In this blog post, I will discuss various best practices for securing end-user data after their Microsoft 365 account is reassigned or deleted and how to avoid common pitfalls and risks.
A short true story:
Many years ago, I received a call from a very good friend at a company I had left the year before. After catching up on the news, etc., he asked me if I had a copy of the large ROI/TCO/NPV/BET Excel calculator I had developed for the Sales group to compare on-premises email archiving costs with our cloud-based archiving platform.
This ROI model was inclusive and included cost comparisons like on-prem storage, cloud storage, eDiscovery, regulatory compliance, data center floor space, power requirements, and cooling. In fact, I invested 2-3 person months in developing and testing this model and had great results with the salesforce.
It seems the company had a large potential deal in the works, and the client wanted to see an extensive ROI comparison between our cloud archive and their current legacy archiving platform. However, no one in the company could find my ROI calculator!
My ex-company had an extensive- exit process for departing employees, including a legal form stating I would not/had not taken ANY corporate data prior to my departure. Because of that requirement, as I left, I made it a point to delete ALL company-related data from any personal devices and cloud accounts to avoid running afoul of the company’s legal department.
Please stick with me here; I am getting to the point of this blog.
On my last day, I put a prominent note on top of my laptop stating that it contained important corporate information and financial models, so they SHOULD NOT delete/reimage the hard disk (so they could reuse it for new employees) until they had downloaded my data/files. In the note, I also suggested that THEY NOT DELETE or reassign my Office 365 account until they had downloaded and protected all my email and OneDrive data (this is where all my financial calculators were stored).
I also made it a point to email my managing VP with the same suggestions and the importance of following them.
I told my friend I did not have a copy of the calculator - mainly because of the legal certification I had been asked to sign. However, I suggested he check my laptop and Office 365 OneDrive account to find the needed ROI model.
As you may have guessed, all my instructions were ignored, i.e., my laptop was immediately erased and reimaged, and my Office 365 account had been deleted - and all the data was irretrievably deleted. I never asked my friend about the sale, but it probably didn’t go well.
I tell that story to highlight the point of this blog - that IT/Legal organizations need to understand and create departing employee policies and procedures that ensure essential data (IP, compliance. legal) is protected before laptops and Microsoft 365 subscriptions are deleted or reassigned.
Going data-conservative
One workaround I have seen over the ensuing years is that organizations, especially government agencies, for some reason, choose to keep departed employee Microsoft 365 accounts active (and unused) so that they can retain the data in place. I have also seen organizations store departed employee laptops (or just the hard disks) for several years in case future litigation or regulatory inquiries crop up.
Several years ago, a sizeable mid-west city told me they wanted to migrate a bunch of data from departed employee Microsoft 365 accounts so they could deactivate them and stop paying for the (expensive) licenses. It turns out this city had accumulated more departed live employee Microsoft 365 accounts (that they were paying for) than active employee accounts – a huge waste of money.
Many IT professionals have told me they understand the importance of migrating and securing data from departing employees' devices and subscriptions. However, they don’t have the time or resources to find, download, and secure this potentially important data from departing employee laptops and M365 accounts.
Both of these overly conservative practices are costly and wasteful. So again, creating processes and procedures to capture and protect the data quickly would produce a significant ROI, not to mention eDiscovery benefits.
Some background…
Microsoft (Office) 365 account management
When a Microsoft 365 account is deleted/reassigned, the data associated with that account - email, OneDrive, and Teams, are not immediately deleted but retained, depending on the license type, for 30 days. After 30 days, the account data is unrecoverably deleted.
Note: A departed employee's standard contributed SharePoint Online data is not removed based on the SharePoint admin's current retention policies.
Again, depending on the type of account, personal, work, school, and the retention policies in place, the data is moved to a recycle bin or a soft-deleted state, where it can be restored within a certain period of time.
For example, suppose the deleted account is a personal Microsoft account (such as Outlook.com, OneDrive, Skype, etc.). In that case, the data will be kept in the recycle bin for 60 days, after which it will be permanently deleted.
However, suppose the account is a work or school account (such as Office 365, Teams, etc.). In that case, the data will be kept in a soft-deleted state for 30 days by default, after which it will be moved to another soft-deleted state for another 14 days before being permanently deleted.
Note: The administrator can change these default settings and extend or shorten the retention period, but most don’t.
During the “soft” retention period, the data can be restored by either the user or the administrator, depending on the type of account and the permissions granted. The restored account and its data will be fully functional and accessible as before.
If an account is deleted by mistake or accident, it can be restored within the stated retention period. The process of restoring an account and its data varies depending on the type of account and whether the user or the administrator deleted it.
As I have already stated, it is a best practice to export or archive the account data before deleting or reassigning the account. This way, you can retain a copy of the data for future reference, backup, compliance, or legal purposes.
Note: Many GCs now instruct IT to migrate and retain departing employee data for years (depending on the local statute of limitations) in case there is future related wrongful termination litigation.
Migrating Microsoft 365 data from departing employee accounts
There are different methods for exporting or archiving different types of data in Microsoft 365. For example:
For email messages, contacts, calendars, tasks, and notes in Outlook, you can use the Export/Import feature in the Outlook desktop app or Outlook on the web to create a PST file that contains all your data. You can then save this file to an external storage device or upload it to a cloud service.
For files and folders in OneDrive, you can use the Download feature in the OneDrive web app or OneDrive sync app to download all your files and folders to your local computer. You can then copy them to an external storage device or upload them to a cloud service.
For documents and files in SharePoint and Teams, you can use the Sync feature in the SharePoint web app or Teams web app to sync all your documents and files to your local computer. You can then copy them to an external storage device or upload them to a cloud service.
For chat messages and conversations in Teams, you can use the Export chat feature in the Teams desktop app or Teams web app to export all your chat messages and conversations as HTML files. You can then save them to an external storage device or upload them to a cloud service.
Another method for migrating departed employee data from Microsoft 365 accounts is using a third-party migration service provider. These providers can significantly speed up your migration process, allowing you to reassign the licenses quickly while still retaining and protecting the data.
After exporting or archiving the target employee data, you can reassign or delete the account and its data permanently and securely. This will ensure that the data is no longer accessible or recoverable by anyone and that it is erased from all Microsoft's servers and storage devices.
Final question: Where to store the migrated inactive employee data
Besides my example at the beginning of this blog (lost ROI model), the main reason for retaining departed employee data is for legal and regulatory compliance. The probability that some portion of a departed employee’s data is considered a “regulated record” or tied to anticipated or current litigation is high. Because of this, this migrated data should be stored in a centralized storage location that is secure and searchable by legal, HR, Compliance, and business teams (for reference/reuse).
Secure on-prem or cloud-based file shares are an obvious storage location for these files. However, depending on the estimated amount of data that will be stored in the coming years, utilizing low-cost cloud-based storage virtualization would better address the various issues storage administrators have with moving large amounts of data from a managed SaaS platform (M365) to on-prem storage resources.
Cost of on-prem storage: The fully loaded cost of on-prem enterprise storage does not equate to the cost per GB of spinning disk that can be purchased at Best Buy or Amazon. The fully loaded cost of enterprise storage includes the price of the primary storage, secondary copies, backups, and Disaster recovery. One fact to remember when planning for storing and managing departed employee data is that much of it (99%?) will be considered inactive. So, the question is, do you need to store it on high-priced enterprise storage resources, or could it be virtualized (based on policies) and stored in a lower-cost cloud (restorVault Tamperproof Cloud Storage} while leaving behind pointers or virtual data files (VDFs) for employee easy access? The virtualized files should be encrypted and stored on immutable cloud storage tiers to protect against ransomware and extortionware. This virtualized departed employee data stored in a secure cloud would also exclude the need for backups or DR resources.
Data security: The restorVault virtual file storage capability protects against ransomware and extortionware by storing the virtualized and migrated files in a highly secure cloud, enabling file encryption and storage to a WORM or Immutable storage tier. This ensures that virtualized data cannot be copied, deleted, or corrupted.
Employee accessibility: As file server files are virtualized (based on policies), they are replaced with pointers that remain directly in the file server Windows File Explorer. This ensures employees can click on a pointer in the File Explorer, and the virtualized file is immediately retrieved. This means zero training is required for employees. Additionally, the pointers can be automatically repopulated to the file server if a mishap or cyber-attack occurs.
Information management: The restorVault virtual storage capability includes a file management capability that provides for migration policies based on inactivity and retention/disposition policies.
Searchability: Microsoft 365 departed employee accounts are more complicated to search and place litigation holds in. A central file share with virtualized files is easily indexable and searchable for employee reference/reuse, regulatory compliance inquiries, and eDiscovery processing. The restorVault virtual storage solution ensures easy search and retrieval from a consolidated and secure storage repository.
Securing departed employee data before their Microsoft 365 account is deleted is a crucial task that requires careful planning and execution. By following the best practices discussed in this blog post, you can ensure that your data is protected from unauthorized access or misuse, that you have a copy of your data for future reference or backup purposes, that you can access or delete your data permanently and securely when needed, and that you comply with your legal and regulatory requirements for data retention and deletion.
A recap on restorVault storage virtualization
restorVault’s Storage virtualization solution replaces a file (based on policies) in an on-prem active repository, such as a file share, with a pointer or virtual data file that points to the original file in the restorVault cloud. Whenever a user clicks on a virtual data file (pointer) in their file explorer, the actual file is instantly retrieved from the restorVault CCA cloud platform (see below) for viewing and continued work. This storage virtualization into the immutable restorVault trusted cloud repository also eliminates the wasteful need for backups of inactive data.
It also frees up large amounts of costly enterprise storage for priority use by active data. With your inactive data automatically stored and managed in a trusted and inexpensive cloud repository, your enterprise backups will be approximately 20% of their current size. This will enable you to restore data faster and free up costly enterprise storage. For every TB of restorVault virtual cloud storage, you could recoup 3 TB from primary, backup, and other cloud platforms - a 300% increase in usable storage capacity.
The restorVault patented cloud solution provides two ways to store your inactive unstructured data as well as other high-value unstructured data safely and inexpensively in a trusted cloud vault:
The Compliant Cloud Archive (CCA) provides long-term information management and on-demand access to virtualized unstructured data, with an option to store your data in an immutable cloud storage tier for ransomware/extortionware protection.
The Tamperproof Cloud Storage solution (TCS) provides a hot standby-like protected storage repository that allows for complete disaster or ransomware recovery in minutes, not days.
Contact us today to learn more about how restorVault can help your company save money by storing and managing your inactive data while increasing data security and storage capacity!