Is Microsoft for Information Governance Enough?

By Brett Knudson, Micro Focus

With the rise of unstructured data, a well-thought-out information governance process is necessary for success. However, is Microsoft enough to get the job done, or do you need more? Read on to see if Microsoft 365 is sufficient for you.

 In a recently published white paper titled, Does a Microsoft-Only Approach to Information Governance Make Sense? Osterman Research lays the groundwork for determining if an organization should consider more than just Microsoft 365 for its information governance strategy. If you use Microsoft 365 for your information governance, you may want to reassess your needs to determine if it’s enough.

Here's a brief highlight reel of the report:

What is Information Governance? Defining the term in question will probably be helpful. Information governance involves the rules and procedures set out by organizations for handling their data. This process is even more important for organizations in highly regulated industries.

Information governance involves organizations determining what types of information are in possession, properly classifying it, and removing irrelevant information. Then, proper access to certain information must be ensured for regulatory compliance and communication audits. Further, information must be available and easily searchable for eDiscovery requests and for external review. While information governance sounds complex, it doesn’t have to be.

To best determine if using only Microsoft for your information governance is enough, let’s compare Osterman’s suggestions for best practices with information governance capabilities within Microsoft. Here are approaches to consider in various information governance aspects when evaluating vendors to understand the Microsoft approach against what Osterman considers best practices:

Data Discovery and Data Mapping

When an organization begins the information governance journey, an early step in the process involves identifying, storing, and categorizing the information that exists in its repositories.

Best Practice: Connects with multiple repositories, whether on-prem or in the cloud. It should work across data repositories, services, and file formats. Machine learning algorithms can be used to identify sensitive information like PHI, PII, and PCI. The system identifies ROT (redundant, obsolete, and trivial) data and reduces the storage of unnecessary bits of information.

Microsoft 365: The system focuses on data stored in M365 workloads and contained in supported Microsoft file types. For a higher price tag, organizations can use data discovery capabilities for multiple cloud services and on-prem data Microsoft data repositories. About 100 sensitive information types are used to analyse and label content in files. The types rely on keyword and regex matching. Identifying ROT data is supported when an organization migrates its data to M365 but is out of luck for ongoing analysis. Microsoft is focused on storing everything in – surprise – Microsoft 365, bumping ROT removal down the priority list.

Retention and Deletion

Identifying what information should be kept and what information should be thrown out is vital for any organization, especially those in regulated industries.

Best Practice: An emphasis is placed on the removal of ROT data. This streamlines what data is retained, reducing the risk of litigation, the vulnerability of sensitive data to an attack, and storage costs. Reporting can support collaborative decision-making. It is also best practice to create a separate backup of email, document, and file data for long-term storage and archival. Archived data is stored in a non-editable format that is signed and held in a different location than the original source.

Microsoft 365: Microsoft 365’s data governance capabilities focus on applying retention labels to content that must be kept for a pre-scheduled duration, but largely ignores the rest of the organization’s data. (Much of this is ROT.) Users are then expected to select the correct retention label. A single source architecture in M365 for current and archived data means that incorrect classification of pertinent email, document, and file data leads to indefensibly early deletion. This can be very bad.

Data Access Governance

The threat of insider data breaches is high when organizations don’t have a strong approach to access governance with their data. Many organizations have poorly organized files servers with decades-worth of unstructured data that isn’t managed.

Best Practice: A good information governance approach involves scoping the data access analysis across data repositories for on-prem and cloud-based. It offers a user-centric analysis of the data people are trying to access with automated remediation of inappropriate access privileges.

Microsoft 365: Microsoft approaches scopes data access analysis across applications where identity and access are managed through Azure AD and requires Azure AD Premium P2 licensing. There are no provisions to prevent “sharing” of content with users who shouldn’t have it and it’s not possible to validate the reason someone has access to data. Microsoft assumes a thorough access approach to M365 already exists and it provides the tools to keep it that way.

eDiscovery Capabilities

Organizations are likely to face litigation over the course of their existence, but without proper and comprehensive eDiscovery capabilities in their information governance solution(s), trouble could be lurking. If the data can be quickly attained, cases can be closed faster with much higher success rates.

Best Practice: Content searches should use standard indexing processes for the quick and responsive presentation of search results. Only responsive content is assembled for external legal review, to substantially decrease the cost of the external review process. Legal holds for content in question are created by guarding data in a separate repository for each case, allowing for multiple legal holds to be applied to the same content.

Microsoft 365: Content searches for eDiscovery force a re-indexing of all selected data locations in M365 for a custodian. This adds time and slows the process of data discovery. M365 does not offer the ability to pre-process potentially responsive content and search results must be exported before they can be viewed. Legal holds can be put on responsive content wherever it is stored in production M365 workloads and multiple legal holds can be applied to the same workload.

Endpoint Backup

Endpoints are how organizations get work done. With the rise of remote workers, endpoint backup is increasingly important. Endpoints also serve as an organizational risk. Endpoints house corporate data and can be costly and difficult to obtain crucial data from.

Best Practice: Policy-based enterprise endpoint backup solutions safeguard all data on an endpoint in the network. Data retention on enrolled endpoints is a policy-based decision. All endpoint data is captured and preserved to support eDiscovery and enterprise search requirements. Organizations can define how long files should be kept available in an archive.

Microsoft 365: Content in OneDrive and SharePoint can be synchronized to an endpoint for simple access and collaboration. Users can avoid data retention requirements easily by storing documents outside the OneDrive folder hierarchy. Data stored on endpoints outside the OneDrive is excluded from eDiscovery, creating dark data. OneDrive automatically captures deleted files in a couple of tired duration recycle bines, but when a file is removed from the second storage bin, it is gone forever.

For some organizations that are Microsoft-centric and rarely face eDiscovery cases, Microsoft 365 provides all the information governance capabilities they need. For many others, especially those in regulated industries, their approach requires more.

Microsoft 365 offers some capabilities for information governance, but third-party vendors complement and extend what Microsoft offers. Organizations should examine their information governance needs and look to third-party solutions to extend what Microsoft offers and fill in the holes in their complete information governance strategy.

Micro Focus offers a broad line of information management and governance solutions that help organizations complete the information governance puzzle. Micro Focus’ portfolios of products help organizations create a holistic strategy and offer capabilities for secure content managementunstructured data analyticsdata protectionunified endpoint management, and team collaboration. Are you unable to use Microsoft 365 or simply looking for an alternative? Check out our Microsoft 365 alternatives that offer all the same M365 capabilities and a whole lot more.

Read the full report.