Security and Compliance for Exchange Online in Office 365

Upload: quentin-christensen

Post on 12-Aug-2015


Security and Compliance Features

Litigation Hold versus In-place Hold

Litigation Hold
- Holds are based on user
- Enable users to be placed on hold and keep mailbox items in an unaltered state
- Preserve mailbox items that may have been deleted or edited by users
- Preserve mailbox items automatically deleted by MRM
- Keep the litigation hold transparent from the user by not having to suspend MRM
- Enable discovery searches of items placed on hold
- Blanket application
- Unlimited users, unlimited content

In-place Hold
- Holds are based on a query
- Enable content from query to be placed on hold and keep mailbox items in an unaltered state
- Preserve mailbox items that may have been deleted or edited by users
- Preserve mailbox items automatically deleted by MRM
- Keep the in-place hold transparent from the user by not having to suspend MRM
- Enable discovery searches of items placed on hold
- Provides granularity
- 5,000 mailboxes per query, 30 GB content per mailbox

Quick Comparison

You want to…                                                          | Use Litigation Hold | Use In-Place Hold
Preserve all items in a mailbox                                       | Yes                 | Yes
Preserve all items in a mailbox for a specific duration               | Yes                 | Yes
Preserve items matching query parameters                              | No                  | Yes
Specify types of items to preserve (such as email, calendar, notes)   | No                  | Yes
Specify hold settings for members of a distribution group             | Yes                 | Yes
Max users on hold                                                     | No                  | 5,000
Place multiple holds on a mailbox                                     | No                  | Yes
Make mailboxes inactive to preserve data in Exchange Online           | Yes                 | Yes
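
Added example (not from the original slides): the two hold types from the comparison above, set from PowerShell and then reviewed. The mailbox address, the hold name and the 2555-day duration are placeholders; "DG-Finance" and the query are reused from the deck's own search example.

```powershell
# Added example. Assumes an open Exchange Online remote PowerShell session.
# "legal-custodian@example.com" and "Hold-CaseId012" are placeholders.

# Litigation Hold: set on the user's mailbox, preserves all of its items.
# -LitigationHoldDuration is in days; leave it out to hold indefinitely.
Set-Mailbox -Identity "legal-custodian@example.com" `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555

# In-Place Hold: defined by a query, so only matching items in the
# source mailboxes are preserved. -ItemHoldPeriod is also in days.
New-MailboxSearch -Name "Hold-CaseId012" `
    -SourceMailboxes "DG-Finance" `
    -SearchQuery '"Contoso" AND "Project A"' `
    -MessageTypes Email `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 2555

# Review: every mailbox currently under either kind of hold.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds.Count -gt 0 } |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDuration,
        LitigationHoldDate, LitigationHoldOwner,
        @{ Name = 'InPlaceHoldCount'; Expression = { $_.InPlaceHolds.Count } }

# Review: the settings of the query-based hold created above.
Get-MailboxSearch -Identity "Hold-CaseId012" |
    Format-List Name, InPlaceHoldEnabled, ItemHoldPeriod, SourceMailboxes, SearchQuery
```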

Use Litigation Hold for preserving mailboxes

- Licensed mailboxes are fully functional
- Remove a license and the mailbox is disconnected, ultimately deleted, unless…
- Mailboxes on litigation hold are preserved indefinitely
- Can be searched, cannot be mounted

Messaging records management policies

What they can do
- Automatically move content of a certain age to the archive
- Create multiple policies for content of different ages, types, etc.
- Can be applied to specific folders
- Can use flags

What they cannot do
- Prevent users from overriding
- Prevent content from being deleted
- Prevent content from being purged

How MRM works in Exchange Online

Multi-Mailbox Compliance Search

Exchange Online provides a web-based interface for searching the contents of mailboxes in an organization.

Through ECP, administrators can search a variety of mailbox items including email messages, attachments, calendar appointments, tasks, and contacts. Multi-mailbox search can search simultaneously across primary mailboxes and personal archives. Rich filtering capabilities include sender, receiver, message type, sent and received date, carbon copy, blind carbon copy, and advanced regular expressions.

For legal discovery purposes, messages located through search can be copied or moved to a specified mailbox for further investigation. Administrators can connect Outlook to this mailbox and export the search results to a .PST file.

In-Place eDiscovery

- Helps to perform discovery searches across mailboxes
- Uses real-time content indexes created by Exchange Search
- Discovery Management role group is used to delegate discovery tasks
- Authorized users can:
  - Estimate search results
  - Preview search results
  - Copy search results to a Discovery mailbox
  - Hold content
  - Search SharePoint and archived Lync content

Discovery Management Role Group and Management Roles

- In-Place eDiscovery searches can only be performed by members of the Discovery Management role group
- The Discovery Management role group consists of two roles:
  - Mailbox Search role
  - Legal Hold role
- No eDiscovery tasks are assigned to any user or Exchange administrator by default

Roles and Permissions

- Permission for eDiscovery tasks must be explicitly granted via Role Based Access Control (RBAC):
  - Discovery Management Role Group
    - Mailbox Search Role
    - Legal Hold Role
- Typically granted to the legal department or discovery agents
- Access to the default Discovery Mailbox is included in the Role Group
- Access to additional discovery mailboxes must be granted
- Changes to access permissions are written to the Audit Log

Discovery Mailboxes

- A secure target mailbox
  - When you use EAC to copy search results, only Discovery mailboxes are displayed
- Large mailbox storage quota
  - 50 GB by default
- Enhanced security measures employed by default
  - Only users with explicit permissions can access
- Email delivery disabled
  - Users cannot send email to discovery mailbox.

Creating an In-Place eDiscovery search


eDiscovery Searches Via PowerShell

New-MailboxSearch "Discovery-CaseId012" -StartDate "1/1/2009" -EndDate "12/31/2011" -SourceMailboxes "DG-Finance" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Contoso" AND "Project A"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full


Considerations When Using In-Place eDiscovery

- Attachments
  - Searches attachments supported by Exchange Search
- Unsearchable items
  - Items that cannot be indexed due to filter, filter error, or encryption
  - Can still be copied to Discovery Mailbox
- Safe list
  - Files with content that cannot be indexed
- IRM-protected items
  - IRM-protected messages are indexed
- De-duplication
  - Reduces size of Discovery Mailbox, reducing workload for discovery managers, reduces cost of eDiscovery

Estimate, Preview and Copy Search Results

Transport Rules

Exchange Online administrators have the ability to manage mail archiving and compliance features available with the service.

Disclaimers - Exchange Online lets administrators add disclaimers to messages in transit using transport rules. Administrators can create custom disclaimers for different groups in an organization and can control whether the disclaimers are applied to internal messages, outbound messages, or both.

Granular transport rule conditions - Administrators can create transport rules to inspect messages for a variety of email attributes, such as specific senders, recipients, distribution lists, keywords, and regular expressions (for common patterns like those associated with credit card numbers or social security numbers). Administrators can also include users’ AD DS attributes (for example, department, country, or manager) and distinguish by message type, such as automatic replies, meeting requests, and voicemail messages.

Ability to moderate - Administrators use transport rules to route email messages to a manager or trusted moderator for review. Reviewers can approve or block the message and, if blocked, provide an explanation to the sender.

Message classifications - Administrators can use transport rules to apply metadata to messages, describing the intended use or audience (for example, attorney–client privileges). Users can also apply classifications manually and have transport rules check messages when they enter the transport pipeline. If messages do not meet the conditions of the classification, an action can be applied to modify, protect, or block the messages.

Attachment inspection - Administrators can create transport rules based on content in a Microsoft Office attachment. However, file types such as Adobe PDF files that require installation of third-party IFilters on the email server cannot be inspected in Exchange Online.

Transport rules - Transport rules are used to inspect emails in transit (inbound, outbound, and internal) and take actions such as applying a disclaimer, blocking messages, or sending a blind carbon copy to a mailbox for supervisory review. Transport rules use a set of conditions, actions, and exceptions similar to inbox rules.
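
Added example (not from the original slides): two transport rules of the kinds described above, one that sends outbound mail matching a card-number pattern to the sender's manager for moderation and one that appends a disclaimer to outbound mail. Rule names, the patterns and the disclaimer text are constructed for illustration.

```powershell
# Added example. Assumes an open Exchange Online remote PowerShell session.
# Rule names, patterns and disclaimer text below are constructed samples.

# 16 digits in four groups, hyphen- or space-separated, written with \d only.
$cardPatterns = @(
    '\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d',
    '\d\d\d\d \d\d\d\d \d\d\d\d \d\d\d\d'
)

# Outbound mail whose subject or body matches is routed to the sender's
# manager for approval. The rule starts in Audit mode, so matches are
# recorded without the action being applied to live mail flow.
New-TransportRule -Name "Moderate outbound card numbers" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $cardPatterns `
    -ModerateMessageByManager $true `
    -Mode Audit

# Disclaimer appended to outbound messages only. If the text cannot be
# inserted, the original message is wrapped in a new one carrying it.
New-TransportRule -Name "External disclaimer" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<p>Constructed sample disclaimer text.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Later step, once the audit-mode matches have been reviewed:
# Set-TransportRule -Identity "Moderate outbound card numbers" -Mode Enforce

# Review the rule set, its order and which rules are enforcing.
Get-TransportRule | Format-Table Name, State, Mode, Priority -AutoSize
```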


Journaling in Exchange Online

- Journaling is the copying of emails to an external mailbox via SMTP
- Helps with legal, regulatory or compliance requirements
- Records inbound and outbound communications
- Per user or per distribution list basis
- Internal messages, external messages or both
- Journaling destination cannot be an Exchange Online mailbox

Journal Rules

- Journal rule scope
  - Defines which messages are journaled by the journaling agent (internal, external, or all)
- Journal recipient
  - Specifies the SMTP address of the recipient you want to journal
- Journaling mailbox
  - Specifies one or more mailboxes used for collecting journal reports

Creating Journal Rules in EAC


Creating Journal Rule in PowerShell

This example creates the journal rule “Discovery Journal Recipients” to journal all messages sent from and received by the recipient [email protected].

New-JournalRule -Name "Discovery Journal Recipients" -Recipient [email protected] -JournalEmailAddress "Journal Mailbox" -Scope Global -Enabled $True

Auditing

Exchange Online provides two forms of built-in auditing capabilities.

Note: Administrator audit logging is on by default. Mailbox audit logging is off by default.

Administrator audit logging - Allows customers to track changes made by their administrators in the Exchange Online environment, including changes to RBAC roles or Exchange policies and settings.

Mailbox audit logging - Allows customers to track access to mailboxes by users other than the owners, including access by delegates and access to shared mailboxes.

Several predefined audit reports are available in ECP, including administrator role changes, litigation hold, and non-owner mailbox access. Administrators can filter reports by date and role, and can export all audit events for specified mailboxes in XML format for long-term retention or custom reporting.

Audit Logging

Audit logs track specific changes made by administrators and delegates:

- Non-Owner Mailbox Access
- Administrator Role Group
- In-Place eDiscovery & Hold
- Per-Mailbox Litigation Hold
- Export Mailbox Audit Log
- Export Administrator Audit Log
- Search-AdminAuditLog & New-AdminAuditLogSearch
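
Added example (not from the original slides): a review pass covering the Roles and Permissions slide and the audit reports listed above, from PowerShell. The 30-day window and the 180-day log age limit are illustrative values, and the cmdlets are assumed to be available in the service version the slides describe.

```powershell
# Added example. Assumes an open Exchange Online remote PowerShell session.
$start = (Get-Date).AddDays(-30)   # illustrative review window
$end   = Get-Date

# Who can run eDiscovery searches and place holds right now?
Get-RoleGroupMember -Identity "Discovery Management" |
    Format-Table Name, RecipientType -AutoSize

# Mailbox audit logging is off by default: enable it wherever it is missing.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

# Non-owner (administrator and delegate) access to the discovery mailbox
# named as the target in the deck's New-MailboxSearch example.
Search-MailboxAuditLog -Identity "Discovery Search Mailbox" `
    -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate $start -EndDate $end |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType,
        Operation, OperationResult

# Administrator audit log: role group membership, discovery search and
# mailbox permission changes.
Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets Add-RoleGroupMember, Remove-RoleGroupMember, New-MailboxSearch,
             Set-MailboxSearch, Remove-MailboxSearch, Add-MailboxPermission |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded

# Per-mailbox Litigation Hold being switched on or off.
Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets Set-Mailbox -Parameters LitigationHoldEnabled |
    Select-Object RunDate, Caller, ObjectModified, CmdletParameters
```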

Message Tracing

Administrators can use delivery reports to view detailed reporting on email messages within the Exchange Online environment.

Using Exchange Control Panel (ECP), administrators can search for messages and view information such as time and date of delivery, reasons for non-delivery, and policies applied. Users can also view delivery report information for emails they have sent.

To access delivery information for messages sent to external destinations, administrators can use the message tracking capabilities within the EOP Administration Center.


Message tracing


Delivery Reports


For more information…

Security and Compliance for Exchange Online in Office 365
http://help.outlook.com/en-us/140/ff637239.aspx