Thousands of businesses and individuals across the globe are using Microsoft’s Office 365 services. Many of these users don’t have their data backed up, they assume that because their data is stored within the application that Microsoft is taking responsibility for this data being retrievable and that they’re protected from data loss. This is simply not the case. Not having your own backup puts your organization at risk of losing control and access to your company’s data, internal and external security risks as well as regulatory exposure.
Veeam wrote an article on this issue and within it, published a Responsibility Chart (see below). This chart highlights the responsibilities of your organization and those of Microsoft, making it easy to see what concerns you should have and organizing the data risks, in an easy to digest chart.
Yes, Office 365 hosts your data, but they only have a replicated copy. Office 365 includes built in data replication, this allows them to fail over to the replicated copy if anything goes wrong. This is however a replicated copy, Microsoft’s replicated copy, and not a backup. Just having a replicated copy of your data is not sufficient, a backup and replicated copy are not the same. With a replicated copy all data is copied, whether it was deleted or corrupted, meaning you now have a copy of all good data and bad data. To ensure your data is 100% protected you need both a replicated copy and a backup. Veeam, the global leader in Intelligent Data Management and trusted by 75% of the Fortune 500 recommends that all organizations have both a replicated copy and a backup. Some organizations have specific policies surrounding the backup and retention policies of their data, by failing to have your own backup you are putting your organization at risk of not meeting these internal policies. Relying solely on Microsoft to maintain and host your data puts your organization at risk of losing control and access to your company’s data.
Microsoft protects Office 365 at the infrastructure level. They state that this security extends to the physical level of their data centers and the authentication and identification within their cloud services, as well as the user and admin controls built into the Office 365 UI. As a result, your organization is responsible for security on a data level. There’s lots of data security risks that fall outside the responsibility of Microsoft (as seen in the above responsibility matrix). There’s a multitude of data security risks such as: insider threats (for example: rogue admins abusing access, accidental deletion, malicious insiders, etc.) ransomware, rogue apps, hackers and more. There are many examples of how easily ransomware can take over cloud applications such as Office365, one such video that Veeam references in their article shows how ransomware encrypts email. Without maintaining your own corporate data backup and security policies and procedures you place your organization at an increased risk of a security breach occurring and losing all data if a security breach were to occur.
Microsoft’s role is simply as the data processor; your organization’s role is that of the data owner. This has regulatory implications and will impact how you should deal with data. Dependent on your industry, the type of data you possess, and your region, your organization will be held accountable to specific legal, HR, and compliance requirements. These will determine how you must store your data, the type of backups you must maintain and the security policies you must have in place, etc.
To summarize, without an external backup of your Office 365 data, you will have limited access and control of your data, you are vulnerable to data loss risks, increased risk of internal and external security risks and regulatory exposure. Many of these issues can be solved or minimized by maintaining a backup of your own. By working with a managed service provider such as Cloud Carib, your organization can setup a secure and reliable backup solution that is fully integrated with your Microsoft Office 365 applications. With a backup managed by a provider such as Cloud Carib, you can recover the data you want, when you want, while meeting the requirements established by your stakeholders.