Moving your data to the cloud provides many benefits, not just ever-growing storage potential. But is that data protected?
There's a big difference between data being secure, and data being backed up. Whilst access to your data can be protected by the likes of conditional access, it's not actually being backed up for potential disasters occurring at a later date. This may come as a surprise to many of you, but you will find it in the SLAs of Office 365.
Before moving to the cloud, organisations would religiously backup their data; daily, weekly, monthly and annually, for those wanting extra security, maybe even hourly. Whilst Microsoft provides features in the 365 services (recycle bin, deleted items etc), they do not provide a backup service, as such. Your data in Office 365 belongs to you, Microsoft are only the custodians of it and provide access to the information / documents / files via their services.
With Office / Microsoft 365 E3 you have the ability to place a mailbox on Litigation Hold, or you can place a user on "In-Place Hold", but can you restore it easily and simply? Both these options are used for legal discovery purposes.
"I'll place my mailboxes on Litigation Hold, that means I can recover the email, right?"
Whilst you can do that, and you can still recover the email, it's not actually securing and backing up your inbox. Litigation Hold does not create a copy of the data in a secondary location, and it's not designed for backup and recovery purposes.
When a mailbox is placed on Litigation Hold all items are held for a specified duration. This provides the compliance admin with the ability to recover any subsequently deleted messages from within the security and compliance centre.
In-Place Hold is where SharePoint sites and users' mailboxes and OneDrive's are scanned for specific criteria and anything that meets the criteria is then held for the specified duration. Again, data is then recovered via the security and compliance centre.
Anything that is in the mailbox is then encapsulated by Litigation Hold/In-Place Hold (including ransomware and the like).
Placing all your users on Litigation Hold could open a whole new can of worms for your organisation, especially with the legal department as they use this function for legal discovery purposes.
"I archive my email in Office 365, that's a backup isn't it?"
In short, no. Archiving and backup have two completely different meanings. Archiving moves data from one location to another based on retention policies. A backup creates a moment-in-time copy of the data in a second location.
“I use versioning control in SharePoint/OneDrive for Business, I can go back to previous files, can’t I?”
Whilst you can do this, again, it isn’t a valid backup. What happens if your files get infected with ransomware? Or if the files save and replace your previous versions? What if a user deletes a file, leaves the company and then months down the line you need to recover it?
There are several tools out there that can be used for backup, and recently I have been exploring the offerings from Druva – they provide several services, one of which is a product called InSync. This service does not just back up data in the cloud, it can also be used to back up mobile devices, laptops and desktops (Windows, MacOS and Linux). There is also a compliance offering, available in one of the premium plans.
After spending some time looking at the cloud backup offerings from Druva, it seems to tick all the boxes:
I’ve previously looked at other products which have all initially looked great, but most back up solutions do not cover Microsoft Teams (even though they do back up SharePoint). Some only focus on email, but Office 365 is so much more than just e-mail. Druva has all these covered, and it provides an automatic discovery of newly created Microsoft Teams.
Currently, Druva can sync users from on-premises AD only using an AD/LDAP Sync connector, and authentication can be off-loaded in to ADFS/Azure AD. However, a new feature is coming to enable full account sync and single sign on (SSO) with Azure AD which will mean you can also wrap your conditional access policies around user sign-in.
Most people I have talked to about Office 365 think backup is not needed as they are only focusing on e-mail (although you will still need to back this up). Some organisations may have Mimecast or a similar product in place which they use for continuity and backup, but this is for email only; what about all the other data in Office 365? Microsoft Teams has been the fastest adopted collaboration platform from Microsoft and organisations are using it in force - day in, day out. This means that data within Microsoft Teams also needs securing.
Backing up your data should never be overlooked when moving to the cloud. The data in the cloud is owned by you and it is your responsibility to protect it, it’s just accessed via new technology – and it could cause you problems when you need to recall information, but it also needs to be considered inline with GDPR compliance. Traditional backup solutions were not designed with the cloud in mind, so a new backup technology that offers total support of all your applications is essential.
My recommendation is, if you backed up your data before you moved to the cloud, you should certainly still be backing up your data, using a tool that is designed specifically for this purpose, not by using the tools designed for security and compliance, retention and document control. There's also options to outsource this using something such as Back-up As a Service.
With Druva I’ve seen a quick, simple, comprehensive and secure way of backing up and recovering data within Office 365. There is also an option to give users the ability to do self-service restores.
If you’re interested in finding out more about the best way to backup Office 365, contact your account manager, or contact us using the link below.
We would love to hear any comments you have about this article!