We recently talked about SOX compliance in our regular newsletter, “WOOF!” The full article is here: 5 Big Benefits Your Company Gains from SOX – WOOF! March 2017
(Yes, there are actually benefits to SOX compliance. Weird, huh?)
It made me think of how I (very briefly) mentioned compliance in The Security Behind 6 Business Chat Apps (Including Skype for Business). Have I ever examined Skype for Business on its compliance? Not in detail, I hadn’t.
Well, since I’m thinking about it, why not? Let’s see what I can find on compliance!
What Do I Mean by Compliance?
Compliance is a term for your business meeting certain legal requirements. When it comes to communications, compliance means maintaining records of conversations, in case legal entities (e.g. government) need to review those records in an audit or lawsuit.
That means the records must include chat logs, voicemail, voicemail transcripts, and emails. Anything your employees used to communicate and direct business activity.
Several compliance standards exist: SOX (Sarbanes-Oxley), HIPAA, EUMC (EU Model Classes), ISO 27001, etc. If you have to meet one, keeping those records is now a legal requirement. Only option you have is, which solution do you go with?
There are far more potential solutions out there than I could cover in one blog post. For today, I’m covering four communications tools: Skype for Business (Server and Online), Slack, and Microsoft Teams. Let’s see how they stack up.
How Slack Meets Compliance Regulations: Compliance Reports
Good news, Slack users. Your choice of chat app has built-in compliance…and it has since 2014.
Slack has a Compliance Reports feature, which allows you to export all team communications, thereby satisfying compliance requirements.
Slack announced Compliance Reports in a 2014 blog post: Slack’s policy update: What it means for you (November 2014)
Compliance Reports is part of the Slack Plus plan. It’s available to Team Owners. The catch is, it’s NOT enabled by default. You have to request Slack enable it. (The procedure to do so is in the blog post.)
Also, Compliance Reports is NOT retroactive. Once it’s active, it begins archiving channels, private messages, edit history…from that point forward. So if you’re already using Slack, and want to add in Compliance Reports? Better copy out all the old conversations, just in case.
How Skype for Business (Server) Meets Compliance Regulations: Archiving Menagerie
Ah, my old friend. How’s your compliance?
Very good, thank you. Just needs some setup.
First, the Exchange Server. Exchange has well-developed compliance features. So much so that Exchange 2016 will archive some Skype for Business content within its own In-Place Archiving feature:
“You can archive instant messaging conversations and shared online meeting documents in the user’s primary mailbox. The mailbox must reside on an Exchange 2016 Mailbox server and you must have Skype for Business Server 2015 deployed in your organization.”
Next, Persistent Chat’s Compliance service. Once activated, this service maintains an archive of Persistent Chat messages, as well as activities. When people join/leave chat rooms, upload/download files, etc.
Setup is relatively simple. You only need to use one cmdlet, configured by identity or instance.
Set-CsPersistentChatComplianceConfiguration [-Identity ] ((COMMON PARAMETERS))
Set-CsPersistentChatComplianceConfiguration [-Instance ] ((COMMON PARAMETERS))
Parameters available are as follows:
- AdapterType – Lets you specify the adapter type (XML default).
- OneChatRoomPerOutputFile – Lets you specify that separate reports to be created for each chat room.
- AddChatRoomDetails – Records details about each chat room in the database. Disabled by default, since it can inflate the database with lots of activity.
- AddUserDetails – Records details about each chat room user in the database. Also disabled by default, for the same reason.
- Identity – Lets you scope compliance settings for a particular collection (Global, Site, Service levels). Global is the default.
- RunInterval – Dictates the amount of time before the server creates the next compliance output file (default: 15 minutes).
Thirdly, Archiving Server.
Does your Skype for Business deployment include an Archiving Server? If not, and you have compliance requirements, you should do so right away. (Here’s how to deploy an Archiving Server if you don’t have one yet.)
Archiving Server maintains an archive containing:
- Peer-to-peer instant messages
- Conferences (meetings), which are multiparty instant messages
- Conference content, including uploaded content (for example, handouts) and event-related content (for example, joining, leaving, uploading sharing, and changes in visibility)
- Whiteboards and polls shared during a conference
My old post on what Archiving Server archives. (Hmmm, I should update that one…)
Once this three-part setup is complete, your Skype for Business Server is keeping track of its conversations. Add a good backup system, and you should be fully compliant in case of audit (or litigation).
How Skype for Business (Online) Meets Compliance Regulations: Trust and eDiscover in the Cloud
As Microsoft says in the Office 365 Admin’s Security & Compliance menu:
“It’s your data. You own it. So we’ve developed features that let you take charge of how and when it is stored, used, and retained or removed.”
I view Skype for Business Online the same way I do Slack. The records themselves are archived and available. However, since Office 365 products are cloud-based, eDiscovery becomes much more important. You’ll need to locate & extract content as-needed in the event of an audit.
Fortunately, Microsoft put up a slew of information about O365’s eDiscovery capabilities: eDiscovery in Office 365.
For instance, the Content Search tool will search mailboxes, public folders, Skype for Business conversations, and more. Then you export the results (in different formats, like a PST for each mailbox or individual messages) and incorporate the files into your audit process.
How Microsoft Teams Meets Compliance Regulations: Information Protection…But is it Complete?
The Teams FAQ reports that Teams does retain all messages. We also have this:
What forms of information protection does Microsoft Teams support?
Archiving, Content Search, eDiscovery, legal hold, and audit logs are available via the Office 365 Security & Compliance Center for chats and channel messages, OneNote content, OneDrive for Business files, and SharePoint content.
At the same time, compliance tools are listed as “Working on It” here:
Commenters spoke urgently of the need to confirm Teams’ compliance policies.
Now, that could just be out of date. The FAQs are maintained, so they’re likely the latest-and-greatest information. Especially since Teams is an Office 365 product, which is compliant with several industry certifications anyway. The same eDiscovery tools available to Skype for Business Online, are available to Teams. At least according to Microsoft.
My Verdict: All Will Meet (Most) Compliance Regulations As-Is
In terms of compliance “thoroughness,” I’d rank these in the following order:
- Skype for Business Server. The most work to set up, but the most control over archiving.
- Slack/Skype for Business Online. Less work involved, since most of the archiving is done for you, and retrieval features are available. That said, these do use cloud services, which places (most of) the data outside your network.
- Teams. I put this one last because it’s still so new. It does fall under Office 365’s Trust Center guidelines, and does facilitate archival. But since it’s in early adoption stages, the need to verify compliance hasn’t come up in large numbers yet. Will Teams fully satisfy legal compliance for the businesses who use it? I think it will…but we may have a few businesses hitting bumps when they begin an eDiscovery process.
How big of a factor is legal compliance in your communications choices? Please comment or email. I’m also curious to note which type of compliance hits your business the most (if you’re able & willing to share, of course).