in recent years. These provide one centralized record for all apps under a company’s operational umbrella. SMPs can help determine how employees access core, sensitive data stemming from applications and their users.
Interestingly, new findings from Gartner suggest that larger enterprises are now embracing bespoke solutions, instead. The stock of specialized data governance tools seems to be rising—as teams favor targeted solutions to challenges within cloud suites like Office 365. These programs can show us how data is safe or vulnerable throughout 365. There’s a huge need to classify and uncover trends from application data at a granular level. This detail may be lost within a broad SMP.
There’s a curious trend of inverse proportions brewing in the software realm. While large companies favor a precise (read “efficient”) approach, SMBs are embracing those broad management platforms. It’s possible that these businesses cannot devote as much investment or specialized care into data governance—amongst a slew of other priorities—and thus favor a catch-all solution to make their lives easier. That’s not necessarily bad; it simply highlights differing priorities.
What issues can dedicated tools solve? First, there’s plenty of clutter to sort through in a data-driven environment. Specialized software can also involve more stakeholders in the governance process. Large companies don’t want to be dinged for massive compliance failures—nor be burned by vulnerabilities. Platform-based alternatives may cut corners in order to satisfy diverse use cases. That’s a risk that established industry leaders don’t feel comfortable taking.
There’s little doubting that the governance landscape is evolving. Companies are realizing that applications need special care in order to provide peak value. The third-party market is booming. However, not all tools are created equally.
Governance doesn’t have to be complicated
As we can see, there are many moving parts to data governance within Office 365. Thankfully, Microsoft’s included tools excel at managing these processes. While some operations are possible via something like PowerShell, it’s comforting to know that various admin center GUIs can get the job done effectively.
Office 365 is also making heavy use of centralized dashboards within its respective administrative panels. The integration of Azure Active Directory simplifies sweeping application of permissions to user accounts. We’ve also seen third-party platforms emerge to tackle the aforementioned tasks behind data governance.
Our own Syskit Point solution excels at cutting clutter, while ensuring the right people have the right access with automated governance workflows. Point triggers automated flows and sends email requests to data owners for one or more governance policies you have set in motion. The beauty of it is in the elegance of the solution. On the one hand, admins and IT support are freed of the burden of governing content and users they are not familiar with at operational level. On the other hand, IT and compliance managers can rest assured all content is governed properly.
Compliance managers, auditors, business users, and Office 365 admins can benefit from these tips—and from Syskit Point. You and teams worldwide have the opportunity to lead the way in data governance. According to the Harvard Business Review, just 3% of data in a business enterprise meets quality standards. Sixty to seventy-three percent of data is never used for any strategic purpose. Finally, bad data costs 12% of company revenue on average.
We can do so much better. Thankfully, the path forward looks quite promising—should businesses enthusiastically employ best practices.