
- Your cloud service providers are not responsible for the safe keeping of your data.
- You are responsible for keeping your data and metadata safe.
- What shared responsibility means.
- What cloud services like Microsoft 365 currently offer to retrieve lost data.
- How to make sure your cloud data is actually secure.
What You Risk by Not Backing Up Your Cloud Data
Let’s start by looking at the exposure faced by a company that does not take part in shared responsibility. Depending on the nature of your business, several risk scenarios could arise if you rely solely on cloud service vendors for backup (and the vendors themselves recommend that you do not rely solely on their services):
- You lose access to critical intellectual property documentation such as patents.
- You may no longer be in compliance by losing access to certain required information.
- The entire company loses access to emails and other collaboration tools such as SharePoint and other apps, thereby preventing employees from doing anything.
- Critical systems such as Salesforce, which are based on multiple automations that have been painstakingly built up over time, will need to be rebuilt.
Common Data Loss Threats
Data loss threats don’t always originate from outside the organization, as demonstrated by a study conducted by the Enterprise Strategy Group (ESG) which showed that human error from within the organization is one of the single biggest contributors to data loss. A breakdown of data loss causes is illustrated in the following graphic:
The “Backup Features” Currently Available in Microsoft 365
In essence, cloud service customers have three functionalities that many think serve as backup of their data.
Litigation Hold
The purpose of litigation holds is to help if you are involved in a legal process and need to preserve information exactly as it is at a specific point in time. It is clearly not designed as a backup or recovery tool, because:
- Retrieving just a single email requires going through 8-10 demanding steps.
- Based on your licensing plan, your cost of storage may be significantly higher.
Versioning
Microsoft automatically saves versions of your documents at regular intervals, so you can just go back and open a previous version, right? Technically yes, but:
- You only get the documents themselves. What you don’t get is structure: nothing is where you left it, and there are no folders. So, at scale, this quickly becomes unmanageable.
- If there is a ransomware attack, all versions may be encrypted.
- There is zero protection against dangerous and potentially crippling ransomware.
Recycle Bin
Just like the bins around your office, the Microsoft recycle bins are emptied regularly. How frequently depends on the application. For example:
- In Exchange: mail items disappear after 30 days, and calendar items after 20 days.
- In Teams: channels, teams, and group items go away after 30 days.
- In OneDrive and SharePoint, they’re removed every 93 days.
- In SharePoint backup, items disappear after 14 days.
A Crash Course in Shared Responsibility
What is Shared Responsibility?
Although no official dictionary definition exists, in a nutshell, shared responsibility means you and each cloud vendor take shared ownership for accessing your data in the cloud. Don’t be surprised to learn that Microsoft is not responsible for protecting your data. They are very clear on this issue. You can read a summary of their shared responsibility policy for Microsoft 365 in this short article, and here’s the bottom line (in Microsoft’s own words): ‘You own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type)’.
Regardless of the type of deployment, the following responsibilities are always retained by you:
- Data
- Endpoints
- Account
- Access management

Who Uses the Shared Responsibility Model?
Originally, AWS developed the concept, and today it’s used more or less identically by all cloud services. So, shared responsibility doesn’t just apply to specific vendors or types of services but to cloud computing in general. If you want to dig deeper and explore how some of the main cloud service providers refer to shared responsibility, follow the links below to learn what each says on their respective websites.
What Microsoft Recommends Instead: The 3-2-1 Backup Principle
So, if Microsoft is not responsible for your cloud data, what steps do they recommend? Simply put, they recommend keeping your eggs in different baskets. The most effective way to safeguard your data is to use the 3-2-1 backup principle, which goes like this: Store your data separately from your day-to-day operations. You must keep one copy of your data off site. Years ago, offsite storage was mainly to protect against fire and theft. Today, it’s more complicated than simply separating data geographically. And you can’t fully rely on cloud access, which could be taken offline to protect the providers’ own business interests. If you want to learn more about what Microsoft recommends you do if you experience a ransomware attack, you can find a good summary here. Let’s move on to some actionable advice on what you can do next to bridge the huge security gap left by shared responsibility.
How to Find a Backup Solution That Works
If you decide to heed the advice of Microsoft, Google, and the other cloud service providers, and find a reliable third-party backup solution, here are some important considerations:
- Find out who is actually responsible for data loss in applications such as OneDrive, Groups and Teams, SharePoint, and Exchange within your organization. Is there a dedicated person or team, or is the responsibility spread across the organization?
- Make sure backup copies are stored outside of Microsoft 365’s domain. Always have offsite, immutable, backup copies that are stored separately from your primary data. Never store in the same logical infrastructure as your primary data.
- Look for comprehensive coverage for your SaaS data, in order to include as much data and metadata as possible in your backup.
- Look for fast and granular recovery so you can recover from a single item, all the way up to the tenant level to achieve precision recovery at scale.
- Look for a third-party tool that is compliant and offers long-term retention and a variety of security controls.
How to Find the Right Microsoft 365 Backup Vendor
There are great solutions available, and like everything else, you need to find the one that best meets your needs. To help you in that regard, here are the most important considerations:
Microsoft 365 coverage
- Does it support all of Microsoft 365, with all associated data types, such as Teams private chat, channel chat, versioning, and public folders?
- Can you restore all business-critical data in place?
- Is all data restored in its original format?
- Is all data restored — from a single item up to tenant level?
- Can you configure backup admin permissions?
- Is the audit log tamper-proof?
- Can you limit access rights across specific data connectors?
- Are data centers independent from the SaaS provider?
- Are there options for data residency?
- Are redundancies built in?
- Can you store copies of your data in two separate data centers?
- Is the license model clear and transparent?
- Is data consumption included?
- Are there any hidden costs (for example, for departed users)?
- Can you search universally across all snapshots in a single view?
- Can you preview documents live?
- Can you control search and restore delegation?
- Can you perform point-in-time navigation or restore?
- Can you easily manage and unify backup sets of cloud apps?
- Can you share public links to end users, and download all the data types and levels?
- Is the interface intuitive?
- Is the backup deployment simple and configurable?
- Can you scale across any size organization?
- Are the retention policies flexible across the instance?
- Can you segment Microsoft 365 data to meet business requirements?
- Is the storage engine tamper-proof?
- Are there SSO and MFA options?
- Are the data centers ISO27001 certified? And what about the software development and operations organization?
- Is the solution 100% cloud-based with no maintenance required?
- Are new users automatically added to the backup?
- Can you automate notifications and backups?
- Is there an open API allowing for third-party integration?
In summary:
We’ve covered the concept of shared responsibility, touched on what the cloud service providers cover, and where your responsibility lies. We’ve also shared some advice on what you should look for in a backup and recovery solution. I hope you come away from reading this blog post feeling better equipped to perform your cloud data risk assessments. If you have any questions, you are of course welcome to reach out.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Drawing on 20+ years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.