Governance for Microsoft 365: frequently asked questions
1. Why should we consider governance before using M365 and other cloud services?
Cloud services, whether in Microsoft Azure or in Microsoft 365 (M365), are easily and rapidly provisioned. Since customers using M365 in a SaaS plan do not have to worry about hardware, sizing, updates and the overall availability of the service itself, it’s deceptively simple to deploy cloud services. Although the cloud has many positive traits, its fluid nature makes governance a significant challenge. If ignored, networks can be left vulnerable while IT misses opportunities for cost optimization.
2. What does Microsoft 365’s IT governance framework look like?
An IT governance framework is different for every organization – and the ideal framework varies depending on the service being used. Let's take the example of a cloud service like OneDrive for Business. OneDrive is a cloud storage and collaboration tool available in the standard M365 suite. By nature, it can be deployed on any user’s device and can be synchronized across devices. Organizations can also give external users the authority to access, share, and edit documents within a collaborative environment.
It is necessary to evaluate whether your organization should implement OneDrive in this way - and this is exactly where IT governance for M365comes into play. The first step is to determine how access takes place. Consider if OneDrive will only be accessed by internal users or if you will allow access to external partners and guests. Then it is necessary to identify the processes you will follow to facilitate and secure access to the application. Once this is complete, consider the devices that will be accessing OneDrive. Are they managed clients, mobile devices, unknown web terminals, Use your own Device (UyoD), Bring your own Device (ByoD), or something else entirely?
Finally, don’t forget to ascertain the best way of protecting identities, devices and data.
By using an IT governance framework specifically designed for cloud services, organizations will define processes and guidelines regarding access scenarios, client and mobile device management, identity protection, and data protection.
3. Which services are relevant to IT governance in Microsoft 365?
IT Governance for M365 considers all of the services offered in the M365 package, including Microsoft 365 and Enterprise Mobility + Security, then considers the most appropriate way to use them. Within the governance framework, organizations must evaluate user lifecycles, data protection, data management, and legal requirements for data.
Currently, IT governance concepts for user and data life cycles are modeled and applied in an expanded form, which provides a basis to cost-optimize operations. However, this model means that basic events like an employee’s recruitment or retirement can cause major changes to your governance processes. Often, organizations will mistakenly issue licenses to employees due to faulty processes or old knowledge – such as giving a terminated employee access to M365 although they have not been employed in the company for some time. This can contribute to network vulnerabilities and cause significant expenses over time.
Besides typical business users, there are other employees with more extensive requirements and an increased need for secure access to data – network administrators, management, the HR department, the legal department, and more. Before granting these parties use of your M365 service, it’s crucial to provide a complete IT governance process that offers rigorous guidelines and protections for these user groups. By finding a reliable provider of IT governance services for M365, organizations can define the technologies and roles that can assist with this protection while upholding organizational rules and regulations.
Finally, companies must consider the question of data protection, GDPR and overall data security. It’s necessary to evaluate on-premises concepts and requirements to ensure your governance policies for M365 will be sustainable, viable, and flexible. When designing your framework, consider technologies such as Microsoft Azure Information Protection, Microsoft Data Loss Prevention as well as Managed Backup and archiving systems from other providers.
4. How do organizations adapt their IT operations for cloud services?
Companies and their IT departments are often confronted with the challenge of having to address and provide for both their business needs and user requirements. For example, many organizations want to fulfill user requirements by creating the “Modern Workplace,” which simplifies communication and allows for effective collaboration. At the same time, on the business side, organizations have a constant need to evaluate their investments in licenses and their associated costs.
Cloud services allow organizations to fulfill certain business needs and user requirements quickly and easily, but it comes at a cost. This lightning-fast speed of delivery often means that very few important governance requirements are taken into account during the implementation and rollout of cloud services like Microsoft 365. As a result, organizations aren’t building a foundation for IT operations - and as a logical extension, they are not building IT governance policies for cloud services. The best way to resolve this is to have IT and network management team create pilot or proof-of-concept projects before fully deploying M365.
5. Is it possible to reach a compromise between urgent requirements, rapid implementation and medium-term project planning?
It is always necessary to find areas that fundamentally need IT governance prior to using cloud services at all. However, keep in mind your strategy may include some trade-offs depending on your current cloud software portfolio. For example, if parts of the enterprise already use cloud services that aren’t provisioned and managed by IT, it’s better to implement a somewhat sufficient governance policy as quickly as possible before working on a complete solution.
When you plan your governance policies, don’t forget to include requirements for internal employees. They are an important resource for upholding and carrying out these projects and failing to consider their needs during the planning process can lead to considerable delays. However, developing governance policies for all communication channels is a time-consuming process and companies often don’t have time to create governance policies for each service. A trade-off in this situation would be outlining governance policies for one service, like Microsoft Teams, and deploying it for general use until other services can receive a complete governance policy.
6. What is the risk of implementing cloud services without IT governance?
If organizations use cloud services such as Microsoft Office 365 without also purchasing Enterprise Mobility + Security, their data may be at risk. Without any additional security software to reinforce your Microsoft 365 deployment, the only inherent protection mechanisms are simply the user’s login information. This makes it easy for hackers and other malicious agents to siphon or steal data – and they may even steal a user’s identity to gain further access into the organization.
Without IT governance for M365, attacks and data misuse often go undetected, since no reporting or SIEM system would have been configured, connected or even available. This issue is compounded if there’s no single person responsible for security incidents, or if there are no processes in place for handling security threats. An effective IT Governance policy needs ongoing management and measurement to handle security breaches effectively.
Quite apart from these data-related risks, an evaluation of current users is often neglected. This is a serious vulnerability, as unauthorized access and other adverse incidents may occur if an organization has a bring-your-own-device or other relatively open environment. The clear answer is to enact strict governance policies that will prevent these unsavory scenarios. However, a strong IT Governance policy will immediately change a user’s access scenarios each time the service or policy has a significant update. This may prevent employees from smoothly and consistently accessing their necessary devices and applications, resulting in frustration. Users will also become exasperated if they feel they’ve sacrificed effective internal communication, meaningful training or a multiplier network effect in the name of governance. Eventually, this frustration may build into a widespread unwillingness to embrace cloud services.
With that being said, the activities and work packages described here are simple examples. When constructing your own IT Governance policies for Microsoft 365, your organization will have individual requirements as to how extensive IT governance should be, which may depend on your current rules and internal processes.