Office 365 & Backup – Did you know??

For the fan (yes, I do mean singular) of my backup blogs, you will know I am a lover of hyperbole. However, what isn’t hyperbole is my continuous and unrepentant dismay at the number of folks I speak with who don’t understand their Office 365 deployment and, perhaps more importantly, the elements they are explicitly responsible for.

The Big Misconception

Microsoft empowers YOU with the responsibility for YOUR data. Microsoft – as do most IaaS, PaaS or SaaS providers – will guarantee application uptime through geo-redundancy and some foundation-level data protection capabilities (recycle bin, litigation boxes) but you, the customer, are responsible for the short- and long-term protection of your data against:

  • Unnoticed deletions or compromises
      The average time between compromise and discovery is 140 days (https://discover.office.com/6-steps-to-holistic-security/chapter1/)
  • Accidental “purge” or permanent deletion
  • Internal security threats (employee tampering or terminated employee)
  • External security threats (malware and viruses)
  • Legal and compliance requirements

As the Bard once said:

“There are more things out there looking to corrupt your data, Horatio, than are dreamt of in your philosophy” 

Or something of that ilk……

Don’t believe me? Do you believe this is “Project Fear” or the over-eager attempts to sow fear, uncertainty and doubt by a verbose Bercow-esque salesperson? Well, don’t take my word for it, Microsoft tells you as much in their terms and conditions:

Of course, Microsoft do have an offering available in the form of a – relatively – new feature called Retention Policies, which provides additional protections against some of the events mentioned above. Retention Policies have their limitations, however. First of all, there is the complexity. The “Overview” of how they work is 25 pages and over 5,000 words long. There are a variety of options in this tool, any one of which could be configured incorrectly and result in a reduction in protection.

Perhaps the most important thing to understand about retention policies is that the additional versions of files that they store are kept in your Office 365 account, and some of them are counted against the storage allocation of your account. In addition, retention policies are only effective against hackers and rogue admins if you enable Retention Lock. Once you have activated Retention Lock, nobody, bad actors included, can undo the retention policy you put in place. The downside is that you can never undo this change. If you use up your storage allocation, you will be required to buy however much additional storage you need, at whatever price Microsoft wants to charge you for it.


In summary

Ultimately, you need to ensure you have access to, and control over, your Office 365 data. You need to ensure that your company’s retention policies and service catalogue can be met across Office 365 as well as on-premises systems and ensure your company’s data is protected against the myriad of threats.

No pressure!

Let’s not even start with GDPR and other data compliance laws and requirements…

As ever, it’s been my pleasure to offer up my thoughts to you. Come back soon for more blogs and feel free to ask questions or to tell me if there is anything you disagree with. Just ask my colleagues, I do enjoy some good debate.


Author: Ian Preston