Microsoft 365: Effective SaaS Backup Solutions Overview

Organizations worldwide have been accelerating their migrations to the cloud. In addition, prompted by the significant shift to remove work at the beginning of 2020 due to the pandemic, businesses are looking to enable employees to work remotely with the communication and collaboration tools needed to carry out critical business tasks. Microsoft 365 is one of the top choices among businesses for housing their data, services, and collaboration tools in the cloud. However, with business-critical data stored in the Microsoft cloud, companies must protect their critical data. What features are needed to backup Microsoft 365 environments to ensure data is adequately protected? Are built-in SaaS backup features for Microsoft 365 good enough for your business?

Microsoft’s shared responsibility model

Cloud Software-as-a-Service environments like Microsoft 365 alleviate much of the burden on organizations for taking care of infrastructure. With cloud SaaS environments like Microsoft 365, the physical infrastructure and security of the data center fall to the cloud service provider. No longer having to take care of the physical infrastructure, servers, network, and all the lifecycle management responsibilities included is a huge benefit.

Microsoft 365 allows businesses to offset the management and lifecycle costs of maintaining infrastructure.

However, there is a critical responsibility that you as the customer retain, even with cloud SaaS environments like Microsoft 365 – protecting your data. Note the following responsibilities outlined by Microsoft with each type of infrastructure offering, from on-premises to SaaS.

Responsibility matrix for Microsoft cloud services

In the Shared responsibility in the cloud document, Microsoft mentions the following:

“For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).

Regardless of the type of deployment, the following responsibilities are always retained by you:

Data

Endpoints

Account

Access management”

As shown, your data is your responsibility, as outlined by Microsoft in this shared responsibility model.

Relying on built-in Microsoft protection alone is risky

While leaving your data in the hands of a world-class cloud provider with state-of-the-art data centers is not dangerous, relying on built-in features to “back up” your data can be. As already highlighted, from Microsoft’s perspective, protecting your data is ultimately your responsibility. However, Microsoft provides a few built-in features that can provide a measure of “rollback” capabilities if the information is changed or lost.

File versioning in OneDrive for Business and SharePoint allows customers to have the ability to restore a file to a previous version of the file. You can also restore an entire OneDrive account to an earlier version of the data set. However, there are limitations to this capability.

The built-in versioning features do not provide all the “bells and whistles” of a proper enterprise backup solution, including automated recovery features. In addition, the standard versioning found in Microsoft 365 has other undesirable characteristics of versioning. For example, any user who has edit rights to the file can delete the version history.

The built-in versioning is also limited in the number of versions kept by default. Additionally, Microsoft keeps deleted files for a maximum of 93 days by default when it comes to deleted files. This time frame for keeping deleted files may not align with business objectives or compliance requirements. Therefore, businesses must consider these aspects of Microsoft’s built-in versioning and retention when protecting their data from data loss threats.

Features of proper Microsoft 365 data protection

While Microsoft’s built-in versioning and retention can provide a measure of protection from data loss, what capabilities are needed for businesses to protect their Microsoft 365 environments adequately? Let’s take a look at the following capabilities needed:

Keep backup and production data separate
Use both hot and archive backups
Inventory your data
Encrypt data in-flight and at-rest
Combine backup with cybersecurity

1. Keep SaaS backup and production data separate

When backing up your Microsoft 365 environment, including your business-critical data, it is important to keep your backup data separated from your production data. It is never a good idea to combine locations and infrastructure for the two. Following this, it keeps in line with the best practice principles embodied in the 3-2-1 backup rule.

With the 3-2-1 backup rule, keeping multiple copies of your data stored in multiple (different) locations is advised. While Microsoft’s cloud infrastructure is ultra-resilient, like all cloud service providers, they have experienced outages in the past. With an outage comes the potential for data loss.

Choosing a data protection solution for your Microsoft 365 data that stores the backup data outside the realm of the Microsoft cloud aligns with the best practice of separating your production and backup data.

2. Use both hot and archive backups

There are different types of backups that serve different purposes when protecting your data. For example, most organizations benefit from and require both hot backups and archive backups. Each has a specific function and purpose. Hot backups are the specific type of backup used to recover data that has been deleted, unexpectedly updated, or encrypted with ransomware.

Archive backups are often used for long-term data analysis, auditing, and compliance purposes. For example, archive backups serve this purpose if there is a need to review the information in a specific data set from a particular point in time. Therefore, a well-rounded data protection strategy for Microsoft 365 should include both types of backups.

3. Inventory your data

Without understanding what data you have, it isn’t easy to protect it. Businesses need to understand what information they have in the Microsoft 365 cloud, which services are used, and how their data must be protected. Without this proper understanding and data inventory, it can be challenging to protect business-critical data assets adequately.

Inventorying your data in the cloud is not easy, especially with built-in tools and visibility. As a result, organizations often need a third-party solution that can help understand and catalog data locations.

4. Encrypt data in-flight and at-rest

Data leakage is arguably one of the worst outcomes of a cybersecurity event. Leaking sensitive or confidential information to the public can lead to disastrous consequences. These include lost customer base, damaged business reputation, legal and regulatory fines, and other adverse outcomes.

It is important to remember when you backup your production Microsoft 365 environment, it contains production data. Therefore, if an attacker can easily see information contained in production backups, the result is much the same as compromising production data directly.

Encrypting data in-flight and at rest helps ensure that no data is transmitted or stored in clear text or can be easily compromised. It is one of the standard pillars of data security and regulatory compliance requirements.

5. Combine backup with cybersecurity

Today, business data is squarely in the sights of attackers looking to compromise, extort, and fleece businesses by holding their data hostage. As a result, companies must implement proactive solid cybersecurity measures to ensure data is protected. In addition, strong cybersecurity measures can help prevent cybersecurity incidents and avoid the need to use data recovery altogether.

The native cybersecurity protections in Microsoft 365 are reactive and not proactive when it comes to ransomware. While Microsoft 365 can detect ransomware activity, it only alerts you to the ransomware activity. Note the screenshot below of this notification from Microsoft 365 of ransomware activity.

According to Microsoft:

“When Microsoft 365 detects a ransomware attack, you’ll get a notification on your device and receive an email from Microsoft 365.”

Customers are then given the steps to recover their files from ransomware manually.

Signs of ransomware detected message in Microsoft 365

Another view shows what an end-user sees when logging into their OneDrive account.

OneDrive for Business ransomware activity detected

This reactive approach is not good enough for most companies to support agreed-upon SLAs and Restore Time Objectives (RTOs). RTOs are directly affected by the amount of data that needs recovering. Also, Microsoft and other cloud service providers throttle the use of the API, which is called during restore operations that require “write” calls to the API.

Combining cybersecurity with your backups helps to ensure the “blast radius” of a ransomware attack is contained so that data recovery is minimized. The two go hand-in-hand with today’s cybersecurity risk landscape.

SaaS Backup and Secure Microsoft 365 with SpinOne

The capabilities that businesses have to backup and protect their Microsoft 365 environment directly rely on the capabilities of their data protection solution. Relying on the built-in versioning and retention is risky and can leave your data exposed to the ravages of ransomware.

SpinOne is a modern, next-generation data protection and cybersecurity platform that allows properly protecting your Microsoft 365 environment from ransomware and other threats. It effectively uses artificial intelligence (AI) to scan, inventory, audit, and protect Microsoft 365. In addition, it provides the tools and capabilities needed to carry out the best practice features covered and more.

SpinOne’s Office 365 Backup Solutions protect your data with both hot backups and the ability to retain archive backups for regulatory purposes. It allows businesses to have access to the following features:

Granular backup and restores of Microsoft 365 resources
Automated backups
The ability for companies to choose which cloud their backup data is stored in
Backups encrypted both in-flight and at-rest
99.99% accuracy in recovering your data

It allows combining backups and cybersecurity and provides proactive ransomware protection in Microsoft 365. The ransomware protection module in SpinOne provides the following functionality: