The struggle is real. Is it possible to have a great end-user experience in Office 365 yet still have security, privacy, and compliance controls enforced? It’s not an easy answer and if your organization is struggling with striking that perfect balance, you’re not alone. The path to figure it out may be filled with heated conversation and debate, often with competing interests. It will require a constant, dedicated focus to strike an acceptable balance between end-user experience and the security, privacy, and compliance controls in your tenant.
To explain the trade-off between these two sides, let’s talk about what a good end-user experience is. It can mean different things at different times.
On one hand, it might mean the ability to have any tool available whenever and wherever you are, completely unencumbered, so you can just get your job done!
On the other hand, it might mean instilling trust by ensuring your account and data you work with are protected from any threat so you’re comfortable working in Office 365.
Both of these things contribute to a good end-user experience, however they’re often at odds with each other. Organizations need to perform a balancing act between end-user experience and the security and compliance controls implemented.
Follow along as I talk about both sides.
A Great End-User Experience
Teams in an organization who work to support the end-user experience are responsible for rolling out all collaboration tools and the goodness they bring: Microsoft Teams, Yammer, Planner, Modern Team Sites, Communication sites, Microsoft Flow, PowerApps, etc. They take great interest and pleasure in new features announced and are constantly looking for ways to improve the end-user experience. This group also includes Adoption experts who work with teams across the organization ensuring they’re trained and comfortable using the tools to get their work done. Adoption experts are usually the first to hear from end-users when something doesn’t work quite the way they want it to or is too difficult to use.
I would argue if not enough security & compliance features are put into place, this could have a negative impact on the end-user experience. For example, if ransomware infects some of your user’s computers on your network and your IT team has to spend days identifying root cause and isolating the infected machines, this is a terrible end-user experience for those affected. In cases like this, having a protection control implemented (like Advanced Threat Protection, Safe Links, or Safe Attachments) could improve the end-user experience. This is why it takes a considerable amount of planning to ensure the appropriate amount of controls are enabled in your tenant to protect, but not unnecessarily impede your end-users.
Security & Compliance Controls
Teams in an organization who are responsible for rolling out the security, privacy, and compliance controls are specialists in their respective fields and are up-to-date on the latest security threats, privacy regulations, and compliance standards. Typical resources in this group are: Security Officer, Privacy Officer, Compliance Officer, Records Officer, Legal Officer, Risk Officer, Identity and Access Management staff, Audit Officer, and IT-Pro Administrator.
The types of controls implemented in an organization are a factor of its industry, region, regulatory requirements, privacy regulations, etc. Organizations need to implement the controls required to protect their corporate assets based on what’s available to them in their license within Office 365 (or use other third-party solutions). Some services included to implement them within Office 365 are: Azure Information Protection, Data Loss Prevention, Cloud App Security, Conditional Access, Multi-factor authentication, Advanced Threat Protection, and Retention Classifications and Policies.
At the end of the day, we want end-users to trust the environment they’re working in, be confident they’ll be protected from threats to their data, and remain compliant in any tool they choose to use within Office 365. Done right, this can also contribute to a good end-user experience.
How do you decide when to implement a control?
To help solidify your decision whether or not to enable a security, privacy, or compliance control in your tenant, start by answering this question:
“Why did your organization move to Office 365 in the first place?”
Was it to:
- mitigate/reduce risk?
- increase compliance?
- improve the collaboration experience for information workers?
- improve the mobile experience for your workforce?
- reduce costs?
- improve business process automation?
If there were multiple reasons from above, weight them to decide which one is more valued. You must know what’s more important for your organization so you’ll be able to make a sound decision when the time comes to light up a feature if you have opposing demands for/against it. Examples:
- Do we implement Conditional Access controls for added security even if it might impede the ability for some staff to work like they’re used to doing when they’re connected outside of the corporate network?
- Do we implement required Azure Information Protection labels without a default, forcing end-users to pick one before saving?
- Do we require end-users to manually provide a retention label for their documents in their collaboration Team site?
Which side is right?
Both. I know of several examples where an organization has favoured user experience over Security & Compliance and they were burnt by it. It usually only takes one breach to force some tough decisions and tip the scales in favor of the Security & Compliance side.
However, I also know of many examples where an organization has favoured Security & Compliance over user experience and one thing for sure, the user will always find a way around a control. It could be in the form of an unsanctioned SaaS app, posting passwords on Post-its, or emailing documents to themselves.
It requires constant vigilance from the IT team to strike an acceptable balance.
My Thoughts
Many organizations won’t have the luxury of trading off Security & Compliance for the perfect end-user experience – they may be required by law or regulation to do it. However, as IT Professionals we must figure out how much to tip the scale toward security & compliance without impacting a good end-user experience as much as possible. Where it’s impacted, ensure end-users know why the control has been put in place and it’ll be a lot easier for them to accept.
The Security & Compliance of your organization depends on it.
Thanks for reading.
-JCK