May 15th, 2020
The 1CS Team
Why Microsoft 365 data protections are insufficient:
Microsoft 365, formerly known as Office 365, offers various safeguards for user data. However, it does not perform a backup. It offers what we refer to as data protection measures, which restore impaired data in certain situations. M365 data protection measures enhance a user's ability to restore data, but as you will see below, these features do not constitute a backup and come with pitfalls.
Data Protection Measures do not constitute a “backup”
First of all, properly backing up data, regardless of media type, requires that the data be backed up to separate media in a different location than the original copy. There is more to it than that, but this is one of the most basic backup principles. Imagine you backed up some files located on your C drive to another location on your C drive or another location on your computer. How protected would you feel? If something happened to your computer, both the original copy and the backup copy would most likely face the same outcome. It's the same concept with M365: one should not back up M365 data to M365, irrespective of whether that be in the form of email, Word Docs, OneDrive or SharePoint.
Just because data resides in the cloud does not necessarily mean it is being backed up. There are 3 different references to backing up your data in Microsoft's 365 Canadian service agreement. Two of the references are in sections 4(a)(iv) and 4(f), where Microsoft talks about the importance of having a regular backup plan for when you close your account or it gets cancelled. Imagine you forgot to pay your subscription fee and your data was removed. The service agreement states:
Microsoft Not Liable for your Data
This is reason in and of itself to back up your M365 data, but it gets worse. Further into the service agreement, Microsoft recommends that users have a regular backup plan due to Microsoft-related disruptions and outages. It goes on to state that Microsoft will not be held liable for any loss you may suffer. Take a look for yourself in section 6(b). Since there are many possible ways that data loss may occur or that their data protection measures may be inadequate to recover data, Microsoft is covering their tracks. As our final example, they specifically state in section 11 that Microsoft makes no warranty that content loss won't occur:
If they had a versatile and redundant backup system in place they would boast about it.
If you deleted a file by mistake, any file, M365 does facilitate its retrieval within a set period of time referred to as a retention period. You just need to pull it out of the place where deleted items are kept, otherwise referred to as a recycling bin. This must be done before the retention period expires and before the recycling bin is manually emptied; otherwise, the file will not be recoverable by this method.
Similarly, if a virus infection takes hold and deletes data unbeknownst to you, it may be difficult to pull the data from the recycling bin within the retention period when you are not aware it is there. Furthermore, when a long list of individual files is deleted during the course of a malware attack and you do realize it, it will be a laborious task to comb through the recycling bin, differentiate the files deleted by the malware from files that should be there, and pull out the ones that were deleted. Remember, this is not the recycling bin on your desktop. It is a place within M365 where deleted files are retained for a specific period of time before they are automatically deleted, as per the user's pre-defined retention policy.
By contrast, using backup software designed for the purpose of restoring M365 data is much more efficient and, over time, likely more cost-effective. Choose to restore a single file or a group of files and folders, utilizing easy-to-use search methods which facilitate the process. Gain the ability to bring back either an individual folder or a single user to a specific date and time. Please do not underestimate the value of these capabilities in the event of data loss.
M365 and apps do offer varying levels of versioning. Versioning is when the file you are working on is perpetually being saved, automatically and without you doing anything, in an effort to provide a certain level of protection against data loss. However, versioning does not guarantee you will get your data back. In M365 or apps like OneDrive and SharePoint, you can turn versioning on or off and adjust the number of versions being retained. M365 defaults the number of versions to five hundred. Our Microsoft Support Team can show you how.
Versioning defenses can break down when online attackers use malicious code to change and encrypt your data more times than the number of versions your M365 or app is set to store. If you don't know how many times your data was changed and then copied, even if you can access all of the versions, the process of searching through them to determine the correct, most up-to-date version would be tedious and extremely time consuming, depending on the nature of your data and the changes which were made by the malicious code.
Online attackers may also try to obtain admin access through techniques known as social engineering, phishing or exploiting weaknesses in M365. Yes, it's possible. Once an attacker gains access to your admin portal, they can opt for fewer versions or turn versioning off altogether. It is worth noting that add-on services such as legal hold may not suffice once online attackers gain admin authority. This is why we back up critical data, and M365 is not excluded.
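The version-exhaustion scenario described above can be checked from an audit export. The following is an added example, not code from the original article or from Microsoft: it counts modifications per file since a chosen point in time and reports which files have used up, or nearly used up, their version history. The record fields (CreationTime, Operation, UserId, ObjectId), the FileModified operation name, the 80% warning ratio and the one-version-per-modification rule are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

VERSION_LIMIT = 500  # default version count stated in the article
WARN_RATIO = 0.8     # assumption: warn once 80% of the limit is used

def sample_events():
    """Constructed audit records (not real tenant data), one JSON string each."""
    t0 = datetime(2020, 5, 1, 9, 0, 0)
    def rec(sec, user, path, op="FileModified"):
        return json.dumps({"CreationTime": (t0 + timedelta(seconds=sec)).isoformat(),
                           "Operation": op, "UserId": user, "ObjectId": path})
    events = [rec(i, "svc@example.test", "/sites/fin/ledger.xlsx") for i in range(520)]
    events += [rec(2 * i, "svc@example.test", "/sites/fin/plan.docx") for i in range(410)]
    events += [rec(i, "alice@example.test", "/sites/fin/notes.docx") for i in range(3)]
    events.append(rec(5, "alice@example.test", "/sites/fin/notes.docx", op="FileAccessed"))
    return events

def version_headroom(lines, since, limit=VERSION_LIMIT):
    """Count modifications per file at or after `since` against the version limit.

    Returns {path: (edits, status)}. "evicted" means the last version saved
    before `since` can no longer be in version history, assuming one version
    per modification event.
    """
    edits = defaultdict(int)
    for line in lines:
        ev = json.loads(line)
        if ev.get("Operation") != "FileModified":
            continue  # reads and other operations create no version
        if datetime.fromisoformat(ev["CreationTime"]) < since:
            continue
        edits[ev["ObjectId"]] += 1
    report = {}
    for path, n in edits.items():
        if n >= limit:
            status = "evicted"
        elif n >= limit * WARN_RATIO:
            status = "at-risk"
        else:
            status = "ok"
        report[path] = (n, status)
    return report

if __name__ == "__main__":
    start = datetime(2020, 5, 1, 9, 0, 0)
    for path, (n, status) in sorted(version_headroom(sample_events(), start).items()):
        print(f"{status:8} {n:4} {path}")
```

Files reported as "evicted" cannot be recovered from version history alone and need a restore from a separate backup.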
Now, if you started thinking that Retention Lock, an optional component within the “Retention Policies” feature, is the perfect solution to avoid backing up your data, please consider the following. These features are not easy to use. There are many things to know and choose from, making it difficult to properly program retention of M365 and related apps like OneDrive and SharePoint. The summary of information on these topics is in a document which is a little longer than five thousand words, just to give you an idea.
Making one programming error within the settings of these features can significantly weaken your retention measures. It is also worth noting that the additional versions are retained in your M365 account and some of them count towards your data limit. Retention measures are good for combating online threats or employees with a grudge, but you must be using Retention Lock. Essentially, Retention Lock stops anyone and everyone from changing Retention Policies, including yourself. So you had better set it up right to begin with. If the policy that you created for retaining data takes up a lot of space, too bad: you must purchase more space at an additional cost. OneDrive and SharePoint apply these versions to your primary storage allowance.
And what happens if you get a “right to be forgotten” request pursuant to the European Union's General Data Protection Regulation or The State of California's Consumer Privacy Act? It is possible that Canada might have similar legislation one day. Or what happens if you want to get rid of something? In these circumstances, if using Retention Lock, it is not possible to remove the data, and the size of your data will continue to grow at an uncapped cost set by Microsoft.
M365 Retention Policies do not work the same as with Exchange. If you use Exchange, the Retention Policy, if activated, stores email put into the trash within a folder 100GB in size. When you need more than 100GB, Microsoft supplies another folder of the same capacity at no cost, but what do you think the chances are that Microsoft starts charging for this in the future? The downside [right now] is that it is difficult to search for specific emails as the size of your data grows. This is because one is not able to search across the entire data set, only specific folders. Certain applications designed to back up M365, including email for business and related app data, do allow you to search across your entire data set in one search query.
There are restrictions on what retention policies can do. For instance, retention policies will not rebuild list columns which were deleted in SharePoint. Your sole option is a full site restore. The online version of Exchange will not do a restore of a mailbox to a specific date and time, not even if you contact the Exchange Support Desk.
If a user's mailbox becomes corrupted by uploading another user's PST file, retention policies will not mitigate this. Unfortunately, there is no way to reverse it without a very big project to remove what could be thousands of emails and calendar appointments from the user's mailbox. If you utilize software designed to back up your M365 data, you will have the ability to restore a user's mailbox to a date and time immediately preceding the event which corrupted it.
Retention Policies, the feature, does not meet all legal hold requirements, only some. It can easily be turned off by bad actors and is complicated to program. Additionally, it does little to collate files for inevitable searching and viewing. All it does is lock user data. Software designed to back up M365 and apps data does a lot to collate files for inevitable database queries.
Here's another example, referring to SharePoint this time. A SharePoint site gets backed up by Microsoft every twelve hours. If you lose data at a point in time between those 2 daily backups, which are twelve hours apart, the data you lost will not be backed up and thus will not be recoverable via this recovery method. Even if you contact SharePoint, the result will be the same. Ask 1CS's SharePoint Support Team for a proper backup of your SharePoint data.
Now imagine that you do not know the date and time the SharePoint data was lost. If you restore to the last backup, which could be close to twelve hours prior, you may not be sure whether your data will be part of that backup or not. If you choose to restore to the previous version, any data created after the last backup will not be in SharePoint after the full-site restore. You would have to save all that data to a separate location before carrying out the full-site restore, then manually insert it into the newly restored site, all while hoping that the data you lost, at a time you are not sure of, is there, as it may not be. Sound risky?
SharePoint's recovery capability can be carried out on a single site, a subsite or a collection of sites. Basically, it's on the site level. If the need arises to rebuild only one person's account within a site, you will not be able to do it, at least not without Microsoft, and there are no guarantees. Microsoft Support Desk has no SLA with respect to data recovery; recovery is done on a best-efforts basis. By contrast, the backup recovery tool deployed by our Microsoft 365 Support Team will work, and much faster.
PowerShell Script is often touted as a remedy to recover certain Microsoft-related data. However, it is understood that PowerShell Script will restore to the previous version, which is the same situation as with the SharePoint site: you may lose some data, and the process to restore will likely be difficult and time consuming. To bolster our case, check out reviews of this product online.
Proponents of M365 Data Protections
Yes, M365 data protection proponents insinuate or outright state that it is not necessary to back up M365 or related app data because the data protection measures within, some optional, some standard, are sufficient to protect user data. We disagree. There is a myriad of reasons why we do not feel these measures are sufficient, and we have provided our reasoning herein.
Yes, M365 data protection proponents also end up saying that if you are recovering from a malware infection, it is likely easier to use a 3rd party backup tool. In other words, even though M365 can get your data back, it will be much easier and less time consuming to use a 3rd party backup tool designed for this purpose.
In conclusion, there are many important reasons why M365 should be backed up. When you deploy 1CS's backup tool to safeguard your M365 and app data, it will be easier to retrieve data, and your data will be safer from hackers, bad actors and disgruntled employees. It may also cost less than using M365 protection features, after considering the additional storage usage that comes with retention periods and locks. But what is best is that recoveries can be at any level of specificity (e.g. email, file, folder, user, site, or subsite), and they come with a durability not offered by Microsoft. Microsoft states that users should utilize a third party backup solution to back up M365, and we couldn't agree more.
Discover how 1CS’s Microsoft 365 Support Services reduce the risk of data loss.