Thousands of businesses and individuals across the globe use Microsoft’s Office 365 services, but many of these users don’t have their data backed up. There is a widespread assumption that because the data is stored within the application, Microsoft is responsible for keeping it retrievable. The truth is that if your data isn’t independently backed up, it IS NOT protected from potential data loss, and that brings with it the possibility of regulatory exposure.

In an article on the subject, Veeam published a Responsibility Chart (see below). The chart sets out the responsibilities of your organization alongside those of Microsoft, organizing the data risks in an easy-to-digest form so you can see which concerns are yours.

Yes, Office 365 hosts your data, but Microsoft only holds a replicated copy. Office 365 includes built-in data replication, which allows Microsoft to fail over to the replicated copy if anything goes wrong. This is, however, a replicated copy (Microsoft’s replicated copy) and not a backup. Having a replicated copy of your data is not sufficient, because a backup and a replicated copy are not the same thing. With replication all data is copied, including deletions and corruption, so you end up with a copy of the good data and the bad data alike. To ensure your data is 100% protected you need both a replicated copy and a backup. Veeam, the global leader in Intelligent Data Management and trusted by 75% of the Fortune 500, recommends that all organizations have both a replicated copy and a backup. Some organizations have specific internal policies on the backup and retention of their data; by failing to have your own backup, you put your organization at risk of not meeting those policies. Relying solely on Microsoft to maintain and host your data puts your organization at risk of losing control of, and access to, your company’s data.

Microsoft protects Office 365 at the infrastructure level. They state that this security extends to the physical level of their data centers and the authentication and identification within their cloud services, as well as the user and admin controls built into the Office 365 UI. As a result, your organization is responsible for security at the data level. Many data security risks fall outside Microsoft’s responsibility (as seen in the above responsibility matrix), such as insider threats (for example rogue admins abusing access, accidental deletion, malicious insiders, etc.), ransomware, rogue apps, hackers, and more. There are many examples of how easily ransomware can take over cloud applications such as Office 365; one video that Veeam references in its article shows how ransomware encrypts email. Without maintaining your own corporate data backup and your own security policies and procedures, you place your organization at increased risk of a security breach, and of losing all data if a breach were to occur.

Microsoft’s role is simply that of the data processor; your organization’s role is that of the data owner. This has regulatory implications and will affect how you should deal with data. Depending on your industry, the type of data you possess, and your region, your organization will be held accountable to specific legal, HR, and compliance requirements. These will determine how you must store your data, the type of backups you must maintain, the security policies you must have in place, etc.

To summarize, without an external backup of your Office 365 data you will have limited access to and control of your data, and you will be exposed to data loss, to increased internal and external security risks, and to regulatory exposure. Many of these issues can be solved or minimized by maintaining a backup of your own. By working with a managed service provider such as Cloud Carib, your organization can set up a secure and reliable backup solution that is fully integrated with your Microsoft Office 365 applications. With a backup managed by a provider such as Cloud Carib, you can recover the data you want, when you want, while meeting the requirements established by your stakeholders.