Microsoft Office 365 – is external backup really needed?
Most companies generate a significant amount of unstructured data (e.g., emails) that needs to be protected, preserved and accessible, often for legal reasons. Microsoft Office 365 is a major source of that data but it is risky to assume that Microsoft is caring for it on your behalf. What we assume Office 365 does with your data and what actually happens needs to be clear and understood.
To complicate the situation, it is often difficult to know exactly how well Microsoft supports data backup, retention and recovery. Cloud service providers, including Microsoft, typically adopt a shared responsibility model but the details can change over time, can vary by application and are often easy to misunderstand.
The net result is that, while you can transfer responsibility for your Office 365 technical infrastructure, you are always accountable for your business data.
The gap in data responsibilities
The backup process copies data to a separate, secure storage location on a scheduled basis but doesn’t automatically restore it when the primary data is altered (i.e., it does not try to create a mirror image). It is important for the data owner to have direct access to, and full control over, the backup process so that the data can be recovered quickly and selectively if the primary data is lost or deleted for any reason.
In a traditional data centre the backup was stored on magnetic tape with off-site vaults for physical separation. Procedures were devised to make full and incremental backups, to re-cycle the physical tapes and to maintain high security. However, the data was only put online when needed to restore the primary data, so the backup data could not easily be used for eDiscovery or granular recovery functions. Today, cloud-based backup data is online and readily available for immediate use.
Microsoft (and most cloud service providers) do not offer to take control over customer data or to assume liability for data breaches, corruption or destruction. Microsoft does, however, claim Office 365 customer data is available whenever it is needed using Microsoft’s built-in replication for geographic redundancy; however, any data corruption or deletion actions are also copied.
The reality today is that only SharePoint Online customer data is backed up – integrated backup/restore capabilities are not available from Microsoft for Exchange Online, Teams, Planner or Azure Active Directory. Data backup and recovery for Office 365 is simply not a primary focus of Microsoft’s products.
Office 365 provides archive mailboxes that can help with some retention, eDiscovery and litigation hold requirements. An Exchange retention policy can be used to move mailbox contents to the user’s archive mailbox automatically and, if needed, a user can recover items deleted from their archive mailbox for a limited time. The Office 365 recycle bin, which deletes contents after 30 days, provides no deletion rollback option.
Office 365 data for inactive and deprovisioned users is permanently deleted unless the account license is retained, which can be costly. Microsoft does, however, provide limited access for 30 days to export your data after expiration or termination of an Office 365 contract.
Protecting company data is critical
Office workers depend on Office 365 for most of their day-to-day activities, with between 5 and 50% of company emails qualifying as corporate records that might be required for auditing purposes, according to a CIO Insight survey. Losing a major report, presentation or even a single email could, at the very least, be a significant inconvenience but it could also lead to a lost sales. The same survey also indicated that 1 out of 3 respondents said that the potential financial exposure of being unable to produce emails could be more than $5 million. More than half said the financial impact could be at least $1 million.
An email that goes missing can be time consuming and annoying but, more importantly, what would you do if a set of emails from multiple authors had to be extracted for evidence in a court case?
Backup requirements haven’t really changed just because office systems have moved to the cloud. Some of the common reasons for an external backup system are provided in the box at the right.
For some customers, however, a backup system can be justified simply as a mitigation against the Office 365 equivalent of placing “all your eggs in one basket.”
Reducing administrative complexity and the potential for user errors may also be a sufficient reason to deploy a third-party backup solution. Multi-site organizations with hybrid cloud solutions (i.e., combinations of on-premises and cloud-based accounts) would benefit from consolidated backup management.
Some reasons to back up office data:
· Some data may have to be retained for legal reasons (a litigation hold);
· Storage media may be subject to physical failure (although various schemes are used to avoid single points of failure);
· Accidental or malicious purging of recycled/deleted items does happen;
· Well-meaning administrator may delete or purge items they aren't supposed to;
· Hackers sometimes do gain unauthorized access to an administrator’s account;
· Ransomware attacks can encrypt Office 365 data, making it inaccessible;
· Requirements do exist to retain files even when a user account is terminated.
In some organizations, the cost of a cloud-based backup system may be less than the costs and security exposures associated with retaining old Office 365 accounts, especially if user turnover rates are high or mailboxes are frequently re-assigned.
One other compelling reason for external backup storage is that, in 2018, the median time from a compromise to a user notification was 78 days according to the FireEye M-Trends report. Since Office 365 data is generally recoverable for only up to 30 days, a significant potential for permanent data loss exists.
In the end, companies must accept accountability for their data no matter what it includes, how it was created or where it may be stored. Simply relying on Microsoft for replicating and archiving Office 365 data does not replace a separate, user-controlled data backup system.
Backup data access, control and discovery
Veeam® Backup for Office 365, a multi-tenant cloud service offered by ThinkOn through its partners, can serve as a robust, resilient, third-party, cloud-based backup service for Exchange Online, on-premises Exchange, SharePoint Online, on-premises SharePoint and OneDrive for Business. Data can be selectively targeted for backups which can be scheduled weekly, daily or even as often as every five minutes.
The backup data can be stored in the ThinkOn cloud, in your on-premises data centre or even in a hyper-scale public cloud. One reason why many businesses opt to integrate external backup for Office 365 is to increase security, such as role-based access control and auditing which can allow a different department or administrator to hold the rights to perform restores.
Restoring Office 365 data using the Veeam-based backup service provides industry-leading recovery flexibility including reliable, granular restore operations for Office 365 email items, SharePoint sites, documents, libraries and lists as well as OneDrive for Business accounts, files and folders, all in a few simple clicks. In total, 25 distinct restoration functions are provided, ranging from restoring an Exchange item to an on-premises Exchange mailbox or calendar to having a service provider restore a OneDrive file, folder or user for a tenant.
You can also use Veeam’s efficient eDiscovery on the backup data to help with finding specific files for legal and compliance requirements. Without an easily accessible copy of your data, retrieving emails can be a costly and time-consuming activity.
Consolidating the backup and restore functionality for both cloud-based and on-premises instances of Office 365 can also simplify the administrator’s tasks. For example, backing up from one location and restoring to another could be very useful during migration projects or for frequent employee re-assignments.
The ThinkOn-powered Veeam Office 365 Backup gives subscribers the option to choose per-user pricing or unlimited storage models. With each license, you can get unlimited storage with your choice of one year, three year and forever retention periods. This option makes it easy to simply focus on user counts and not worry about storage costs. Alternately, with the pay-as-you-go storage model, you would pay the lowest cost per license and then pay for whatever storage you use, which is great for those who would like to monitor storage and tightly manage costs.
The bottom line is that you, not Microsoft, are responsible for your data, for assessing the risks associated with cloud services and also for mitigating any risks that are unacceptable. But you are also accountable for controlling costs, maintaining compliance, supporting your users and improving data security and privacy. Veeam Backup for Office 365 combined with the ThinkOn portal and cloud infrastructure provides a solid platform for taking control of your Office 365 data.