Achieving regulatory compliance with customizable retention policies

Due to regulatory compliance policies, internal policies, or an active litigation, organizations may be required to store data in their Exchange Online, OneDrive for Business, and other Office 365 services for a fixed amount of time. It’s crucial that organizations find a way to comply with all retention policies to ensure they don't incur financial penalties.

While regulatory compliance can be achieved with retention policies, there are certain limitations, including:

1. Increased mailbox sizes can result in higher costs for storage.

   A retention policy prevents users from deleting items from your Exchange Online mailboxes and OneDrive for Business sites. While this allows you to keep your end users from deleting data and thereby maintaining compliance, retention policies can be turned off at will by administrators, enabling them to remove any items from mailboxes or sites. If your administrators turn rogue, or if your privileged accounts’ credentials are compromised, the retention policy can be paused until all items have been purged from your mailboxes.

   To prevent such a scenario, Microsoft provides a feature called retention lock, or preservation lock, that restricts administrators from turning off retention policies or making them less restrictive. The downside of a retention lock is that this change can never be undone, and will only be removed once the retention period, as originally configured, expires. A restrictive retention lock can quickly result in your organization's allotted storage space being filled up, and might force your organization to buy additional storage space from Microsoft.

   Depending on the size of your organization and the volume of data that passes through its mailboxes on a daily basis, your organization could end up spending heavily for extra data storage.

2. Inability to recover from ransomware attacks.

   Ransomware usually attack files stored in computers, but some variants of ransomware can also attack Exchange Online mailboxes and OneDrive for Business sites.

   Ransomware can encrypt all emails and other items in your Exchange Online mailboxes and OneDrive for Business sites, even if a litigation hold is applied. A litigation hold placed on mailboxes or folders renders users unable to delete any data in your mailboxes or sites. Since litigation holds do not create a copy of your data in a new location, you cannot restore your mailbox or site to a previous point in time. Also, Microsoft has explicitly stated that mailbox point-in-time recovery is not in its scope, and it's up to you to make sure you'll have the ability to recover from ransomware attacks by rolling back your mailbox or site.

   A backup and restoration solution like ManageEngine's RecoveryManager Plus is a must-have for organizations today.

   With RecoveryManager Plus’s, you can:

   • Create retention policies that meet regulatory requirements for your Office 365 backups, and automatically discard backups when the retention limit is reached. All data in your mailboxes, even the deleted data in first-stage and second-stage Recycle Bins, is backed up.
   • Store all backups within your premises, or on your Azure Blob Storage, and file shares. Having a copy of all your mailbox and site data allows you to delete items from your mailboxes and sites, so you don't have to worry about running out of space.
   • In case of ransomware attacks, you can delete all the encrypted mailbox and site data, and restore the complete data from backups in a few clicks, and ensure a ransomware attack doesn't impact your organization's productivity.

Couldn't find the feature you wanted? Raise a feature request