While most cloud service providers, including Microsoft 365, offer some degree of data backup, you might be surprised how minimal it actually is. This brings us to the discussion of shared responsibility and why it can’t be ignored if you want complete data protection and backup.    Because Microsoft 365 is so commonplace in business, it’s easy to assume that so long as you stick we them, you have the basics covered. That, unfortunately, is not correct when it comes to cloud backup and recovery. Here are two hard truths you need to take into consideration when you plan your SaaS data protection:

1. Your cloud service providers are not responsible for the safe keeping of your data. 
2. You are responsible for keeping your data and metadata safe.

  In this blog post, you will learn: 

• What shared responsibility means.  
• What cloud services like Microsoft 365 currently offer to retrieve lost data. 
• How to make sure your cloud data is actually secure. 

What You Risk by Not Backing Up Your Cloud Data

Let’s start by looking at the exposure a company faces that does not participate in shared responsibility.    Depending on the nature of one’s business, several risk scenarios could arise if you rely solely on cloud service vendors for backup (and the vendors themselves recommend that you do not rely solely on their services):  

• You lose access to critical intellectual property documentation such as patents. 
• You may no longer be in compliance by losing access to certain required information. 
• The entire company loses access to emails and other collaboration tools such as  SharePoint and other apps, thereby preventing employees from doing anything. 
• Critical systems such as Salesforce, which are based on multiple automations that have been painstakingly built up over time, will need to be rebuilt. 

  When data loss happens to a large business it can result in thousands of unhappy employees and customers. For small to medium-sized businesses the consequences can be even more severe if they lack the IT resources and know-how to immediately address the problem.     The eventual outcomes range from customer inconvenience and disgruntled employees to severe legal problems and potential business catastrophe.  In other words, your business continuity is at stake.

Common Data Loss Threats  

Data loss threats don’t always originate from outside the organization, as demonstrated by a study conducted by the Enterprise Strategy Group (ESG) which showed that human error from within the organization is one of the single biggest contributors to data loss.    A breakdown of data loss causes is illustrated in the following graphic: If you lose data for any of these reasons, cloud vendors like Microsoft will not provide data backup because they adhere to the “shared responsibility” model that states it’s not their responsibility. More on that later. 

The “Backup Features” Currently Available in Microsoft 365 

In essence, cloud service customers have three functionalities that many think serve as backup of their data.  

Litigation Hold 

The purpose of litigation holds is to help if you are involved in a legal process and need to preserve information exactly as it is at a specific point in time. It is clearly not designed as a backup or recovery tool, because:  

• Retrieving just a single email requires going through 8-10 demanding steps. 
• Based on your licensing plan, your cost of storage may be significantly higher. 

Versioning 

Microsoft automatically saves versions of your documents at regular intervals, so you can just go back and open a previous version, right?     Technically yes, but:  

• You only get the random actual documents. What you don’t get is structure—nothing is where you left it, and there are no folders. So, at scale, this quickly becomes unmanageable. 
• If there is a ransomware attack, all versions may be encrypted. 
• There is zero protection against dangerous and potentially crippling ransomware. 

  Speaking of ransomware attacks, check out our popular Disaster Recovery Guide for a seven-step guide on how to keep your business running in a disaster situation. 

Recycle Bin 

Just like the bins around your office, the Microsoft recycle bins are emptied regularly. How frequently depends on the application. For example:    

• In Exchange: mail items disappear after 30 days, and calendar items after 20 days. 
• In Teams: channels, teams, and group items go away after 30 days. 
• In OneDrive and SharePoint, they’re removed every 93 days. 
• In SharePoint backup, items disappear after 14 days.  

  As useful and convenient as they are for users, these features can lull employees into a false sense of security because if the worst happens, they are not reliable.     Now that you know what’s at stake, let’s dive into the issue of shared responsibility. 

A Crash Course in Shared Responsibility

What is Shared Responsibility?

Although no official dictionary definition exists, in a nutshell, shared responsibility means you and each cloud vendor take shared ownership for accessing your data in the cloud.     Don’t be surprised to learn that Microsoft is not responsible for protecting your data. They are very clear on this issue. You can read a summary of their shared responsibility policy for Microsoft 365 in this short article, and here’s the bottom line (in Microsoft’s own words):    ‘You own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type)’.   Regardless of the type of deployment, the following responsibilities are always retained by you: 

• Data 
• Endpoints 
• Account 
• Access management 

  As you can see in the table below, the division of responsibility between you and Microsoft, depends on your hosting. (For the purpose of this blog post, pay attention to the SaaS column.)  Source: Microsoft 

  As you can see, Microsoft assumes some responsibility for its piece of the cloud service, but it’s up to the customer to protect the critical data that represents the lifeblood of its business.     Microsoft 365 does have some built-in features to retrieve deleted data such as versioning, litigation hold, and recycle bins, however, these also have limitations and are nowhere near viable alternatives to genuine backup. 

Who Uses the Shared Responsibility Model? 

Originally, AWS developed the concept, and today it’s used more or less identically by all cloud services. So, shared responsibility doesn’t just apply to specific vendors or types of services but to cloud computing in general.     If you want to dig deeper and explore how some of the main cloud service providers refer to shared responsibility, follow the links below to learn what each says on their respective websites.   

• Microsoft Azure 
• Google Cloud 
• Salesforce 
• Zendesk 
• Slack 

What Microsoft Recommends Instead: The 3-2-1 Backup Principle 

So, if Microsoft is not responsible for your cloud data, what steps do they recommend?    Simply put, they recommend keeping your eggs in different baskets. The most effective way to safeguard your data is to use the 3-2-1 backup principle, which goes like this:  Store your data separately from your day-to-day operations.     You must keep one copy of your data off site. Years ago, offsite storage was mainly to protect against fire and theft. Today, it’s more complicated than simply separating data geographically. And you can’t fully rely on cloud access, which could be taken offline to protect the providers’ own business interests.    If you want to learn more about what Microsoft recommends what to do if you experience a ransomware attack, you can find a good summary here.      Let’s move on to some actionable advice on what you can do next to bridge the huge security gap left by shared responsibility. 

How to Find a Backup Solution That Works 

If you decide to heed the advice of Microsoft, Google, and the other cloud service providers, and find a reliable third-party backup solution, here are some important considerations: 

1. Find out who is actually responsible for data loss in applications such as OneDrive, Groups and Teams, SharePoint, and Exchange within your organization. Is there a dedicated person or team, or is the responsibility spread across the organization? 
2. Make sure backup copies are stored outside of Microsoft 365’s domain. Always have offsite, immutable, backup copies that are stored separately from your primary data. Never store in the same logical infrastructure as your primary data. 
3. Look for comprehensive coverage for your SaaS data, in order to include as much data and metadata as possible in your backup. 
4. Look for fast and granular recovery so you can recover from a single item, all the way up to the tenant level to achieve precision recovery at scale.  
5. Look for a third-party tool that is compliant and offers long-term retention and a variety of security controls. 

How to Find the Right Microsoft 365 Backup Vendor

There are great solutions available, and like everything else, you need to find the one that best meets your needs. To help you in that regard, here are the most important considerations:    Microsoft 365 coverage 

• Does it support all of Microsoft 365, with all associated data types, such as Teams private chat, channel chat, versioning, and public folders, etc.? 

Data recovery 

• Can you restore all business-critical data in place? 
• Is all data restored in its original format? 
• Is all data restored — from a single item up to tenant level? 

Role-based access control and compliance 

• Can you configure backup admin permissions? 
• Is the audit log tamper-proof? 
• Can you limit access rights across specific data connectors? 

Data storage 

• Are data centers independent from the SaaS provider? 
• Are there options for data residency? 
• Are redundancies built in? 
• Can you store copies of your data in two separate data centers? 

Pricing 

• Is the license model clear and transparent? 
• Is data consumption included? 
• Are there any hidden costs (for example, for departed users)? 

Search capabilities 

• Can you search universally across all snapshots in a single view? 
• Can you preview documents live? 
• Can you control search and restore delegation? 
• Can you perform point-in-time navigation or restore? 

Simplicity 

• Can you easily manage and unify backup sets of cloud apps? 
• Can you share public links to end users, and download all the data types and levels? 
• Is the interface intuitive? 

Backup configuration 

• Is the backup deployment simple and configurable? 
• Can you scale across any size organization? 
• Are the retention policies flexible across the instance? 
• Can you segment Microsoft 365 data to meet business requirements? 

Security 

• Is the storage engine tamper-proof? 
• Are there SSO and MFA options? 
• Are the data centers ISO27001 certified? And what about the software development and operations organization?

Backup management  

• Is the solution 100% cloud-based with no maintenance required? 
• Are new users automatically added to the backup? 
• Can you automate notifications and backups? 
• Is there an open API allowing for third-party integration? 

 

In summary: 

We’ve covered the concept of shared responsibility, touched on what the cloud service providers cover, and where your responsibility lies. We’ve also shared some advice on what you should look for in a backup and recovery solution. I hope you come away from reading this blog post feeling better equipped to perform your cloud data risk assessments. If you have any questions, you are of course welcome to reach out.  

I promised myself I wouldn’t spend any time in this post talking about how the world has changed because of COVID or how people now want / expect / need to be able to do the critical parts of their job from wherever they are, not just from a corporate device on a managed corporate network. So, I won’t.

Instead, let me focus on one specific use case: backup and recovery of Office 365 data. Of course, that’s a huge part of what we do at Keepit, and our customers love it. So do analysts. We all know that disasters can strike at any time—ransomware, human errors, and technical failures can leave you in need of recovery at any time of the day or any day of the year. In the old-school world, starting a recovery meant “drive to the data center, put a tape in the tape library, and then run backup software.” With a cloud-native data protection solution like Keepit, there’s no more driving and no physical tapes, but you still have to start the restore.

That’s where our mobile app comes in! You can check the status of your backup and restore jobs and start recoveries from anywhere your mobile device can get a connection! Let’s take a look at how this works.

Checking Job Status

The Connectors page shows you what’s going on with the current set of supported connectors. Right now, the mobile app supports our Microsoft 365 and Google Workspace connectors, and we’re adding support for our other popular connectors. The connector status page shows you the current size and run state of your connectors. You can see in the example below that I have a current backup using the M365 connector and a separate OneDrive-only backup that just finished its first update.

Restoring Data

One of the unique ways Keepit makes your restores faster is by giving you multiple ways to restore data. You can restore data to its original location (“in-place restore,”) to an alternate location, or via a sharable URL. For the fastest possible restore, just create a shared restore link and send it to whoever needs instant access to the data. The recipient can use that link to browse the backup data you’ve chosen to give them and download only what they need, to whatever device or environment works best for them—without having to wait for you or Office 365 to complete the entire restore.

The Keepit mobile app supports both in-place and shared-URL restores. Tapping the connector lets you quickly create a link that points to the most recent snapshot, but if you want to browse the contents of the snapshot, you can do that too—tap the connector, choose “Open Connector,” and browse until you find the data you need. You can filter and sort the results to make it easier to quickly locate your data items. Once you’ve found what you’re looking for, you can restore it in-place or generate a link to send to the recipient for direct access.

The Future

We’re excited to be the first cloud SaaS data protection solution with a full-featured mobile app, and we have a lot of exciting things planned for the future. (Vic, let’s talk about what you’d like to publicly disclose here). We’re always looking for feedback from our customers, too—you can get the app from the Apple App Store or Google Play Store, and we’d love to hear what you think!

As organizations increasingly rely on SaaS solutions for business-critical applications, it’s becoming apparent that even the big providers eventually suffer outages. Recently, Microsoft customers suffered problems with Teams and Exchange Online. That follows an outage by Atlassian a couple months earlier. These SaaS apps are so ingrained in daily operations that they often contain the institutional knowledge critical to run the business. If you’ve ever experienced lack of access to files, messages, and other critical data, you probably are looking for a backup solution to ensure your business can keep running no matter what happens.

When evaluating a cloud backup provider, you’ll likely need to make a business case for the investment. Perhaps the solution’s features such as automated backup, high security, and an intuitive user experience look impressive, but how about the important question?

What’s the ROI? Can you provide a compelling business case to convince the stakeholders and leadership in your organization?

To understand the financial impact of backup and recovery solutions, let’s first evaluate the different costs involved.

What could be the financial impact of not backing up your cloud data?

1. Impacts of Cyberattacks

A study conducted by IT research firm ESG states that 79% of organizations had a ransomware attack within the past year. A devastating ransomware attack could leave employees unable to use core business applications for days, weeks, and even months at a time.

According to Forrester, a successful ransomware attack resulting in disruption to operations for an organization with 5,000 employees for five days would cost more than US$5 million. The same ESG study found that only 50% of the organizations were able to recover all their data in a clean and recent state.

According to Verizon’s Data Breach Investigations, large data breaches (with 100 million records or more) cost, an average of $5 million to $15.6 million and can top out at $200 million.

2. Accidental Deletions

According to ESG’s Tech Validation Report, accidental deletions result in data loss approximately 20% of the time. Verizon reports that 85% of breaches involve a human element. A single document sometimes is worth hundreds of dollars. A properly implemented cloud backup solution allows employees to restore critical data quickly and reliably, indirectly saving millions of dollars for the business.

3. SaaS Licensing Fees

Companies often must keep ex-employee user accounts active after their exit date to access user data which would otherwise be purged by the SaaS vendor. It is common for approximately 10% of employees to leave every year. This number can be much higher if organizations use a lot of temporary staff or contractors. The license fees to keep departed users active can be saved by using a cloud backup provider that retains your data for as long as you’re a customer.

4. Archiving Costs

Are you investing in data archiving repositories? Typically, organizations depend on separate archiving tools to help move inactive data into long-term storage systems. This helps optimize resources in the active system to help users quickly access data. By having a cloud backup provider – especially with unlimited storage & retention as Keepit offers – you can avoid investing in a separate archiving tool.

5. IT Administration Efficiencies

IT administrators typically spend a lot of time off-boarding employees and searching for documents that have been either intentionally or unintentionally deleted. If the time for off-boarding is reduced from an hour to a minute thanks to a backup solution, the net benefit would be thousands of dollars per year. Likewise, searching for hours to find deleted files is time-consuming and costly but with the right backup solution, IT admins can quickly search and find files in minutes.

A solid return on a critical investment

Keepit commissioned Forrester Consulting to conduct a total economic impact (TEI) study to evaluate the potential economic impact for businesses that utilize the company’s data protection services.

Based on interviews with five Keepit customers across a range of industries, Forrester generated a composite organization from which it produced a financial model that outlined three-year, risk-adjusted potential savings from utilizing Keepit. The TEI includes two categories of savings, quantifiable and unquantifiable. Forrester determined that in addition to unquantifiable savings like recovery from a ransomware attack, Keepit offers a 78% return on investment (ROI) and a net present value (NPV) of $225K. To see how a dedicated backup solution can pay for itself in just six months, download the full Forrester TEI study.

The frequency of ransomware attacks is increasing along with the costs to businesses. Having a plan to respond in the event of a ransomware attack is more important than ever. 

IT research firm ESG conducted a ransomware study surveying 600 enterprise IT and cybersecurity professionals across North America and Western Europe. Here’s what they found: 

• 79% of the organizations had a ransomware attack within the past year 
• Every sixth company gets attacked by a ransomware weekly 
• Every eighth company gets attacked by ransomware daily 

What’s the impact of a ransomware attack? 

When an organization suffers a ransomware attack, there are many negative consequences beyond the financial losses. According to the ESG study, victims of ransomware attacks suffered the following: 

• 40% of the organizations reported a financial loss 
• 50% reported data loss  
• 32% reported reputational damage 
• 39% reported a direct impact on employees, customers, and partners 
• 30% reported compliance exposure 

As an IT Manager or a cybersecurity leader, can you bear these consequences in the organization?  

What’s the best ransomware recovery strategy?

 

Given the high frequency of these attacks, you need a recovery strategy to mitigate damage to your organization. A successful recovery strategy can help you recover data quickly to minimize the impact on operations. 

ESG research recommends cloud backup as the best practice for cyber recovery. The survey also found that the best-prepared organizations are the ones that have a cloud backup solution. 

How Keepit can play a role in your ransomware recovery strategy

If your organization is ready to get serious about protecting SaaS data and is looking for a solution, ESG recommends that you take a good look at Keepit.

Kerry Dolan, Senior IT Validation Analyst, ESG

Keepit offers an extremely simple, secure SaaS data protection solution that uses a proprietary object store to keep data protected and tamper-proof in its independent, redundant global data centers. With automatic snapshots, no backup scheduling is required, and retention is easy to configure and manage according to your compliance requirements.

Each daily snapshot is permanently preserved so that victims of ransomware can simply roll back to a point in time before the attack and restore their data in place.

Bottom Line

With the high frequency of ransomware attacks, IT leaders should focus on protecting their organization’s mission-critical data and digital assets by preparing and practicing to recover it quickly and completely. ESG recommends cloud backup as the best practice for cyber recovery. Keepit helps you in the cloud backup strategy with a backup that is simple, secure, and fast.   

Keepit backup is: 

Cloud independent – With Keepit, data is stored in a vendor-neutral cloud instead of public platforms like AWS, making Keepit a true third-party backup. 

Immutable – preserves your data permanently, even for data types that the source SaaS applications do not protect. 

Innovative storage architecture – allows super-fast data restores and inspection while giving you predictable restore performance and a fixed storage cost. 

To learn more about how Keepit secures data, read our security guide. 

Many companies assume that if they pay for a backup security infrastructure, their business-critical data will be stored and secured on a separate cloud – but this is often not the case.  

Instead, most alternative cloud backup solutions store your backed-up data on the same public cloud infrastructure that hosts your primary data, which potentially exposes your company to several different risks. 

In their Cloud Computing study published in 2020, Foundry reported the top challenges associated with public clouds to be: 

• Lack of cloud security skills or expertise (30%) 
• Compliance and governance (30%) 
• Security challenge and data privacy issues (38%) 
• Controlling cloud costs (40%) 

By choosing to store your backup data in the public cloud, all of your data (including your only backup copy) is being managed under the same administrative infrastructure. And this is still the case if you choose a different data center for your backup that is separate from your primary data. 

The solution: A ‘true backup’ cloud independent of the public cloud

We believe that offering “true backup” means we can guarantee that your company’s backup data is not stored in the same logical infrastructure as your primary data – regardless of the SaaS application or workload needing protection. 

With Keepit, your company’s backup data is stored on an independent cloud infrastructure in two mirrored data centers in the data center region of your choice, ensuring data availability and sovereignty. 

Keepit is the only dedicated SaaS data protection cloud to date – running on autonomous regional data centers, operating on separate hardware, and managed by trusted employees independent of any public cloud.  

The benefits of building your own private backup cloud 

Having a dedicated private cloud is a fundamental requirement for any legitimate backup solution. Choosing Keepit as your reliable, vendor-neutral backup solution compared to other third-party providers comes with considerable benefits for customers:  

• Pandemic-proof: When the COVID-19 virus spread worldwide, the leading public cloud vendors could not handle customer workloads and pushed customers offline. Meanwhile, Keepit’s dedicated private cloud service continued business as usual. 
• Accessible 24/7: With a dedicated backup cloud, you never lose access to your company’s information or worry about duplication or compressed data. 
• Speedy: With Keepit, the licensing model is uncomplicated, allowing you to get up and running in no time. There are no API transaction fees, network fees, or storage consumption fees. Our intuitive and easy-to-use search tools make sure you can locate, preview, and restore data in seconds. 
• Cost effective:  The higher degree of control Keepit has over the supply chain means considerable cost-saving benefits and easily scalable options. As a Keepit customer, you don’t need to worry about storage consumption fees or hidden costs. Storage is included, and you can expect predictable and straightforward pricing. 
• Constantly evolving: Unlike other third-party security and backup providers, we retain the freedom to innovate and develop our cloud storage technology behind the scenes—something that would not be possible if we were using a public cloud.  

The final word: Keep your digital eggs in separate baskets 

In the realm of backup, “divide” and “separate” are positive terms, and adhering to the 3-2-1 principle is the most effective way to safeguard your data by having it stored separately from your day-to-day operations. 

The 3-2-1 principle of backup mandates that you must have one copy of your data off site. In the days of tape backup, where fire and theft were the only credible threats to your backup data, the off-site copy effectively ensured that your backup data would survive any calamity that could befall your primary data and your primary site.  

In the cloud age, however, backups have become much more complicated: geographic dispersal is insufficient to ensure your data is secure, and hidden risks are introduced by relying on clouds that may be taken offline to protect the providers’ primary business interests. 

You can read more about that in our Security Guide: Raising the Bar for Data Protection in the Cloud Era.