Are you relying on Microsoft services and infrastructure for Microsoft 365 data protection? Unfortunately, native Microsoft 365 data protection falls short of the backup and restore functionality most organizations need. Businesses today need a solution that can provide comprehensive Microsoft 365 backup and satisfy enterprise-level disaster recovery and compliance requirements.
Microsoft 365 can be compromised in the same ways as your on-premises applications and data. Data can be damaged or lost for a number of reasons, including accidental changes and deletions (human error), as well as from malicious activities such as viruses and ransomware. Here are just a few ways your Microsoft 365 data can be compromised:
- Deletion or encryption of files via malware or ransomware
- Hacking via phishing
- Impersonation of a Microsoft 365 administrator using Access key, Secret Access key and domain
While Microsoft may host the infrastructure for its productivity suite, it doesn’t provide comprehensive data protection or disaster recovery. Here are 5 common misconceptions regarding the protection of Microsoft 365 environments:
1) Microsoft 365 data in the Azure Cloud is always available, so there is no need for backup
The Azure cloud is basically a large, distributed physical data center and suffers from all the same challenges as your own data center. A quick glance at recent Azure outages confirms that equipment can fail. Broken cooling pumps, faulty devices, surges in network traffic and more have all contributed to system downtime and business disruptions.
Microsoft offers a versioning capability for OneDrive and SharePoint to help protect against accidental file loss or damage. Versioning can help recover an older version of the file, but does not have data protection for the most current version. Users may need to spend a significant amount of time bringing an older version of a file back to where it was before the damage.
Even worse, malware could find its way to all the versions and delete or damage them all. In a worst case scenario, if you lose OneDrive or SharePoint due to a disaster or malicious activity, you lose all the version history.
2) My Microsoft 365 data is protected against human error
Let’s be honest – no one is safe from human error – by your cloud provider, your internal users or even random construction crews who accidentally cut fibers. There’s always a chance that code defects, misconfigurations, updates and patches will have widespread repercussions that result in file loss. And, of course, it could be something as simple as accidentally deleting a file or email. Even IT administrators have made serious errors, sometimes deleting entire volumes of data by mistake.
If you rely on Microsoft 365, make sure you understand the shared responsibility in the cloud model. While the company guarantees protection from failures in systems or hardware, it is your responsibility to protect your data from human error, cyberattacks, malware, and internal malicious actions – which leads us to the next point.
3) Microsoft 365 is a SaaS product, so it has data protection and security built in
There are a number of ways bad actors can attack your Microsoft 365 data. Consider the following:
- Malware/ransomware deletes or encrypts files
- A user reveals account information via a phishing email
- Access key, Secret Access key and domain are all that’s needed to impersonate an Microsoft 365 administrator
- A software vulnerability in Microsoft 365 provides an entry
- The OAuth2 protocol is used to gain programmatic access via Azure AD, and there are vulnerabilities in OAuth2 itself
Bottom line, no software is 100% safe from security vulnerabilities, so it’s up to you to ensure your Microsoft 365 data is properly encrypted in the cloud. It also pays to invest in security awareness and data protection training for users so they reduce the risk of exposing the organization to cyberattacks.
4) The Microsoft 365 retention policy provides sufficient data protection
Microsoft 365 offers a retention policy where documents can be retained for 93 days and emails for 14 days. But this is not really considered long-term data retention as required by numerous compliance regulations, nor is it considered a real backup strategy. Many industry regulations such as those in financial services require data to be kept for 7 years and some, like K-12 education, require data to be kept for the lifetime of the student.
Also, retention policies do not protect files if they are accidentally or maliciously changed or deleted. Also, retention policies don’t deliver a 3-2-1 backup strategy – having multiple copies of data on separate devices and in different locations.
Additionally, there is no point-in-time recovery. Microsoft retention is basically a replication copy. If you corrupt a mailbox or item in production, you corrupt it in the retention archive folder too.
5) Microsoft offers High Availability for Exchange online through Data Availability Groups (DAG)
Every mailbox database in Microsoft 365 is hosted in a database availability group (DAG) and replicated to geographically-separate data centers within the same region. The most common configuration is four database copies in four data centers; however, some regions have fewer data centers (databases are replicated to three data centers in India, and two data centers in Australia and Japan). But in all cases, every mailbox database has four copies that are distributed across multiple data centers, thereby ensuring that mailbox data is protected from software, hardware and even data center failures. Out of these four copies, three of them are configured as highly available. The fourth copy is configured as a lagged database copy.
While DAGs are a very good high-availability or disaster recovery mechanism, it’s not meant for typical backup and restore since every change made to the original file is replicated/synchronized to all DAG copies. Also, there are instances where you may need to recover only an individual mailbox, email or attachment. The lagged database copy can only be prevented from synchronization up to every 14 days, so afterwards any accidental or malicious changes or deletions are applied to even the lagged database. Plus, according to Microsoft itself, “DAGs are not intended for individual mailbox recovery or mailbox item recovery. Its purpose is to provide a recovery mechanism for the rare event of system-wide, catastrophic logical corruption.”
Reduce risk now with the right tools and strategies
Don’t believe the misconceptions about data protection in Microsoft 365. Protecting your Microsoft 365 data is your own responsibility. Data loss due to human error, malware, ransomware attacks or a wide range of IT disasters can impact your company’s productivity, your customers and your business reputation.
IT organizations need complete control of their Microsoft 365 backups for maximum data protection. Performing your own backups of Exchange and SharePoint Online, OneDrive, Active Directory, Teams and calendars allows you to protect business-critical data. Storing those backups in multiple locations further reduces the risk of business downtime.
While you may be reluctant to add another layer onto your system infrastructure, the bottom line is you need comprehensive protection and granular recovery for your Microsoft 365 data. With so much at stake, it pays to learn about the shortcomings in Microsoft 365 data protection so you can actively address them with your own backup and recovery solution.