[Sponsored] The Need for PST Eradication from Office 365 Tenants

PST Migration Process

This post is sponsored by Quadrotech, you can learn more about their PST Migration tool here.

Old File Format, Time to Go

Seen through the lens of 1996 (think of the excitement caused by Windows 95), a PST was a pretty good deal. Exchange mailboxes were small because storage was expensive. The first version of Outlook was under development, and people wanted more space. Microsoft dutifully delivered the Personal Storage Table and even allowed Outlook to deliver email to an Inbox in the PST. All was well.

That was 21 years ago. Time has moved on and PSTs don’t look so good when viewed through the lens of current technology. The file format is notoriously insecure (password crackers are easily available) and prone to corruption. But more importantly, the easy availability of mailbox storage and the advent of features like Exchange Online expandable archives obsoleted the PST years ago.

I’m no fan of PSTs and eschew their use at all times. In 2016, I helped write an ebook called The Complete Guide to Eradicating PST Files. The ebook is still available, and its focus is still correct: it’s long past time to get rid of PSTs.

Sony Loses Sensitive Data on PSTs

Even the most ardent defender of the PST can’t say that these files are secure. The infamous Sony Pictures hack in 2014 is just one example where companies lost information in PSTs. Attackers stole like backup.pst and archive.pst for 179 mailboxes and extracted lots of deliciously salacious information that was subsequently published. Remember, any Outlook desktop client can open any PST.

Despite well-documented instances like the Sony hack, it’s a source of wonder to me that organizations continue to allow people to use PSTs. Apart from exposing company confidential information to potential loss if people lose their PC or USB drives, email that isn’t kept in a mailbox lies outside the scope of Office 365 data governance and compliance functionality like retention policies. With regulations like GDPR in place, organizations can be fined large sums if they don’t manage personal information properly, and stuffing email and documents holding personal information into PSTs is just one example of bad practice that can creep in if you allow people to use PSTs.

Bad Backup Practice

I am similarly bemused by companies selling “backup to PST” products. Any Office 365 tenant administrator who uses PSTs for backup needs to have their head examined by a competent medical professional. Given the amount of data stored in Exchange Online mailboxes (something’s got to fill the 100 GB quota), backing up a mailbox to a PST can take a very long time. The default maximum of a PST with Outlook 2016 is 50 GB. You can increase the maximum file size (if you’re brave), but that doesn’t seem like a good thing to do either.

One Use Case for PSTs

The one reasonable use case that I can come up with for a PST in an Office 365 scenario is to transfer information to a third party such as a lawyer. This might happen during an eDiscovery operation where messages are found that need to be reviewed by an external expert. For all their faults, PSTs are widely readable, and that’s why Office 365 content searches support the export of found data to PSTs (the same applies to how Office 365 handles GDPR data subject requests).

Impact of Encryption on PSTs

Some say that they need the ability to use PSTs so that they can store personal information. In most cases, this assertion is invalid. Personal information can be stored in an online mailbox and protected there against unauthorized access using rights management, which is enabled by default for all Office 365 E3 and E5 tenants.

Indeed, the growing use of rights management-based encryption inside Office 365 through features like sensitivity labels will soon make PST storage much less attractive for people who want to use PSTs to bring information from one company to another. Any encrypted message will become inaccessible as soon as a person’s Office 365 account is disabled because that person won’t be able to authenticate themselves with Azure Information Protection to gain the right to access the encrypted content.

Plan for Change

If your organization still uses PSTs and you want to break the habit, what should you do? Here’s my suggested checklist.

  1. Educate users that online storage is much more secure and accessible than PSTs. For instance, if someone needs to use OWA when traveling, they have full access to their mailbox and archive, but they can’t open PSTs. The same is true for smartphone clients like Outlook mobile. Paint the picture that PSTs are a dead-end street.
  2. Stop the spread of PSTs by deploying a group policy to stop users creating new PSTs and writing data into existing PSTs.
  3. Investigate tools to find PSTs on user workstations and ingest them into Office 365. Microsoft has some tools to help such as the PST Collection tool and Office 365 import service. There are many ISV PST migration tool sets available too that should also be considered.
  4. Communicate that you will gather PSTs from user workstations and ingest them into user mailboxes in Office 365 and when this will happen. You don’t want unhappy users, so make sure that they understand the benefit of the exercise and that they will not lose data.
  5. Make sure afterwards that PSTs don’t come back like zombies rising from their graves.

Free or Paid-For

The Microsoft tools for PST collection and ingestion are free, so you can’t argue with the free point. These tools do a good job for small to medium organizations where you don’t have more than a couple of thousand PSTs to process – For more information on this, you can download Dominik Hoefling’s guide, How to Migrate PST Files to Office 365.

Running a PST eradication program for a large enterprise needs a different kind of tool set because automation, workflow, and user communication become very important aspects. The project might take months to complete, you probably need to deal with tens of thousands of PSTs, and the work might happen over several countries. In addition, the tools need to be able to handle deduplication (PSTs have a habit of storing a lot of duplicate messages), handling password-protected files, and dealing with mild to medium corruption (many items in older PSTs suffer from corruption). Finally, speed of transfer to Office 365 and the ability to handle problems on-the-fly during transfer are important contributors to the goal of eliminating PSTs rapidly with zero data loss.

As you might expect, you’ll have to pay for tools that include features like those listed above (Quadrotech PST Flight Deck is an example), and while no one likes to pay when free tools are available, the time saved for administrators through automation is usually sufficient reason to justify the spend. Unless, of course, you like processing PSTs manually (a task that rapidly gets boring and is positively tiresome when you reach the early hundreds of PSTs).

Time to Change

PSTs ran out of road years ago. It’s time to dump these files and move on. I can understand that some users might think that they need their data in PSTs because “the cloud is unreliable,” but the simple fact is that eight years of solid operation by Office 365 has disproved that myth. We don’t need PSTs anymore. Let’s eradicate the lingering file remnants of 1996.

This post is sponsored by Quadrotech. Quadrotech created a guide to help prevent Microsoft Teams disrepair. It explores basic Teams management functions and method. Download guide to help your organization maintain a well-managed Microsoft Teams instance that works as an advantage for your users. Download now!