The case for protecting Office 365 is undeniable. First, Microsoft’s license agreement makes it very clear that the data stored on its service is the user’s and it is the user’s responsibility to protect it. Second, it makes sense to protect Office 365, as there is an on-premises version of the software available. Almost every other SaaS application (G-Suite, Salesforce.com for example), can’t be run on-site. Having the data backed up only has value if, and when the service becomes available again. It is easy to understand the “why” of protecting Office 365, the “how” is a point of some confusion.
The priorities in protecting Office 365 are different than protecting an on-premises application. With an on-premises application, IT needs to concern itself with both high availability, availability during and through a disaster, and point-in-time protection from accidental deletion or cyberattack. The primary concern with SaaS-based applications is not a disaster caused by a natural event or even server failure.
Microsoft has taken extreme steps to make sure Office 365 is available through natural disasters and in-cloud server failures. Historically the service has maintained over 99% uptime. It is human-caused data loss, ranging from simple user error to a malicious attack, which is the primary concern. To recover from a human-caused event, IT needs to traverse back in time to find a point before the mistake or attack. Failures, as a result of human error or cyber-attack, are far more common than a disaster caused by a natural disaster or server failure.
Does Microsoft Provide Backup Features?
The first question is what to use for Office 365 backup. Most organizations point to the Office 365 recycle bin and version histories as a suitable stand-in for backup. The reality is that while these services provide some protection, they are not adequate protection. The first problem, which is determining when and how these “backups” occur, is not under the control of IT. It happens as the service dictates.
There is also a retention problem. While the administrator can set a retention period of “forever,” users can easily go in and “empty” these folders whenever they want. Most of the time a user emptying a folder is a holdover from past training that taught users to empty them as a best practice. If the organization is counting on recycle bins and versioning, as a form of backup, allowing the user to control backup retention times is problematic, especially in light of governance and compliance regulations and requirements that may apply to the organization’s data.
Another problem with the built-in services being under user control is that if an attacker compromises a user’s account, the attacker now can delete files at will.
The other reality is that most organizations have a relatively small account storage capacity and storing data indefinitely, as is the case with backups via a recycle bin, adversely impacts that capacity. The same is true with file versioning since each version of a file consumes capacity and pushes the organization to its capacity threshold more quickly. A separate backup enables the organization to use the recycle bin for its intended purpose, quick recovery of a very recent copy of data.
What to Look for in Third Party Backup Applications
Given the responsibility that Microsoft places on its customers to protect their data, as well as the very short-term protection value of the built-in Microsoft protection options, it is clear that organizations need to look for third-party data protection solutions that can give IT the operational backups required to protect against human-caused data loss and cyber-attacks. As a result, many vendors have raced to market with an Office 365 backup solution. Sorting through the myriad of available solutions is challenging. IT should establish a specific set of requirements when selecting an Office 365 backup solution.
Requirement #1 – Real Backups of Office 365 Data
The number one requirement is that the solution enables IT to have complete control over Office 365 data. The solution needs to protect data and store it separately from the Microsoft services. It also needs to protect the entire Office 365 environment including SharePoint, Exchange and OneDrive for Business. The solution needs to retain these backups for an IT-controlled period. Retention only makes sense if IT can later find data, and is critical if the organization has to meet specific regulatory compliance standards. The solution has to provide the ability to search for specific data and to recover that data rapidly.
Requirement #2 – Prevent Backup Silos
IT needs to be careful not to add an Office 365 data protection solution that creates yet another backup silo. Instead, IT should be trying to consolidate solutions and should look for a data protection solution from an established vendor that can protect their on-premises virtualized infrastructures, bare metal infrastructures, SaaS applications as well as cloud-native applications. While not always possible, IT should try to keep the number of different data protection software solutions that it has to maintain to a minimum.
Requirement #3 – Store Data Anywhere
The Office 365 backup solution should also have the ability to store data outside of Microsoft Azure. The ability to store backup data externally makes more sense with Office 365 data than any other service because all the applications in Office 365 are available to run on-premises.
The critical decision is where to store that protected data. Many solutions only provide the ability to store a copy within Azure, which is like copying data to the same hard disk and considering it protected. One option, which some solutions provide, is for the customer to store data on-premises. Storing a copy of data on-premises means reinvesting or at least continuing to invest in on-premises data protection infrastructure. As an alternative, the organization could store these backups at another cloud provider. Selection of that secondary cloud provider though is critical. Moving the data to another public cloud could be expensive and during recovery may require moving data out of the alternate cloud provider and restoring it on-premises, which could incur additional egress charges.
Alternatively, the organization could move the data to a custom cloud provider that cannot only store the data but also host essential Microsoft services. A custom provider that offers comprehensive services may make more sense than a public provider that can’t host Microsoft applications or restore data on-premises. As the organization continues to migrate to cloud services, they are less likely to have the ability to host applications like Exchange and SharePoint on-premises. The custom cloud provider can easily host all of these applications and enable the customer to recover quickly in the event of a significant Microsoft outage or if for some reason, they decide to bring the service back on-premises, without charging debilitating egress charges.
Requirement #4 – Flexible Recovery
The reason for backing up any environment is in case IT needs to recover data. In the Office 365 environment, granular recovery is most critical. Again, Microsoft does an excellent job of maintaining high availability through application outages and disasters. The primary purpose of Office 365 backup is recovery from a human error or cyberattack. These circumstances require granular recovery. The backup software should have the ability to restore a complete version of the data or specific subsets of it. Granular recovery means recovering files as well as objects from within the Exchange or SharePoint environment.
Requirement #5 – Complete OneDrive Support
One of the more puzzling aspects of Microsoft’s backup capabilities is how it supports OneDrive for business. Recovering an OneDrive account is an all-or-nothing proposition. If there is file corruption, accidental deletion or ransomware attack, IT can either restore the entire account or restore nothing. This lack of robust restore has made OneDrive support one of the most requested features. The problem is that most solutions on the market don’t offer the granularity that users require. Office 365 data protection solutions should be able to recover individual files, restore to another folder or user account and of course a full restore in case of a malware attack.
Sponsored by KeepItSafe