The not so boring version of how Exchange Online satisfies SEC rule 17A-4

The not so boring version of how Exchange Online satisfies SEC rule 17A-4

November 10 brought a Microsoft announcement that Office 365 Online Archiving now meets the requirements of SEC Rule 17a-4. You might be unfamiliar with SEC 17A-4, as I know it’s not a topic of interest for many outside the legal and financial community. Basically, this deals with the record keeping requirements for financial companies trading in the U.S. market under the aegis of the Security and Exchange Commission (SEC).

In any case, it’s a big thing for Microsoft as SEC compliance is a major checkmark on the list when financial companies look for technologies to meet their archiving needs. The assertion is backed up by a white paper written by Covington & Burling LLP that you can download and read to absorb all the fascinating detail of how Exchange archiving satisfies the SEC.

Having had some exposure to lawyers during my career and knowing a tad about how Exchange archiving works, I perused the white paper to see what kind of case was made.

A great deal is made of retention policies, the ability to move items into archive mailboxes, and in-place holds, all of which are important parts of the Exchange Online compliance suite. The rest of Office 365 is not quite as well equipped as Exchange Online is, but the gradual built out of the Compliance Center is under way and its effect is being felt in SharePoint Online and OneDrive for Business.

Weight is given to the ability of the Office 365 Import service to ingest information from social sources such as Twitter and Facebook or, more importantly, corporate sources such as Bloomberg Chat and SalesForce Chatter. I covered this functionality in a July 21 post but admit that I haven’t seen much action in the space since. Perhaps the companies who are building the capabilities to package data from these sources in a form suitable for the Office 365 Import service to ingest are waiting for the service to reach general availability, which seems to be targeted for early 2016. Remember that the costs for this processing remain unclear as they will be set by the companies who package the content. Regular imports will be free for over-the-network loads and $2/GB for drive shipping.

[Update: On November 18, Microsoft announced that the third party ingestion capability for the Office 365 Import Service was now available in preview.]

Another new feature that’s mentioned is the ability to create and apply preservation policies (with a “preservation lock”). This feature is in preview in the retention part of the Compliance Center to allow administrators to create queries to identify content that needs to be preserved in mailboxes or SharePoint sites. The items subject to the query can be retained indefinitely or for a set period. The paper notes:

Preservation Lock ensures that no one, not even administrators or those with certain control access, may change the settings or overwrite or erase data that has been stored…”

The interesting thing here is that if you lock a preservation policy, it can’t be removed or disabled by an administrator. In fact, the only thing that you can do is to add more sources (such as mailboxes) to the policy or extend its duration. Although preservation policies are not supported by on-premises Exchange, it’s arguable that the concept of an administrator being unable to change a policy is an example of where Exchange Online is a more secure environment. After all, on-premises administrators could reach for the ADSIEdit tool and remove the policy from the Exchange configuration data held in Active Directory. This is impossible for Exchange Online because tenant administrators have no access to policies or any other objects held in the configuration data.

The paper emphasizes the “robust copy-on-write mechanism used by Exchange archiving, which I assume means the way that the Information Store logs transactions as it writes data to mailboxes, including archive mailboxes. Mention is also made of the redundancy incorporated in the way that Exchange Online is run inside Office 365 with multiple database copies (4) spread across multiple datacenters within a region.

Emphasis is also placed on the use of the MAPI MessageID as the unique identifier for items held in mailboxes and to allow the retrieval of “a specific item without ambiguity”. I imagine that most will construct eDiscovery search queries around other terms (like author or a date range) and the question of the message identifier will usually only be of technical interest to those who examine MAPI message properties. However, its presence meets the  requirement about how data is serialized or indexed internally, so that’s a good thing.

The need for auditing is addressed by Exchange mailbox auditing. The functionality here is not as strong as some would like, especially in the ease of reporting and analysis of user actions, and I hope that the Unified Auditing infrastructure being rolled out inside Office 365 (accessible through the Compliance Center) will improve matters. We’ll see.

Finally, I note that EOA meets the criteria for being able to provide data in an accessible/downloadable format by “making the data downloadable and accessible via In-Place eDiscovery in industry standard formats such as EDRML and PST”. The inclusion of a PST as an accessible format is understandable because it’s an easy way to transfer information recovered through an eDiscovery search. In fact, it’s one of the only reasons why I think PSTs should ever be used. Otherwise, I’m all for PST eradication.

Remember that this report addresses Exchange Online and not Exchange on-premises. As noted above, the on-premises version does not support preservation policies nor do facilities exist to allow you to ingest data from third-party social or business sources.

The compliance features available to Exchange and SharePoint have come a long way since the first blush in Exchange 2010. It’s good to see progress and it’s good to see how the features meet a practical need in an important market. But as the lawyers point out, “Readers are advised to consult with both technical and legal advisors in assessing compliance with Rue 17A-4”. No more needs to be said.

Follow Tony @12Knocksinna

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.