Let's Talk About Microsoft 365 Backup

Over the past couple of years we have seen the progression of remote and home working accelerated by the pandemic. Now that the dust has settled, many businesses are revisiting their Microsoft 365 environments and finding there are many considerations when it comes to the protection of data.

In this blog post we look at a few reasons why you should be backing up your Microsoft 365 environment.

Your Data. Your Responsibility.

Microsoft’s sole responsibility is the security and availability of the infrastructure platform that provides the Microsoft 365 service, and ensuring it is available as stated in their SLAs. Microsoft are not responsible for your data. I’ll say it again: Microsoft are not responsible for your data. The data belongs to you; you are responsible for it, and that includes protecting it.

Data Protection Principles

Basic data protection principles state that you should hold at least one copy of your backup data at a location away from the primary data copy, so using 365 to back up (or provide a level of recovery) from itself is a straightforward violation of this principle. So, whilst we’re not saying that Microsoft 365 can’t provide any level of recovery natively, we think it’s common sense to want to keep a backup copy away from the primary service.


Where once Microsoft 365 protection was a low priority in discussions around backup and data protection, it has now become the same priority as on-premises workloads and other Azure, AWS and Google Cloud services.

One of the biggest drivers for this change is the ever-looming threat of ransomware. Accidental deletion and recovery of data is one thing (which can be accomplished to some degree using native features) but recovering from encrypted mailboxes is an entirely different scenario. We’ve seen some scary simulations of how easily an attacker can gain access to an Azure AD (and subsequently Microsoft 365) environment given the right scenario.

You should check your Azure Enterprise Apps/App Registrations. If you haven’t got your security settings configured correctly, it might be possible for any user to authorize a third-party app access to your directory. It’s a short step from here to gain access to a mailbox and encrypt everything.
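One way to carry out the check described above, as an added example that is not part of the original post: a read-only audit using the Microsoft Graph PowerShell module that reports whether users can consent to apps themselves and lists existing delegated grants that reach mail or files. The list of scopes to watch is an assumption chosen for illustration; adjust it to your own environment.

```powershell
# Added example: read-only audit, makes no changes to the tenant.
# Assumes the Microsoft.Graph module is installed and the signed-in
# account is allowed to read policies and directory objects.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'

$policy   = Get-MgPolicyAuthorizationPolicy
$defaults = $policy.DefaultUserRolePermissions
$assigned = @($defaults.PermissionGrantPoliciesAssigned)

# 1. Can ordinary users grant apps access on their own behalf?
$selfConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
if ($selfConsent.Count -eq 0) {
    'User consent: disabled (an administrator must approve apps)'
} elseif ($selfConsent -match 'microsoft-user-default-legacy') {
    'User consent: allowed for ANY app, for every permission that does not require admin consent'
} else {
    "User consent: restricted by policy $($selfConsent -join ', ')"
}
"Users can register applications: $($defaults.AllowedToCreateApps)"

# 2. Which apps already hold delegated access to mail or files?
# Assumption: this scope list is illustrative, not exhaustive.
$watch = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
         'Files.ReadWrite.All', 'Sites.ReadWrite.All'
$spCache = @{}

Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $hits = @($_.Scope -split '\s+' | Where-Object { $_ -in $watch })
    if ($hits.Count -gt 0) {
        # Look up each client app once; grants repeat per user.
        if (-not $spCache.ContainsKey($_.ClientId)) {
            $spCache[$_.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        }
        $sp = $spCache[$_.ClientId]
        [pscustomobject]@{
            App             = $sp.DisplayName
            PublisherTenant = $sp.AppOwnerOrganizationId
            # AllPrincipals = tenant-wide admin consent, Principal = one user
            ConsentType     = $_.ConsentType
            Scopes          = $hits -join ' '
        }
    }
} | Sort-Object App, ConsentType | Format-Table -AutoSize
```

Grants with ConsentType `Principal` from an unfamiliar publisher tenant are the ones to review first, since they were approved by an individual user rather than an administrator.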

These types of attacks can damage a business on so many different levels, from reputation and financial loss to ongoing operational issues due to data loss.

Backing up your Microsoft 365 environment and holding the data externally can help protect you against this threat by providing you with a copy of your data and a method to recover in the worst-case scenario.

Native Features & Complexity

One thing to be clear on when we talk about backing up Microsoft 365 is that we’re not saying there are no native features available to help you protect your data against several different use cases, because there are features such as retention policies, legal hold, in-built immutability (license dependent), preservation lock, versioning etc. which can help. However, many of these assume that you have your Microsoft 365 environment configured optimally and have all these features configured and adjusted to suit your specific needs. This configuration can be complex, or you just might not have the time to learn about it.


As with any backup solution, it's a form of insurance policy, a way of protecting against known, but also unknown, threats to your data. You should consider the points we’ve talked about in this article carefully when deciding whether Microsoft 365 backup is something your organisation should be doing.