Table of Contents
Understanding Shared Responsibility in Microsoft 365
Why Cloud Infrastructure Isn't Bulletproof
The Limitations of Native Microsoft 365 Recovery Options
The Role of Immutable Backups in Data Protection
What is the 3-2-1 Backup Strategy?
Managing Risks: End-User Deletions and Ransomware Attacks
Tailored Retention Policies for Compliance
Download the Best Practices Infographic
Understanding Shared Responsibility in Microsoft 365
When organisations adopt Microsoft 365, they often assume that Microsoft handles all aspects of data protection. While Microsoft does manage infrastructure and uptime, the responsibility for data backup, retention, and compliance rests with you. This concept of shared responsibility is crucial to understand for any IT team looking to safeguard their data.
Microsoft ensures the availability and performance of the platform, but they do not provide comprehensive data backup solutions. This means that you are responsible for implementing your own data protection strategies, especially to safeguard against data loss scenarios like accidental deletions, overwrites, and malicious attacks.
Microsoft's Shared Responsibility Model
In the cloud, you always retain responsibility for data, endpoints, account and access management.
The Reality
We've heard businesses argue "it's too expensive" to retain data for a month and decide in favour of the lower cost option. But lower cost = shorter retention period. What if a user accidentally deletes an important file that's older than a month? The data is irrecoverable, as it is past the retention period. Now just imagine this was an accidental deletion of a file that is vital to your business such as a patent application and you have no way of recovering it.
Imagine your SharePoint data is gone one morning, what do you do? Microsoft may confirm that the data is gone but won't do anything about it because it's not their responsibility.
Why Cloud Infrastructure Isn't Bulletproof
While we and our customers love the flexibility the cloud/Microsoft 365 brings in terms of costs, productivity and growth, it comes with a set of different challenges that you need to keep in mind. Speaking from experience, backups are generally top of mind in businesses using on-premise solutions, but talking to prospects that are on the cloud, we've noticed there are some misconceptions about data backups, to the point that there are no arrangements to ensure the data is, in fact, backed up apart from standard OneDrive/SharePoint synchronisation.
A common misconception is that cloud-based services like Microsoft 365 are inherently secure and immune to data loss. While cloud infrastructure provides high availability and redundancy to ensure uptime, 5this does not equate to data recovery capabilities.
For instance, files stored in OneDrive or SharePoint can still be wiped, encrypted, or permanently deleted if not properly protected by third-party backup solutions. The cloud offers a resilient environment, but it is not a foolproof safeguard against human errors or cyber threats.
And those are exactly the reasons why it's your responsibility to protect yourself from data loss with backups.
The Limitations of Native Microsoft 365 Recovery Options
Microsoft 365 offers some native recovery options, but these are often limited in scope and duration. For example, recycle bins in OneDrive and SharePoint have short retention periods. Once this period lapses, the data is permanently deleted. Similarly, mailbox item recovery is not true versioning and lacks the granularity needed for comprehensive data protection.
These limitations highlight the need for a more robust backup solution that extends beyond the default settings provided by Microsoft. Without such measures, you risk losing critical data with no means of recovery.
The Role of Immutable Backups in Data Protection
Backups that cannot be altered or deleted (= immutable) provide a reliable safety net in case of data loss incidents and are essential in a comprehensive data protection strategy. Immutable storage ensures your backup data remains unchanged and protected from deletion, which is particularly crucial in ransomware recovery scenarios.
With a third-party backup solution, you can ensure extended retention periods and faster recovery times. This approach tailors the backup policies to meet your specific organisational needs, rather than relying on Microsoft's default settings.
What is the 3-2-1 Backup Strategy?
Just having a backup isn't enough. Following the National Digital Stewardship Alliance (NDSA) in the US, there are four key areas to protect digital content:
- Know - what you have, where it's stored and risks associated with it
- Protect - secure storage of redundant copies, protected by access controls
- Monitor - regular checks to determine if data has been corrupted or lost
- Sustain - while technology moves fast, the files must be usable long-term through formation migrations, documentation, and ongoing management.
You never know what could happen to your business data - from accidental deletion and fire to ransomware and theft. That's why you need copies to be equipped for all eventualities. Here's where the 3-2-1 backup rule comes into play:
Three copies: original/production data and two copies.
Two different media: keep the copy on two different devices. That could be your PC, an external hard drive and cloud space from a private cloud provider.
Backstory: Obsolescence or hardware failure have always been an issue. Think floppy disks (although 1.44MB wouldn't get you far these days anyway) or water damage in an HDD rendering it unusable.
One offsite copy: Why? Theft, water damage, fire - just a few examples of how you could lose your data. With a cloud copy as mentioned above, this point is already covered.
With having both and on- (e.g. external hard drive) and offsite copy (cloud), you can quickly restore any data that has been lost. The on-site copy in form of an external hard drive gives you the benefit of not having to rely on an internet connection.
Managing Risks: End-User Deletions and Ransomware Attacks
Data loss is most often caused by human actions, whether accidental or intentional. End-user deletions, file overwrites, and malicious activities by insiders or external attackers are common risks that every business faces. Without proper backup solutions, your recovery won't only be challenging but also time-consuming.
Ransomware attacks, in particular, pose a significant threat to data integrity. Attackers can encrypt files and demand a ransom for their release. In such cases, having a separate, secure, immutable backup is crucial for data recovery without succumbing to the attackers' demands. Backups serve as a safety net, allowing you to restore your data and resume operations quickly. Because the major cost may not lie in the attack itself, but the lost revenue/custom while recovery operations take place.
Tailored Retention Policies for Compliance
Compliance requirements often mandate specific data retention periods, which Microsoft 365 does not provide by default. That means you'll need to implement tailored retention policies to meet regulatory standards and avoid potential legal repercussions. It's also worth considering that it could negatively affect your cybersecurity insurance premiums or even lead to a denial of your claim if you were subject to a data breach.
Third-party backup solutions offer the flexibility to define retention periods that align with compliance requirements, such as retaining data for seven years or more. This ensures that you can meet your data retention obligations while maintaining the integrity and availability of their data.
In summary, understanding the shared responsibility in Microsoft 365 is crucial for effective data protection. By recognising the limitations of native recovery options and implementing third-party backup solutions with immutable storage and tailored retention policies, you can safeguard against data loss and ensure compliance. This proactive approach is essential for managing the risks associated with end-user deletions, ransomware attacks, and other data loss scenarios.
Download the Best Practices Infographic
