freshidea - Fotolia
Microsoft invests a lot to provide its users with data governance capabilities in Office 365, an increasingly important set of features given the prevalence of cloud and hybrid software environments.
However, a survey of Office 365 users conducted by AvePoint and the Association of Intelligent Information Management shows that many organizations are not making full use of the governance capabilities within the Office 365 suite.
"Microsoft knows that they need to convince not only the folks who are interested in productivity within an organization, but also the security and compliance people who are building out a service that is potentially even more robust from a data governance perspective than what they had before," said John Peluso, CTO of AvePoint Public Sector.
According to Peluso, Microsoft's strategy is to trust that business users know what they want, but in his experience at AvePoint -- a Microsoft partner and software company that supports governance, compliance and management software for enterprises -- this strategy ultimately confuses a lot of users.
Employees used to rely primarily on email for business communication and collaboration, but in Office 365, users also have the option to choose Office365 Groups, Teams, Yammer and SharePoint sites.
"Microsoft is giving them as many options as possible to keep them within the Office 365 ecosystem," Peluso said. "But which is the right one to use for a particular business purpose? That is where the confusion comes in."
Licensing levels and requirements
Some of the confusion around governance capabilities in Office 365 comes from the licensing models. Microsoft has several different licensing options for businesses that come with different governance capabilities from the broad to the granular, and there are also options for organizations to purchase more advanced functions.
"There is quite a bit of marketing messaging that goes out to [Office 365] customers, and that sometimes makes them think they can do anything and sometimes confuses them so they don't know what they can do," Peluso said. "Getting to know, in depth, what the capabilities they have and what they can do is step number one."
After figuring out what capabilities an organization has with its current Office 365 license, it is time to map those capabilities against business requirements. This will reveal any gaps that the organization needs to fill.
Filling these gaps, Peluso said, can mean everything from just establishing a new business process or using a citizen development technology, like Microsoft Flow, to investing in a third-party software to help manage governance within Microsoft.
Determining a strategy
After an organization determines what data governance capabilities are included in its Office 365 license and adds any other necessary functions, it needs to put a strategy in place.
John PelusoCTO, AvePoint Public Sector
"It is more than just having access to the tools -- you have to figure out a governance strategy that makes sense," Peluso said. "You can't just flick the switch on and be done."
Businesses need to determine which of Office 365's many collaboration workspaces employees should use for different types of projects, as well as what retention and permissions policies are appropriate for different common use cases. Third-party vendors can help organizations put these strategies into place.
Office 365 includes retention policies at both the workspace and the document levels. When developing a new workspace for a project, users can choose a retention length based on the kind of project that it is. The document-specific retention tools are more targeted.
"If I know a particular document is an employment contract -- either because a user tells me that it is or because I am using some sophisticated software to read inside the document and know based on the content that it is an employment contract -- then I can apply a very specific retention label to [it]," Peluso said.
It is up to the organization or a third-party partner to determine what the appropriate retention times are under different circumstances so that these capabilities do not go underused simply because employees are confused or overwhelmed.
It is not enough to simply implement data governance capabilities in Office 365; organizations must also continually monitor whether the strategy is still functioning properly.
"If it is really easy to create workspaces but there is no process to go through and periodically verify whether those workspaces are still necessary or if the access permissions are still appropriate, then you will end up with a large mess on your hands," Peluso said.
Verifying user access and permissions after a project has ended is vital to controlling who has ongoing access to files and workspaces, which is particularly important when collaborating with external users. One of the services that AvePoint provides is giving companies an inventory report of all of their workspaces across Office 365, including who it belongs to, who has access to it and who last verified that it was relevant to the business.
"That kind of ongoing control gives organizations the confidence to operate Office 365 at scale, especially in medium- and large-sized organizations," Peluso said.