Updated: May 2, 2024


CIO Talk: Is Compliance the Killer App for E5?


By Barry Briggs

Before joining Directions on Microsoft in 2020, Barry worked at Microsoft for 12 years in a variety of roles, including...

As a novice CTO for one of Microsoft’s divisions, I remember the first time the risk management team came to my office to visit. I have to admit that I dreaded the conversation. How interesting can regulatory compliance possibly be?

I discovered it’s actually really interesting, both from a technological and from a business standpoint.

The Regulation Explosion

Businesses have a profound need for ever more sophisticated regulatory compliance technologies: According to Thomson Reuters, companies can expect around 234 regulatory changes of one sort or another — per day. Regulations affect nearly every aspect of normal business operations (commerce, reporting, customer and employee privacy, safety). Highly regulated industries such as healthcare, pharmaceuticals, and finance face, with mostly good reason, higher bars. More daunting is that regulations covering the same activities can vary from country to country, state to state. (And, as I’ve often said to my teams, compliance really means two things: complying, and proving you’re compliant, through reporting and other means.)

The penalties for non-compliance can be draconian: violations of Europe’s General Data Protection Regulation (GDPR) can result in fines of up to 4% of annual revenues; of the EU’s new AI Act, designed to regulate the use of artificial intelligence technologies, up to 7%!

Is all this bad for business? Some will say that the expense of compliance is onerous. Personally, I disagree: as someone once said, one person’s “regulation” is another’s “protection.”

Microsoft is answering these challenges with an array (in my opinion, industry-leading) of compliance services, many quite innovative, often powered by AI. The downside? To get the features your organization will likely require, you’ll need E5, the highest tier of Microsoft 365.

Microsoft’s Regulatory Purview

In my view, Microsoft is way ahead of its competitors (AWS, Google) in the regulatory compliance space. Unlike those others, whose stance seems to be “talk to our partners,” Microsoft has made and is continuing to make very substantial investments in compliance, which have resulted in some pretty compelling innovations, including some clever uses of AI.

The downside, of course, is you have to pay for them.

Compliance is a many-splendored thing, covering many different use cases; in 2022 Microsoft folded all of them under the umbrella brand “Purview.”

Almost everything to do with compliance has to do with content: what you have, where you have it, who can access it, when you can delete it. Purview’s core content-search services use metadata (author, date, etc.) and keywords. More advanced capabilities leverage pattern matching (for example: three numbers, a hyphen, two numbers, another hyphen, four numbers: a Social Security number). Even more advanced features use AI (this document looks like a contract). Content search forms the basis of many compliance activities.
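The layered content search described above (metadata, then keywords, then pattern matching), as an added illustration that is not code from the original post or from Purview itself; the sample documents, label names, the "legal author" rule and the SSA validity rules applied to the SSN pattern are my own assumptions:

```python
import re
from dataclasses import dataclass, field

# The shape from the post: three digits, a hyphen, two digits, a hyphen, four digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that match the shape but can never be issued by the SSA
    (area 000, 666 or 900-999; group 00; serial 0000). Cuts false positives."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

@dataclass
class Document:
    author: str
    text: str
    label: str = "General"           # constructed label set, lowest sensitivity
    findings: list = field(default_factory=list)

def classify(doc: Document, keywords=("confidential", "contract")) -> Document:
    """Assign the most sensitive label justified by metadata, keywords or patterns."""
    # Layer 1: metadata. Assumed rule: anything authored in Legal is at least Internal.
    if doc.author.lower().endswith("@legal.example"):
        doc.label = "Internal"
        doc.findings.append("metadata: legal author")
    # Layer 2: keywords in the body.
    lowered = doc.text.lower()
    if any(k in lowered for k in keywords):
        doc.label = "Confidential"
        doc.findings.append("keyword")
    # Layer 3: pattern matching, filtered by the validity check above.
    hits = [m for m in SSN_RE.finditer(doc.text) if looks_like_ssn(*m.groups())]
    if hits:
        doc.label = "Highly Confidential"
        doc.findings.append(f"ssn:{len(hits)}")
    return doc

def dlp_blocks_share(doc: Document) -> bool:
    """A DLP-style decision built on the label: block external sharing of the top tier."""
    return doc.label == "Highly Confidential"
```

The validity filter is the part a practitioner tends to forget: a bare regex will flag order numbers like 000-12-3456 and generate alerts nobody trusts.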

Let’s walk through the different services and describe what’s in E3 and why you’ll probably need E5.

Compliance assessments report the current state of sensitive data in your tenant: where it is, how much there is, who owns it. In E3, assessments are based on a Microsoft amalgam of various regulations (such as GDPR). E5 allows much more specificity, with support for over 200 individual regulations; administrators can pick and choose what they need. When the assessment is complete, administrators are given a “score” and a list of actions they can take to improve it.

Data classification. Every organization should have a data classification strategy: what’s sensitive, what needs to be protected from unauthorized exposure, and what’s not. With E3 you can create labels and manually apply them to content. E5, however, enables much more automation, including sophisticated pattern matching and “trainable classifiers” where administrators can feed the system sample documents – such as contracts – and it will learn to recognize and classify them automatically.

Data Loss Prevention (DLP) uses similar underlying capabilities (such as pattern matching) to prevent exfiltration of sensitive content. E3 supports DLP for email and files; E5 adds DLP for endpoints (client machines, using an agent) and Teams chat, and who doesn’t use Teams these days?

eDiscovery supports investigations, usually as a result of litigation. With E3 administrators can search for content based on criteria (author, topic, keywords, etc.) and place legal holds on content. With E5, however, administrators receive support for a much broader range of features, including data custodians, customizable legal notifications, searching in Teams conversations and Copilot interactions, and AI-driven deduplication of content, to name a few – all features required by modern enterprises. And of course the mantra that anyone who gets the benefit of E5 — such as a custodian — must have an E5 license.

Data retention. Say you’re in litigation and you’re ordered to produce a document, but it’s been deleted. As often as not, the judge will assume you’re hiding something. Thus, most companies have policies around data retention. E3 supports creation and assignment of retention labels – but most will need the more advanced features in E5, which include automated retention labeling (using the same types of technologies we’ve seen earlier) and so-called “regulatory labels” which can be applied to content that can never be deleted (even over SharePoint site rebuilds, Microsoft claims).

Audit. The Audit log tracks events, such as who last edited a file or accessed a mailbox. As such Audit is essential for forensic investigations. Until recently, however, Audit entries in E3 were only retained for 90 days – hardly enough for a thorough investigation. After a breach, Microsoft extended E3 Audit retention to 180 days — but E5’s retention period is by default a full year, and can be extended to 10 years. Additionally, which events are captured differs in E3 and E5; make sure you know before you buy!

Insider Risk Management. Insider trading. Harassment. Policy violations. Any of these can have unpleasant consequences up to and including legal action. Purview’s Insider Risk Management can help administrators monitor email and Teams conversations for potential issues and can even prevent different departments from communicating altogether (which may be required for regulatory reasons). Insider Risk Management is only available with E5.

It’s worth noting that it’s possible to “boost” an E3 license with E5 compliance features via add-ons, such as the E5 eDiscovery and Audit Add-on, the E5 Information Protection Add-on, the E5 Insider Risk Management Add-on, or the E5 Compliance Add-on. Be careful though: à la carte may result in costs higher than a simple E5 license. Also, you may have good reason to have a mixed E3/E5 tenancy, but be cautious. Anyone (such as a data custodian) who gets the benefit of an E5 feature must have an E5 license.

Phew!

Microsoft is investing heavily in compliance. But the overwhelming focus of innovation is in E5, and I suspect the requirements of any large organization will mandate an E5 purchase, expensive as it is.

Is Microsoft missing things? Have an interesting compliance issue or story? Drop me a line at bbriggs@directionsonmicrosoft.com.
