Think your Microsoft 365 data is automatically protected? Think again.
While Microsoft may host the infrastructure, it doesn’t include comprehensive data protection or disaster recovery. What they offer doesn’t provide the levels of data protection needed to satisfy today’s stringent data protection, disaster recovery, legal and compliance requirements.
Data can be damaged or lost based on a number of unforeseen situations, including accidental changes and deletions, as well as malicious activities like viruses and ransomware.
Here are some common misconceptions regarding the protection of Microsoft 365 environments:
1) Microsoft 365 data in Azure Cloud is always available, so there is no need for backup
The Azure cloud is basically a large, distributed physical data center and suffers from all the same challenges as your own data center.
Example: For 3 hours on 02 May 2019, customers experienced connectivity issues with Microsoft cloud services including Azure, Microsoft 365, Dynamics 365 and Azure DevOps. The outage was caused by a failed DNS change implemented by Microsoft themselves. https://status.azure.com/
SharePoint and OneDrive do offer versioning to protect against accidental mistakes, but what happens when these systems are not even available? IT organizations need complete access and control of their data at any point of time. Performing backups allows you to restore business-critical data to another location including on-premises, to reduce risk of business downtime that affects your revenue stream, reputation and company productivity.
2) My Microsoft 365 data is protected against human error
Accidental deletion of an email, OneDrive file, or SharePoint item is the most common cause of data loss in a Microsoft 365 environment. Microsoft 365 Geo replication has a domino effect on data deletion – causing deletion of all replicated data. Even IT administrators have made serious errors, sometimes deleting entire volumes of data by mistake. By performing backup, you can recover lost or damaged data.
3) Microsoft 365 is a SaaS product, so it has all the data protection and security I need built in
There are a number of ways people can attack your Microsoft 365 data. Consider the following:
- Malware/ransomware deletes or encrypts files.
- Microsoft 365 account hacking via phishing is a real threat.
- Access key, Secret Access key and domain are all you need to impersonate a Microsoft 365 administrator.
- Vulnerability in Microsoft 365 itself is also possible.
- OAuth2 protocol can be used to gain programmatic access via Azure AD and there are vulnerabilities in OAuth2 itself.
Bottom line, no software is 100% safe from security vulnerabilities, and without a true backup and recovery solution, organizations using Microsoft 365 are at great risk.
4) Microsoft 365 retention policy and version control provide all the data protection I need
Microsoft 365 does offer a retention policy where documents can be retained for 93 days and emails for 14 days. But this is not really considered long-term data retention required by numerous compliance regulations.
Retention policies do not protect files if they are accidentally or maliciously changed or deleted. Also, retention policies don’t deliver a 3-2-1 backup strategy – having multiple copies of data on separate devices and in different locations.
Additionally, there is no point in time recovery. This is basically a replication copy. If you corrupt a mailbox or item in production, you corrupt it in the retention archive folder too.
Microsoft also offers a versioning capability for OneDrive and SharePoint. Versioning can help recover an older file version if the current file is lost or damaged, but it’s not backup and recovery that protects the most current version. And a lot of work could be lost (that was created after the last version) recovering an older version of a file. Also, malware could find its way to all the versions and delete or damage them all.
In a worst-case scenario, since all versions are not kept offsite and independent, if you lose OneDrive, you lose all the versions.
Performing backup is a better approach to data protection and recovery and having multiple copies of your backups on different devices and locations is your best bet against malicious attacks.
5) Microsoft offers high availability for Exchange online through Data Availability Groups (DAG) so I don’t need backup
Every mailbox database in Microsoft 365 is hosted in a database availability group (DAG) and replicated to geographically separate data centers within the same region. The most common configuration is four database copies in four data centers; however, some regions have fewer data centers (databases are replicated to three data centers in India, and two data centers in Australia and Japan). But in all cases, every mailbox database has four copies that are distributed across multiple data centers, thereby ensuring that mailbox data is protected from software, hardware, and even data center failures. Out of these four copies, three of them are configured as highly available. The fourth copy is configured as a lagged database copy.
Protect all your systems, applications and data.
While DAGs are a very good disaster recovery mechanism, it’s not meant for typical backup and restore where you may need to recover an individual mailbox, email or attachment. The lagged database copy can only be prevented from synchronization up to every 14 days, so afterwards any accidental or malicious changes or deletions are applied to even the lagged database. Plus, according to Microsoft itself, “DAGs are not intended for individual mailbox recovery or mailbox item recovery. Its purpose is to provide a recovery mechanism for the rare event of system-wide, catastrophic logical corruption.”
Reducing risk
Ultimately, protecting your Microsoft 365 data is your own responsibility. Data loss due to human error, malware, ransomware attacks or a wide range of IT disasters can impact your company’s productivity, your customers and your business reputation. In addition, your organization most likely must comply with increasingly strict compliance regulations — or face steep penalties.
Believing these myths above may lead to data loss and business downtime.
Be protected… perform your own backup.