
Source: State of Washington - Washington Technology Solutions | watech.wa.gov/.../files/OneDriveRecommendationsFinal.docx

State of Washington
Evaluation of OneDrive for Business – May 2017

In preparation for a move to Office 365, the state of Washington evaluated how well OneDrive for Business (OneDrive¹) satisfies state requirements to store and handle documents and files. We assessed whether, or under what conditions, state documents and files should be stored on OneDrive to support the regular course of state business.

Executive Summary

Proceed with Caution, as described below. Agencies should establish a limited number of approved locations to store files and documents. OneDrive for Business could be one of those when used according to this report’s recommendations.

For Document Creation:
1. Employees could create documents on OneDrive and collaborate with others to do so, subject to security restrictions in this report.

For Document Use and Long Term Management:
2. Completed documents used only by the employee can remain in the employee’s OneDrive workspace.
3. All documents intended for use by other people should be stored on other approved platforms where the agency manages permissions and retention, such as File Shares, ECM, SharePoint, etc.

Employees should think of OneDrive as their individual workspace, similar to MyDocuments on their PCs or their individual drive on a file share.

Process for Study

Borrowing from agile methods, the team used user stories to evaluate OneDrive for Business from the perspective of each of five major roles needed to manage electronic records: the user, the central account administrator, the records manager, IT security, and legal/public disclosure.

The team employed the records management concept of a record’s lifecycle shown below:

- Creation: Writing, Receiving, Recording
- Active Use: Reading, Sharing, Publishing
- Retention: Storing, Retrieving, Backups
- Disposition: Destroy or Archive

¹ All references to “OneDrive” are meant to describe “Microsoft OneDrive for Business” – not the consumer version. This evaluation focuses on Microsoft’s Online OneDrive for Business, but applies also to the 2015 on-premises OneDrive for Business.


The OneDrive evaluation was based on materials from the following previous official efforts:
- Online File Storage and Synchronization Master Contract RFP – for systems of engagement
- Enterprise Content Management Master Contract RFP – for a system of record
- Online File Storage Guidelines from the Office of the Chief Information Officer, 2012 – for systems of engagement

The two RFPs and the Guidelines constitute the standard of care to manage state documents and files as core assets of government. They were collaboratively developed by a community of Washington state agencies and experts responsible for records management, public records requests, legal services, technology, IT Security, and privacy. They incorporated business and external regulatory requirements from numerous agencies.

Along with this OneDrive evaluation, future storage and sharing tools can be evaluated by customizing and reusing the above RFPs and Guidelines.

OneDrive Evaluation Team Members:
- Kristal Wiitala, DOR (prev. DSHS) Public Records, Information Governance, Legal
- Anita Wieland, OFM Records Manager
- Mark Glenn, MIL Deputy CIO
- Alex Hamilton, MIL CISO
- Cynthia Whaley, MIL Public Records Officer
- Bernadette Petruska, MIL Program and Policy Analyst
- Eric Dazell, ESD Desktop Engineering
- Daniel Hoinowski, ESD Application Architect
- Renee Linder, ESD CIO
- Robert Page, ESD Public Records Officer
- Leslie Turner, SOS State Electronic Records Management
- Chuck Pfeil, SAO Deputy of Performance Audit, State Records Cmte
- Michelle Tuscher, ACB CIO
- Jennifer Sciba, ACB Deputy Director
- Ed Lukowski, WSSB IT Manager
- Martin Singleton, ATG IT Consultant
- Frank Welter, DRS Network Technician
- Jay Walsh, DRS ITS Manager
- Michelle Blake, WSDOT Architect
- Aaron Munn, SAO CISO
- Bruce Wirth, SAO Records
- Nancy Krier, ATG AAG for Open Government, Legal
- Angie Ragan, DSHS Enterprise Cloud Architect
- Paul Cox, DSHS Chief Enterprise Architect
- David Lee, DOH Technical Resource Director
- Phil Brady, DFI Public Records, Privacy, Legal
- Cynthia Jones, DFI Information Governance, ECM Architect
- Dave Kirk, DFI CIO
- Matt Stevens, WaTech / OCS Statewide IT Security
- Will Saunders, OCIO Statewide IT
- Jason McKinney, WaTech State IT Architect
- Karen McLaughlin, WaTech State IT Architect

Microsoft participants:
- Steve Finney, Microsoft State Account Executive
- David Zarling, Microsoft OneDrive SME
- Abel Cruz, Microsoft Technology Strategist
- Stephen Rose, Microsoft OneDrive Marketing
- Chris McNulty, Microsoft SharePoint Marketing
- Ian Story, Microsoft SharePoint Engineering

Many of these individuals are leading authorities for the state in their respective areas of expertise.

Team Observations:

Usability / Designed Use
- OneDrive for Business is a flexible home for an individual employee's documents
- Great for individual contributors:
  o Collaboration with others
  o Mobility
  o Usability
  o Flexibility
  o Basic hold/search
- It is based on SharePoint; it’s a piece of SharePoint allocated to an individual employee
- Global settings are centrally managed by the agency while employees manage permissions and other features
- Except for System Administrators, materials in an individual’s OneDrive for Business account are not visible to other employees unless they are specifically shared.
- OneDrive for Business is different from the consumer version that you get with either a Microsoft account or Outlook.com internet email. Microsoft does not recommend the consumer version for state agency use.

Central Administration
- Most systems administration, records management, and disclosure work is done in SharePoint, not OneDrive
- Evaluation team members found the administration functions intuitive, easy to use, and appropriately reachable from anywhere, once they know where the tools are located
- Evaluators were concerned about visibility of agency work product to other agencies, and about trusting WaTech as the central administrator
- There were concerns over agency-configurable versus global controls and settings when addressing the needs of individual agencies
- Provides many automatic retention rules; however, it can be easy to set up incorrect retention rules on event-based triggers (e.g. “six years after case is closed”) due to configuration complexity. Most state retention schedules are event-based, not based on the date of the record.

Security
- As with any cloud service, special care must be given when granting access permissions to other users, especially those external to the agency. Otherwise, confidential documents (category 3 or 4 under the state’s data classification) in the current or adjacent folders could be unintentionally exposed to unauthorized disclosure to other staff, agencies, or the public.
- Each employee manages permissions to their files and folders within their own OneDrive account. General global settings also apply, and a global setting caps what any individual employee can grant.
- The picture is improving:
  o Good security controls protect documents in transit and at rest
  o Two-factor authentication is part of Office 365, but is not yet here to meet Washington’s needs. It does not yet integrate with SAW (Secure Access Washington) two-factor authentication.
  o Mobility and access to data on all devices is a benefit
- Some security features require special licensing options agencies do not currently have
- All data is automatically encrypted at rest and in transit.

Records Management / Retention
- Good audit log and maintenance to support integrity of records. Document versioning is available.
- Liked automatic application of retention rules, but event-based triggers such as "six years after case is closed" are dependent on workflows. Most retention schedules are event-based, not date of record.
- Retention capabilities exist (see Supporting Materials below) but a great deal of dependence rests on employees to store data and records properly. If not, these capabilities do not protect agencies.
- Focus / onus is still on the individual employee, enabling staff to continue poor records practices
- OneDrive still emphasizes “personal” folders, which perpetuates silos of information within work units as well as enterprise-wide
- “Unlimited” storage continues to build volumes of information/data without means of accountability or defensible disposition
- OneDrive does not fix an agency’s lack of file organization and/or records management.
- Issue: Which agency has responsibility for shared records? OneDrive does not provide much in the way of meaningful tools to enable better practices in this area.
- There are costs for migration of records and add-on tools.

Public Disclosure
- E-discovery search results must be exported to different software to be refined, processed, redacted and published. More copies, more tools to purchase, more expense and complexity (as compared to email tools in use today).
- No method to review incremental search results and save progress within the search tool, nor to exclude duplicate results.
- Adequate discovery search not supported with our license
- Will still need to use Discovery Accelerator and vault for email.
- Lacks full Electronic Data Records Management support
- Evaluators liked the ability to search multiple locations such as Skype and OneDrive in one sweep.
- Litigation holds may be placed at the account level, or placed via a search. These searches may be granular, but OneDrive does not permit holds to be applied or removed for individual items, resulting in over- or under-inclusion.
- “One more place to search; one more tool to learn. Storage and tool sprawl”
- The Public Records Act requires an agency to produce records it “prepares, owns, uses or retains” – regardless of how they are shared or stored. With cloud based systems like OneDrive, how will agencies produce documents they share but don’t own? State-endorsed systems must help agencies comply with the Public Records Act, or they should be discarded.

Recommendations: How to use OneDrive for Business

Based on observations of OneDrive and Washington’s requirements for employee usability, central administration, records management, IT security and public disclosure, the team makes the following recommendations on using OneDrive for Business:

1. Employees should think of OneDrive as their individual workspace, similar to MyDocuments on their PCs or their individual drive on a file share (”Home Drive”). The types of files approved for storage in those locations could be stored on OneDrive. In all cases, agencies and employees should use OneDrive for Business and not the consumer version.

2. For each phase of the document lifecycle, documents could be stored on OneDrive for Business and other storage systems as shown below.

  o Creation Phase: Employees could store documents on OneDrive for:
    - Document creation/editing, enabling a mobile, flexible workforce
    - Ad-hoc collaboration during creation (“hey look at my draft”)
    - Sharing/collaborating on Category 1-3 files within an agency, or between agencies within the Office 365 tenant
    - Sharing/collaborating on Category 1-2 files outside the Office 365 tenant
    Other agency storage systems could be used as well.

  o Active Use Phase: Documents and files intended predominantly for an individual employee’s use can be stored on the employee’s OneDrive for Business workspace. Documents intended for dissemination or use by others inside or outside the agency should be stored on other approved platforms where the agency manages permissions and retention, such as File Shares, ECM, SharePoint, etc.

  o Retention Phase: Same as Active Use phase above. Some documents have complex retention triggers and calculations. Be sure to store these documents on systems that can meet these requirements.

3. If an agency is thinking of moving all file shares to "the cloud":
  o OneDrive isn’t the tool for this purpose
  o SharePoint can work, but presents governance challenges and limitations inherent in hierarchical folder structures. Our team’s records managers and security specialists expressed discomfort with this approach.
  o Agencies choosing to use OneDrive for Business should develop policies and procedures on appropriate employee use, and incorporate best practices for records management, privacy, security and disclosure.

4. OneDrive for Business, like other tools in this space, is in active development. New features are implemented on an ongoing basis. Examples include:
  o Two-factor authentication for collaborators outside the state enterprise
  o Preservation policies that could help with records retention

Important Take-Aways
- Agencies appreciated the process of this study. "WaTech was listening."
- All documents are subject to retention, whether that is “transitory”, where it is not required to be kept past its business use, or some other retention period as approved. Be sure to use storage systems that help agencies calculate and meet their retention and disposition requirements.
- OneDrive for Business presents a few implementation risks and opportunities:
  o It must be distinguished from OneDrive (consumer version), which comes pre-installed on Windows desktop operating systems. Microsoft marketing doesn't distinguish the products well.
  o It continues to promote ad hoc, difficult to manage, folder and filing schemes on yet another storage system. This promotes agency waste, risk of public disclosure fines, theoretically unlimited storage capacity, and no cost drivers to encourage proper file management.
  o It could allow employees to mingle personal data from personal accounts with state data and accounts with a simple drag-and-drop, unless carefully configured to prevent this. This presents a big risk to state agencies.
  o Built-in sharing tools (both internal and external) are attractive but raise potential risks of inadvertent disclosure of confidential state data.
  o Microsoft’s messaging regarding its different product offerings is unclear at best and must be addressed with agency employees, particularly with drawing the lines between OneDrive, SharePoint, and Office 365.
  o The decision to allow external access may need to be a universal setting which all agencies may not agree on.
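The following PowerShell is an added example, not part of the WaTech report, showing the three controls the Security observations and the take-aways above turn on: the tenant-wide external sharing setting (the "universal setting" that caps every employee's OneDrive), the per-employee sharing setting and external-user list behind it, and the client-side policy that keeps consumer OneDrive accounts from syncing onto state PCs. It assumes the SharePoint Online Management Shell module is installed and run by a SharePoint administrator; the admin URL and tenant ID are placeholders, and the decision to tighten the tenant setting automatically is an assumption for illustration rather than something the report prescribes. Cmdlet names, parameter values and registry keys are Microsoft's documented ones.

```powershell
# Added example (not from the WaTech report). Placeholders: replace with the
# state tenant's admin URL and Azure AD tenant ID before use.
param(
    [string]$AdminUrl      = 'https://contoso-admin.sharepoint.com',          # placeholder
    [string]$StateTenantId = '00000000-0000-0000-0000-000000000000'           # placeholder
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

# 1. Tenant-wide external sharing: the ceiling for every site, including
#    every employee's OneDrive. 'ExternalUserAndGuestSharing' allows
#    anonymous "Anyone" links, which is the setting that lets a category 3/4
#    file leave the tenant with no record of who opened it.
$tenant = Get-SPOTenant
Write-Host "Tenant SharingCapability: $($tenant.SharingCapability)"
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    # Require external recipients to authenticate, and make the default
    # "Share" link a direct link to named people rather than an org-wide one.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
                  -DefaultSharingLinkType Direct
}

# 2. Per-employee OneDrive sites. Each OneDrive is a SharePoint personal site
#    under the "-my.sharepoint.com/personal/" host. A site can be stricter
#    than the tenant but never looser, so this is where an agency that does
#    not want external sharing at all can opt out of the universal setting.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
                         -Filter "Url -like '-my.sharepoint.com/personal/'"

$findings = foreach ($site in $oneDrives) {
    # External users who already hold access to this employee's workspace:
    # the "current or adjacent folders" exposure the report warns about.
    $external = Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50
    [pscustomobject]@{
        Owner          = $site.Owner
        Url            = $site.Url
        Sharing        = $site.SharingCapability
        ExternalUsers  = ($external | ForEach-Object { $_.Email }) -join ';'
    }
}

# Review list: every OneDrive that can still share outside the tenant or
# that already has an external user on it.
$findings |
    Where-Object { $_.Sharing -notin 'Disabled','ExistingExternalUserSharingOnly' -or $_.ExternalUsers } |
    Format-Table Owner, Sharing, ExternalUsers -AutoSize

# Example of the per-site opt-out for an agency that has decided against
# external sharing: pass that agency's OneDrive URLs in $noExternalUrls.
$noExternalUrls = @()   # assumption: populated from the agency's user list
foreach ($url in $noExternalUrls) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# 3. Client-side sync policy (applied on the workstation, or through GPO /
#    Intune). Blocks the consumer OneDrive account and any tenant other than
#    the state's, which is the configuration that stops personal files being
#    dragged into state folders and vice versa.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
New-Item -Path $policyKey -Force | Out-Null
# "Prevent users from synchronizing personal OneDrive accounts"
Set-ItemProperty -Path $policyKey -Name 'DisablePersonalSync' -Value 1 -Type DWord
# "Allow syncing OneDrive accounts for only specific organizations":
# the value name and data are both the permitted tenant ID.
New-Item -Path "$policyKey\AllowTenantList" -Force | Out-Null
Set-ItemProperty -Path "$policyKey\AllowTenantList" -Name $StateTenantId `
                 -Value $StateTenantId -Type String
```

Steps 1 and 2 run from an administrator's workstation against the tenant; step 3 is a workstation policy and only takes effect on the machine where it is applied (or wherever the GPO or Intune profile that carries it lands). The audit in step 2 is read-only; the two `Set-` calls are the only changes, and the per-site loop is a no-op until the agency supplies its URLs.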


Employee training across agencies is essential for most WaTech services that are employee facing and that manage state data. This will avoid security, records management, and public disclosure risks stemming from a lack of understanding and improper use. This would include OneDrive.

WaTech and its customers should expect a significant effort when agencies start up any new statewide tools and systems, especially those that are employee facing and manage state data. This is not peculiar to OneDrive, but it’s sometimes overlooked in state IT.

During public disclosure, agencies must notify another agency when they disclose “shared” documents belonging to another agency. Agencies should address this concern in data sharing agreements before it occurs.

Supporting materials
- Evaluation document (on Box.com)
- Written Responses (on Box.com)
- Picture Book with detailed evaluator comments (OneNote notebook on OneDrive)
- MSFT white paper on security
- What’s included in various O365 packages (MSFT)
- Overview of retention policies in Office 365 (MSFT)
- Overview of “Labels” in Office 365 (MSFT)
- Advanced Data Governance announcement for Office 365 (MSFT)