Microsoft 365: Effective SaaS Backup Solutions Overview
Organizations worldwide have been accelerating their migrations to the cloud. In addition, prompted by the significant shift to remote work at the beginning of 2020 due to the pandemic, businesses are looking to enable employees to work remotely with the communication and collaboration tools needed to carry out critical business tasks.
Microsoft 365 is one of the top choices among businesses for housing their data, services, and collaboration tools in the cloud. However, with business-critical data stored in the Microsoft cloud, companies must protect that data. What features are needed to back up Microsoft 365 environments to ensure data is adequately protected? Are built-in “backup” features for Microsoft 365 good enough for your business?
Microsoft’s shared responsibility model
Cloud Software-as-a-Service environments like Microsoft 365 alleviate much of the burden on organizations for taking care of infrastructure. With cloud SaaS environments like Microsoft 365, the physical infrastructure and security of the data center fall to the cloud service provider. No longer having to take care of the physical infrastructure, servers, network, and all the lifecycle management responsibilities included is a huge benefit.
Microsoft 365 allows businesses to offset the management and lifecycle costs of maintaining infrastructure.
However, there is a critical responsibility that you as the customer retain, even with cloud SaaS environments like Microsoft 365 – protecting your data. Note the following responsibilities outlined by Microsoft with each type of infrastructure offering, from on-premises to SaaS.
Responsibility matrix for Microsoft cloud services
In the Shared responsibility in the cloud document, Microsoft mentions the following:
“For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).
Regardless of the type of deployment, the following responsibilities are always retained by you:
- Access management”
As shown, your data is your responsibility, as outlined by Microsoft in this shared responsibility model.
Relying on built-in Microsoft protection alone is risky
While leaving your data in the hands of a world-class cloud provider with state-of-the-art data centers is not dangerous, relying on built-in features to “back up” your data can be. As already highlighted, from Microsoft’s perspective, protecting your data is ultimately your responsibility. However, Microsoft provides a few built-in features that can provide a measure of “rollback” capabilities if the information is changed or lost.
File versioning in OneDrive for Business and SharePoint allows customers to restore a file to a previous version. You can also restore an entire OneDrive account to an earlier version of the data set. However, there are limitations to this capability.
The built-in versioning features do not provide all the “bells and whistles” of a proper enterprise backup solution, including automated recovery features. In addition, the standard versioning found in Microsoft 365 has other undesirable characteristics. For example, any user who has edit rights to the file can delete the version history.
The built-in versioning is also limited in the number of versions kept by default. Additionally, Microsoft keeps deleted files for a maximum of 93 days by default. This time frame for keeping deleted files may not align with business objectives or compliance requirements. Therefore, businesses must consider these aspects of Microsoft’s built-in versioning and retention when protecting their data from data loss threats.
Features of proper Microsoft 365 data protection
While Microsoft’s built-in versioning and retention can provide a measure of protection from data loss, what capabilities are needed for businesses to protect their Microsoft 365 environments adequately? Let’s take a look at the following capabilities needed:
- Keep backup and production data separate
- Use both hot and archive backups
- Inventory your data
- Encrypt data in-flight and at-rest
- Combine backup with cybersecurity
1. Keep backup and production data separate
When backing up your Microsoft 365 environment, including your business-critical data, it is important to keep your backup data separated from your production data. It is never a good idea to combine locations and infrastructure for the two. Keeping them apart is in line with the best practice principles embodied in the 3-2-1 backup rule.
With the 3-2-1 backup rule, keeping multiple copies of your data stored in multiple (different) locations is advised. While Microsoft’s cloud infrastructure is ultra-resilient, like all cloud service providers, they have experienced outages in the past. With an outage comes the potential for data loss.
Choosing a data protection solution for your Microsoft 365 data that stores the backup data outside the realm of the Microsoft cloud aligns with the best practice of separating your production and backup data.
2. Use both hot and archive backups
There are different types of backups that serve different purposes when protecting your data. For example, most organizations benefit from and require both hot backups and archive backups. Each has a specific function and purpose. Hot backups are the specific type of backup used to recover data that has been deleted, unexpectedly updated, or encrypted with ransomware.
Archive backups are often used for long-term data analysis, auditing, and compliance purposes. For example, archive backups serve this purpose if there is a need to review the information in a specific data set from a particular point in time. Therefore, a well-rounded data protection strategy for Microsoft 365 should include both types of backups.
3. Inventory your data
Without understanding what data you have, it isn’t easy to protect it. Businesses need to understand what information they have in the Microsoft 365 cloud, which services are used, and how their data must be protected. Without this proper understanding and data inventory, it can be challenging to protect business-critical data assets adequately.
Inventorying your data in the cloud is not easy, especially when relying only on built-in tools and visibility. As a result, organizations often need a third-party solution that can help understand and catalog data locations.
4. Encrypt data in-flight and at-rest
Data leakage is arguably one of the worst outcomes of a cybersecurity event. Leaking sensitive or confidential information to the public can lead to disastrous consequences. These include lost customer base, damaged business reputation, legal and regulatory fines, and other adverse outcomes.
It is important to remember that when you back up your production Microsoft 365 environment, the backup contains production data. Therefore, if an attacker can easily see information contained in production backups, the result is much the same as compromising production data directly.
Encrypting data in-flight and at rest helps ensure that no data is transmitted or stored in clear text or can be easily compromised. It is one of the standard pillars of data security and regulatory compliance requirements.
5. Combine backup with cybersecurity
Today, business data is squarely in the sights of attackers looking to compromise, extort, and fleece businesses by holding their data hostage. As a result, companies must implement solid, proactive cybersecurity measures to ensure data is protected. In addition, strong cybersecurity measures can help prevent cybersecurity incidents and avoid the need to use data recovery altogether.
The native cybersecurity protections in Microsoft 365 are reactive and not proactive when it comes to ransomware. While Microsoft 365 can detect ransomware activity, it only alerts you to the ransomware activity. Note the screenshot below of this notification from Microsoft 365 of ransomware activity.
According to Microsoft:
“When Microsoft 365 detects a ransomware attack, you’ll get a notification on your device and receive an email from Microsoft 365.”
Customers are then given the steps to recover their files from ransomware manually.
Signs of ransomware detected message in Microsoft 365
Another view shows what an end-user sees when logging into their OneDrive account.
OneDrive for Business ransomware activity detected
This reactive approach is not good enough for most companies to support agreed-upon SLAs and Restore Time Objectives (RTOs). RTOs are directly affected by the amount of data that needs recovering. Also, Microsoft and other cloud service providers throttle the use of the API, and restore operations depend on “write” calls to that API.
Combining cybersecurity with your backups helps to ensure the “blast radius” of a ransomware attack is contained so that data recovery is minimized. The two go hand-in-hand with today’s cybersecurity risk landscape.
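The restore-time point above can be made concrete with a small simulation. This is an added example, not code from the original article or from Microsoft or SpinOne; the request limit, window length and per-call latency are constructed values, and the ThrottledWriteApi class is a hypothetical stand-in for a throttled write API that answers HTTP 429 with a retry-after interval.

```python
# Added example: all limits and timings below are constructed, not Microsoft's.
from dataclasses import dataclass


@dataclass
class ThrottledWriteApi:
    """Stand-in for a SaaS write API with a fixed-window request limit."""
    limit: int          # writes accepted per window (assumed value)
    window_ms: int      # window length in milliseconds (assumed value)
    window_start: int = 0
    used: int = 0

    def write(self, now_ms: int) -> tuple[int, int]:
        """Return (HTTP status, retry-after in ms) for one write at now_ms."""
        elapsed = now_ms - self.window_start
        if elapsed >= self.window_ms:
            # Roll forward to the window that contains now_ms.
            self.window_start += (elapsed // self.window_ms) * self.window_ms
            self.used = 0
        if self.used < self.limit:
            self.used += 1
            return 201, 0
        # Throttled: tell the caller how long until the window resets.
        return 429, self.window_start + self.window_ms - now_ms


def simulate_restore(items: int, limit: int, window_ms: int, per_call_ms: int) -> dict:
    """Restore `items` objects on a virtual clock, honouring retry-after."""
    api = ThrottledWriteApi(limit, window_ms)
    clock = restored = throttled = 0
    while restored < items:
        status, retry_after = api.write(clock)
        if status == 429:
            throttled += 1
            clock += retry_after      # back off instead of hammering the API
        else:
            restored += 1
            clock += per_call_ms      # latency of one successful write
    return {"elapsed_ms": clock, "throttled": throttled,
            "unthrottled_ms": items * per_call_ms}


def meets_rto(result: dict, rto_ms: int) -> bool:
    """True when the simulated restore finishes inside the recovery objective."""
    return result["elapsed_ms"] <= rto_ms


if __name__ == "__main__":
    for n in (100, 250, 1000):
        r = simulate_restore(n, limit=100, window_ms=10_000, per_call_ms=50)
        print(n, r, "meets 20 s RTO:", meets_rto(r, 20_000))
```

With these constructed numbers, a tenfold increase in affected items raises the restore time nineteenfold, because every full window adds a forced wait.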
Backup and Secure Microsoft 365 with SpinOne
The capabilities that businesses have to back up and protect their Microsoft 365 environment directly rely on the capabilities of their data protection solution. Relying on the built-in versioning and retention is risky and can leave your data exposed to the ravages of ransomware.
SpinOne is a modern, next-generation data protection and cybersecurity platform that lets you properly protect your Microsoft 365 environment from ransomware and other threats. It effectively uses artificial intelligence (AI) to scan, inventory, audit, and protect Microsoft 365. In addition, it provides the tools and capabilities needed to carry out the best practice features covered and more.
SpinOne’s enterprise-grade backups protect your data with both hot backups and the ability to retain archive backups for regulatory purposes. It allows businesses to have access to the following features:
- Granular backup and restores of Microsoft 365 resources
- Automated backups
- The ability for companies to choose which cloud their backup data is stored in
- Backups encrypted both in-flight and at-rest
- 99.99% accuracy in recovering your data
It allows combining backups and cybersecurity and provides proactive ransomware protection in Microsoft 365. The ransomware protection module in SpinOne provides the following functionality:
- Scans the environment for signs of ransomware activity
- If detected, SpinOne blocks the malicious ransomware process at a network level
- Files are scanned to determine whether any data has been affected by ransomware
- SpinOne automatically recovers affected files
- Administrators are notified
To learn more about how SpinOne can help protect and secure your Microsoft 365 data, click here.