Microsoft 365 Backup vs. 3rd Party Cloud Backup

As organizations increasingly adopt and become dependent on cloud-based services like Microsoft 365 to run key areas of their business, ensuring the security and recoverability of data stored in these environments becomes a high priority. Part of that process would be instituting a backup methodology. There are many options available for backing up Microsoft 365 (and other SaaS data) and recently Microsoft themselves have introduced their own backup solution, “Microsoft 365 Backup”. It’s gone from beta to general availability over the past 9 months. 

Let’s explore more of what Microsoft’s new-ish backup product offers and some commentary on why using a 3rd party backup may be a smarter choice. 

About Microsoft 365 Backup

Microsoft’s recently launched Microsoft 365 Backup is designed to protect organizational data across SharePoint, OneDrive, and Exchange. This backup solution offers a variety of capabilities, from rapid recovery to extensive compliance features, aimed at maintaining business continuity and protecting against data loss. Keep in mind the following is a summary of what Microsoft outlines their backup tool provides. 

Microsoft 365 Backup capabilities include:

Comprehensive Data Protection

Microsoft 365 Backup offers extensive protection for data stored in SharePoint, OneDrive, and Exchange. This ensures that all critical information, including emails, files, and collaborative documents, is backed up and easily recoverable. The service provides full-site and mailbox restores, allowing organizations to recover large sets of data efficiently.

Fast Backup and Restore

One of the purported standout features of Microsoft 365 Backup is its speed. The solution is designed to perform quick backups and restores, minimizing downtime and ensuring that users can access their data with minimal disruption. This rapid recovery capability is crucial for maintaining productivity, especially in environments where data access is time-sensitive.

Backup Retention

The backup retention policy in Microsoft 365 Backup spans one year, with frequent recovery points. This means that organizations can recover data from various points in time over the past year, providing flexibility and assurance that older data can be retrieved if needed. This extensive retention period is particularly beneficial for regulatory compliance and long-term data management.

Mitigating Ransomware and Accidental Deletions

Microsoft 365 Backup plays a critical role in mitigating the effects of ransomware attacks and accidental deletions. By maintaining immutable backups—backups that cannot be altered or deleted—organizations can recover from ransomware attacks without succumbing to ransom demands. Similarly, the ability to restore accidentally deleted data ensures that users can quickly rectify mistakes, reducing the potential for significant data loss.

Geographic Redundancy

To further enhance data protection, Microsoft 365 Backup employs geographic redundancy. This means that backup data is stored in multiple, geographically dispersed data centers. Geographic redundancy ensures that data remains available even if one data center experiences an outage or disaster, providing an additional layer of security and reliability.

Data Immutability

Data immutability is a cornerstone of Microsoft 365 Backup’s security features. Immutable backups ensure that once data is backed up, it cannot be altered or deleted until the retention period expires. This is particularly important for compliance with various regulatory standards that require data integrity and protection against unauthorized changes.

Compliance

Microsoft 365 Backup is designed to comply with a wide range of industry standards and regulations, ensuring that organizations can meet their legal and regulatory obligations. This includes compliance with standards such as GDPR, HIPAA, and more. By adhering to these standards, Microsoft 365 Backup helps organizations avoid potential fines and legal issues associated with data protection non-compliance.

Integration with Partner Applications

Enhanced Functionality

Microsoft 365 Backup integrates with various partner applications to enhance its functionality. These integrations allow organizations to leverage additional features and capabilities provided by third-party vendors, tailoring the backup solution to meet specific business needs. Whether it’s advanced reporting, additional security measures, or specialized recovery options, these partner applications can significantly augment the base functionality of Microsoft 365 Backup.

Simplified Management

Integration with partner applications also simplifies the management of backup and recovery processes. By centralizing control and providing a unified interface, administrators can manage backups more efficiently, monitor data protection status, and respond to issues promptly. This streamlined management approach reduces the administrative burden and ensures that data protection strategies are consistently applied across the organization.

Microsoft’s Shared Responsibility Model

We also think it’s important to understand the Shared Responsibility Model in Microsoft 365, where Microsoft and the customer have distinct roles in data protection and security.

Microsoft’s Role:

• Protecting data centers, hosts, networks, and physical equipment.
• Ensuring the security of Microsoft 365 cloud services.
• Provide file versioning, retain deleted items, and maintain basic compliance within the Microsoft cloud.

Customer’s Role:

• Safeguard data residing on Microsoft 365 services.
• Set up security controls, access permissions, and securing endpoints.
• Manage data retention beyond Microsoft’s provisions, aligning with business and compliance needs.
• Create multiple data copies and separating production from backup data.
• Ensure adherence to business-specific legal standards.

The bottom line is Microsoft 365 Backup (along with any other solutions in the market) is not 100% failsafe alone. There is still a responsibility within businesses themselves to ensure their data security and retention. Backup software is a key part but not the only step. 

It is because of this shared responsibility model that we encourage businesses to look at 3rd party backup solutions versus using the same company that hosts your primary data for your backup needs. As long-time security engineers, if you’re concerned about a primary data source like Microsoft 365 becoming compromised we question why you’d want to depend on the same source for your backup. What’s to say the primary and backup data sources won’t be compromised simultaneously? 

It’s this point alone that should give security professionals pause before they implement such an important step in their organization’s backup process. Relying on the same company to host your primary and backup data does not seem like the best choice when considering the shared responsibility model outlined above. 

Put differently, a data security professional put it this way: 

“I would not backup anything in Microsoft 365 to Microsoft 365. Is it safe? Probably. But for backups, I do not want my production data and my backup data controlled by the same company.

Why? IMO, unless you can get in your car and physically check out Microsoft’s data centers, I would not assume that Microsoft is doing truly immutable, separated backups. There is no way to be sure from the outside.

With an outside provider like AWS or Wasabi, there is a physical break between the two without you having to do intense investigative work.

Put another way: imagine Microsoft’s infrastructure became compromised. How do you know that the infrastructure controlling Microsoft’s production systems is not also controlling their backup systems? Even if Microsoft says they’re separated, how do you know? How do you verify?

A third-party provider provides that guarantee by its nature.”

Benefits of Third-Party Backup Solutions vs. 1st Party Backup

Using third-party Microsoft 365 backup software offers enhanced data protection with comprehensive backup and restore capabilities for Exchange Online, SharePoint Online, OneDrive, Teams, and other Office 365 data. These solutions protect against data loss and ransomware, ensuring robust, reliable data management. 

As mentioned, they guarantee a physical separation of primary and backup data by nature which is different from using Microsoft to secure data for and with their own products. 

Additionally, you are avoiding vendor lock-in and ensuring data portability when using a 3rd party backup vendor. 

Third-party backup solutions also often provide more extensive and flexible data protection options compared to Microsoft’s native offering. These tools typically support a wider range of data types and offer more granular control over what is backed up and how frequently. Microsoft 365 Backup is designed just for Microsoft 365 whereas 3rd parties have the bigger picture in mind. 

Third-party solutions are also designed to integrate seamlessly with various other tools and platforms used within an organization. This includes support for hybrid environments, where data is stored both on-premises and in the cloud. Microsoft doesn’t have the same incentive to integrate. 

The bottomline is relying on third-party backup solutions provides a level of vendor neutrality that can be advantageous for organizations. This means that your data protection strategy is not solely dependent on Microsoft, reducing the risk associated with vendor lock-in and ensuring that you have multiple options available should you need to switch providers or use additional services.

While Microsoft 365’s native backup offering provides a basic level of data protection, third-party backup solutions like SpinBackup for Microsoft 365 usually offer superior features, flexibility, and security. By choosing a third-party provider, organizations can benefit from enhanced data protection capabilities, more comprehensive recovery options, better integration and support, and overall greater control over their backup and recovery strategies. This makes third-party backup software a more robust and adaptable choice for businesses looking to safeguard their data in the cloud.