Have you been naughty, or have you been really naughty? Microsoft 365 users to get their very own Compliance Score

Got governance? Microsoft reckons there is room for improvement – it should know – and has used its Ignite Florida knees-up to batter compliance with its overused AI stick. Are you... compliant? Protecting data is a challenge. Microsoft 365 customers can already slap classifications and labels on documents to control which …

  1. Anonymous Coward

    as new documents arrive in the cloud.

    Ha, if the documents have arrived in the cloud, it's too late.

    1. Anonymous Coward

      Re: as new documents arrive in the cloud.

      You remind me of when I was asked to do a security audit on devices.

      I was asked why I had failed every fax and device with a fax card (that probably gives my age away).

      "Because they were faxes."

      "But what was the problem?"

      "They could send faxes."

  2. Steve Davies 3 Silver badge
    Facepalm

    Pssstt: Wanna pass that Audit?

    sign here for our latest widget.

    That will be two legs please...

    See Icon

  3. alain williams Silver badge

    Compliance score for office 365 ?

    Ie that Microsoft is properly protecting all of its users' files, ie not scanning them for marketable information or sharing with USA government agencies.

    1. bombastic bob Silver badge
      Trollface

      Re: Compliance score for office 365 ?

      The foxes CLEARLY stated that they do NOT eat the chickens. Why don't you believe them?

  4. bombastic bob Silver badge
    Big Brother

    what disturbs me..

    what disturbs ME is their mention of "Company Code of Conduct"

    Why is Office 365 getting involved in something like *THAT* ??? And WHAT does that have to do with your "compliance score" ???

  5. jake Silver badge

    Let me get this straight ...

    ... to make use of this offering, I am supposed to upload my business documents unencrypted (else how can the "AI" read/parse them?) to a computer system owned by Microsoft? Yeah, sure, right. That's going to happen ... five years to the day after Microsoft's last major security blunder. Maybe.

    What kind of idiot is this service aimed at, anyway?

    1. Anonymous Coward

      Re: Let me get this straight ...

      "What kind of idiot is this service aimed at, anyway?"

      The same idiot that would buy their own PowerBI license without telling IT.

      Middle-management.

    2. veti Silver badge

      Re: Let me get this straight ...

      The kind that bases their entire company library on Sharepoint.

  6. el kabong Silver badge
    Big Brother

    Perfect !!!

    What could possibly go wrong?

  7. Ken Moorhouse Silver badge

    I predict...

    I predict people being locked out of things they are supposed to have access to.

    If I'm thinking that, and the average IT user is thinking that, administrators are going to make sure this feature is disabled, just in case...

    But because there is a tendency for Microsoft to think that they know best, that disabled setting might just get enabled again at the next update.

    If Microsoft eat their own dog food, isn't there a risk that this might happen to their techies' systems too?

    Yup, the machines are taking control.

    1. Kiwi Silver badge
      Coat

      Re: I predict...

      > I predict people being locked out of things they are supposed to have access to.

      Pretty sure you're wrong.

      I mean, no automated service/system anywhere has ever locked a user/admin out of data/systems they should really have access to! Nothing's ever lost private keys or blocked all access or somehow flipped a bit in a password entry...

      Hope the customers have good backups of their data on their systems (only I'll not be surprised if the MS T&Cs claim 'copyright' of all data on their system...).. Although that'd kinda defeat the purpose of using any 'cloud' service like this anyway, as said data are outside the scope of the scamscanner

      1. Psmo Bronze badge
        Flame

        Re: I predict...

        Yeouch. My sarcasm detector just caught fire.

  8. Mr Sceptical
    Terminator

    Skynet has arrived?

    It's just no-one has realised this update has been pushed out by the AI and no humans were involved - until too late!

    That's it, run for the hills/fallout shelter. Where's my EMP cannon & half-brick in a sock?

  9. Doctor Syntax Silver badge

    First step to compliance: don't put your stuff on somebody else's server which can be accessed by a foreign - or any other - busybody just by telling the operator to hand it over.

  10. moiety

    I really don't understand Office 365...

    ...if data is important enough to bother presenting it nicely in a document then it's certainly important enough to firmly control who can read it. The whole product....no the whole concept...seems unfit for purpose to me.

    I mean yeah convenience and yeah shiny tools; but to my mind you'd have to be a fucking idiot to expose your private data to potential hostiles, especially in a business setting. I genuinely don't understand why people would even use this as a free product, let alone pay for it....on a leasing system yet; where it can all be taken away from you if your bank fucks up. Nope. I don't get it at all.

    1. Giovani Tapini Silver badge

      Re: I really don't understand Office 365...

      It's in the cloud, it's in the contract. Therefore your data is automatically safe... Even if you think your data is stored in a region, is the AI local to it? Or are you opting into a submission to the TLA...

      what I still don't get is why I keep getting told cloud has no risk....it's very frustrating

      1. Nick L

        Re: I really don't understand Office 365...

        > what I still don't get is why I keep getting told cloud has no risk....it's very frustrating

        I don't think anyone is saying that anywhere. The position I keep seeing people adopting is that because they're running on prem there's no risk: that too is frustratingly incorrect.

  11. Anonymous Coward

    IT Policy says no... But never says yes

    An immense source of frustration for me is the endless supply of Corporate IT policies that you must not $ForbiddenActivity. How about going about the policy the other way and answer How Do I?

    For example, documents classified as critical must be kept on encrypted storage, and strictly not in the cloud or on our networked storage. You must password protect data too. We have encrypted hard drives deemed "good enough", so local storage is OK. Apart from office passwords being trivially breakable, so far so good.

    Problems with these policies arise immediately. How do we back up the file if I can't use the network? Transferring it from one user to another means putting it on a suitable encrypted USB device; exposing risk of loss or theft. How do I get other colleagues to work on the document? And downstream users of the data may need to include a subset of it in their own analysis. Are they subject to the same restrictions? Maintaining version concurrency over sneakernet is a problem too.

    A bigger problem comes with Office 365 and internal corporate snoopware. While the file is being edited, the snoopware in conjunction with O365 is actively sending material across the BLAN as you type, for inspection purposes. Is the connection suitably encrypted? Do I know it's not being eavesdropped? The receiving end of the snoopware must be able to decrypt it to inspect it, and is that end of the chain allowed to see the classified data? Personnel do ultimately sit on the end of the chain after all. Are those personnel from a 3rd party? Some of them are. What are they looking for anyway?

    We're really good in the IT world at saying what NOT to do, but solutions for what to do are rarely forthcoming. The arcane world of Office 365, sharepoint and loss of control really just serve to further complicate answering any of these questions.

    1. Anonymous Coward

      Re: IT Policy says no... But never says yes

      "We're really good in the IT world at saying what NOT to do, [...]"

      I used to have an air-gapped PC to do analyses of sensitive customer network captures. The antivirus software was kept up-to-date by using an official version in standalone mode.

      Then someone complained that some people were ignoring the general intranet updates. A regime was enforced that if you hadn't been connected to the intranet for a few days - then the security package would lock your PC until you had connected and received any updates.

      The stand-alone updates were no longer to be supplied. Thus my very secure off-line system was compromised - by an enterprise decision that was supposed to increase security.

  12. Unicornpiss Silver badge
    Meh

    I'm sure this will work just as well..

    ..as EVERY other time Microsoft tries to think for you and anticipate behavior. And by that I mean very, very, very poorly to the point of wanting to cry with the aggravation of it.

    1. Anonymous Coward

      Re: I'm sure this will work just as well..

      The MS 365 email service has a habit of putting legitimate emails in the IMAP "Junk Mail" folder. If you use POP3 there doesn't seem to be any way to see that repository - so the emails become invisible in that mode.

      There appears to be no predictable consistency in the filtering. Ebay auction confirmations occasionally end up in there. Flickr and Yahoo user official notifications do too.

      All the web page form posts forwarded from my web site get junked - even though each one will have a fair amount of variable user text. The formats are predictable - but security checks mean picture name updates and guest book submissions are validated before the email is sent.

      In low volumes that can be tolerated - the human filter can move them to the "new mail" folder. You would think the MS 365 algorithm would learn the pattern of what you consider valid emails.

      1. Kiwi Silver badge
        Trollface

        Re: I'm sure this will work just as well..

        > In low volumes that can be tolerated - the human filter can move them to the "new mail" folder. You would think the MS 365 algorithm would learn the pattern of what you consider valid emails.

        If you're using Thunderbird or Evolution, you should be able to make a simple script to move messages out of the junk folders as needed.

        If you're using that Other thing, well, welcome to the 90's... :)

  13. FuzzyWuzzys
    Facepalm

    It's a great idea and worth playing with to see what it does, but use in production? No fecking way! Can you imagine MS going to town on all your company's data, labelling it all, then you come in on Monday and no one can access anything 'cos the labels have locked down the permissions and your local helpdesk is swamped with irate users who can't open their 65 XL sheets.


Biting the hand that feeds IT © 1998–2019