This is a sponsored post written by Paul Schnackenburg, DOJO Editor at Altaro, Part of Hornetsecurity Group.
There’s a spirited discussion going on in the IT Pro community – do you need a third-party backup of Office / Microsoft 365 or not? From an IT consultant’s perspective, the answer is always – “it depends”.
In this article, we’ll look at how the platform itself protects your data and the reasons you may want to augment that protection with a third-party solution.
I’ll use the terms Office 365 and Microsoft 365 interchangeably throughout because from a backup perspective there’s not much difference. Know though that Microsoft 365 includes many more services than Office 365.
What Microsoft Does Protect?
Office 365 has some built-in data protection to ensure that you never lose your current data. In Exchange Online and Microsoft Teams, for example, data protection is achieved using Database Availability Groups (DAGs); four Exchange servers each hold a copy of your mailboxes in their databases. Those servers are in different datacenters in the same region, and this protects your mailbox against disk, server, networking, and entire datacenter failures.
Failover is automatic and transparent and managed by automated systems in Exchange. The fourth copy is lagging behind by seven days (whilst still receiving the up-to-date logs from the other copies) and is used in the extremely rare case of large-scale, system-wide data corruption.
Data in SharePoint Online (which also houses OneDrive for Business and Teams files) is mirrored across at least two datacenters with metadata back ups kept for 14 days, again ensuring that you won’t lose your data to a man-made or natural disaster.
There are also several technologies built in, such as the Recoverable Items folder where emails and other mailbox items go for some time after you’ve deleted them in Outlook. A user can use Recover Deleted Items in Outlook / Outlook on the web and select one or more items to restore. There’s also Litigation hold which an administrator can put on one or more mailboxes or a public folder which prevents items from being permanently deleted.
SharePoint Online provides versioning to keep multiple copies of documents as they’re edited, two stage recycle bins to recover deleted files and the ability to recover an entire OneDrive for Business. Some of these features support 14 days or 30 days recovery and you can change some of these intervals. If you’re interested you can see where in the world your data is actually housed.
In other words – Microsoft is very unlikely to lose your current data due to an outage or natural disaster and you / your users have methods to recover recently deleted emails and documents.
What Microsoft Doesn’t Protect
At this point, especially if you’re an SMB, you might think that the above features provide good enough protection for your needs. However, it’s important to think about reasons you might need to augment this native data protection.
The most obvious one is regulations – these seem to be more and more prevalent in many jurisdictions around the globe (GDPR in Europe, CCPA in California etc.) and affect more businesses. There may be a requirement for your business not only to protect current data against attacks or loss but also be able to “go back in time” and have point in time copies of your data, sometimes going back many years. There might also be a business need or policy that mandates that certain data must be retained for a long time.
Another consideration is the ease of restoring documents. Training users and help desk personnel in how to use the built-in tools to “get stuff back” quickly and efficiently is not easy, third party solutions generally have UIs that are much easier to use.
Another key point is having a copy outside of the system itself. In the past, the general rule for backups was 3 – 2 – 1, have three copies of your critical data on at least two different media types (hard drive and tape), with at least one copy offsite. Storing a copy of your data in a completely separate system, perhaps even a different cloud provider, gives you some protection against a large-scale issue in Microsoft 365.
The most common type of cybercrime today is ransomware attacks where criminals infiltrate your network and monitor normal operations. Often, they’ll corrupt or encrypt your backups for a while before launching the attack that’ll encrypt all your production data, followed by a ransomware demand, tailored to your organization’s annual revenue (what you’re able to pay). If you’re going for a third-party solution, make sure it has protections in place to ensure that the backed-up data isn’t easily corrupted or encrypted.
To add further incentive for you to pay hackers will also frequently exfiltrate your data before encrypting it so that if you refuse to pay, they’ll release sensitive information publicly. There have been many high-profile examples of these attacks in the news over the last few years, and no business is safe from these lowlifes. Having a backup of all your Microsoft 365 data in a separate location will seem like a lifesaving idea, if you find your business has been ransomed.
There’s also the consideration of access to your data during an Office 365 outage – there has been several high-profile situations over the last few years and being able to access past messages and documents can mitigate the business impact of prolonged downtime.
These and other, business specific needs might push you towards a third-party Office 365 backup solution such as Altaro Office 365 Backup. Be aware that there’s no Application Programming Interface (API) for backup products to “talk to” Office 365 so all solutions are using a workaround to achieve their goals. Look for a cloud-based SaaS solution, you definitely don’t want to provision storage etc. on premises just to house your backup data.
Conclusion
Backup is one of the least “sexy” aspects of IT, it’s boring and mundane but not paying it sufficient attention can create an RGE (Resume Generating Event). In other words, making sure that your company’s most precious data is sufficiently protected against human error, malicious attacks or natural disasters is crucial. Familiarize yourself with the built-in options, how to use them and how to help your users recover from a wrong keystroke and then weigh your needs carefully and invest in a good third party Office 365 Backup solution.
