What Microsoft Does Protect?
Office 365 has some built-in data protection to ensure that you never lose your current data. In Exchange Online and Microsoft Teams, for example, data protection is achieved using Database Availability Groups (DAGs); four Exchange servers each hold a copy of your mailboxes in their databases. Those servers are in different datacenters in the same region, and this protects your mailbox against disk, server, networking, and entire datacenter failures.
Failover is automatic and transparent and managed by automated systems in Exchange. The fourth copy is lagging by seven days (whilst still receiving the up-to-date logs from the other copies) and is used in the extremely rare case of large-scale, system-wide data corruption.
Data in SharePoint Online (which also houses OneDrive for Business and Teams files) is mirrored across at least two datacenters with metadata backups kept for 14 days, again ensuring that you won’t lose your data to a man-made or natural disaster.
There are also several technologies built in, such as the Recoverable Items folder where emails and other mailbox items go for some time after you’ve deleted them in Outlook. A user can use Recover Deleted Items in Outlook / Outlook on the web and select one or more items to restore. There’s also Litigation hold and Retention Policy which an administrator can put on one or more mailboxes or a public folder which prevents items from being permanently deleted.
SharePoint Online provides versioning to keep multiple copies of documents as they’re edited, two stage recycle bins to recover deleted files and the ability to recover an entire OneDrive for Business. Some of these features support 14 days or 30 days recovery and you can change some of these intervals.
In other words – Microsoft is very unlikely to lose your current data due to an outage or natural disaster and your users have methods to recover recently deleted emails and documents.
What Microsoft Doesn’t Protect
At this point, especially if you’re a micro business you might think that the above features provide good enough protection for your needs. However, it’s important to think about reasons you might need to augment this native data protection.
The most obvious one is regulation and compliance – these seem to be increasingly prevalent in many jurisdictions around the globe (GDPR in the UK etc.) and over time it will affect more businesses. There may be a requirement for your business not only to protect current data against attacks or loss but also be able to “go back in time” and have point in time copies of your data, sometimes going back many years. There might also be a business need or policy that mandates that certain data must be retained for a long time.
Another consideration is the ease of restoring documents. Training users and help desk personnel in how to use the built-in tools to “get stuff back” quickly and efficiently is not easy, third-party solutions have UIs that are much easier to use.
Another key point is having a copy outside of the system itself. In the past, the general rule for backups was 3 – 2 – 1, have three copies of your critical data on at least two different media types (hard drive and tape), with at least one copy offsite. Storing a copy of your data in a separate system, even a different cloud provider, gives you some protection against a large-scale issue in Microsoft 365.
The most common type of cybercrime today is ransomware attacks where criminals infiltrate your network and monitor normal operations. Often, they’ll corrupt or encrypt your backups for a while before launching the attack that’ll encrypt all your production data, followed by a ransomware demand, tailored to your organisation’s annual revenue (what you’re able to pay). If you’re going for a third-party solution, make sure it has protections in place to ensure that the backed-up data isn’t easily corrupted or encrypted.
To add further incentive for you to pay hackers will also frequently exfiltrate your data before encrypting it so that if you refuse to pay, they’ll release sensitive information publicly. There have been many high-profile examples of these attacks in the news over the last few years, and no business is safe from these lowlifes. Having a backup of all your Microsoft 365 data in a separate location will seem like a lifesaving idea, if you find your business has been ransomed.
There’s also the consideration of access to your data during an Office 365 outage – there has been several high-profile situations over the last few years and being able to access past messages and documents can mitigate the business impact of prolonged downtime.
These and other, business specific needs might push you towards a third-party Office 365 backup solution such as FOS.net managed solution, powered by Ahsay.
Backup is one of the least interesting aspects of IT, it’s boring and mundane but not paying it sufficient attention can leave your company exposed. Making sure that your company’s most precious data is sufficiently protected against human error, malicious attacks or natural disasters is crucial.