More and more companies today are using Microsoft 365. This SaaS service from Microsoft is hugely popular these days. One part of this service is that data is stored in the Cloud at Microsoft. This offers many advantages and works efficiently. But how is it arranged if there is a calamity? In this blog post, we look at the need to back up this data (which is, therefore, in the Cloud).
Why Backup Microsoft 365 data? It is a common misconception that Microsoft 365 data does not need to be backed up because Microsoft already does this. This is not the case! Microsoft offers a number of possibilities to secure and retrieve data, but this is often insufficient.
Microsoft offers limited retention periods
Microsoft does offer retention and recovery options, but these are often insufficient for a professional organization. For example, creating a so-called “point-in-time” backup is impossible, meaning you cannot recover a deleted email after a few months with the default settings of Microsoft 365.
Also, these settings do not provide a backup in case of a hack, ransomware attack, accidental deletion of contacts, emails or files, or internal threats. It is therefore essential to arrange an external backup yourself. Microsoft itself recommends using an external backup in the terms and conditions.
(Microsoft also offers some additional features, which I will cover further up in this article)
Mandatory for some industries
Is your organization active in the financial, healthcare, or legal sectors? Then chances are you are bound by additional data access and backup regulations. For example, HIPPA, GDPR, Can-Spam, and other regulations often require you to keep data for years. In the event of an audit, you don’t want to find out that needed information has disappeared, and a backup is, therefore, often a requirement.
You don’t always notice data loss
Imagine: you and your colleagues worked on a major project last year. Shortly after setting it up, one of those colleagues deliberately deleted some unnecessary documents from the folder. Only after six months do you discover this colleague accidentally deleted the entire folder. In a small, inattentive moment, the critical information is gone. A backup ensures that you can always restore old data. This is useful when you need the documents again, if an audit takes place or if you unexpectedly need files for a legal process.
Staying one step ahead of cybercriminals
Cybercriminals are getting more innovative and nimble. A few years ago, you could recognize phishing immediately, but nowadays, fake emails are almost impossible to distinguish from real ones. Perhaps you have opened one yourself by accident. One inattentive moment from a colleague is enough: one click with enormous consequences. Hackers can use such a link to encrypt all company data so that no one can access it. They only release the data after payment. So they say…
If you use a backup, you are not dependent on the promises of a cyber-criminal. Instead of transferring money to get your data back, you restore an earlier copy of all your data. That makes you feel safe, right?
What options does Microsoft offer?
Is there a disaster? Then Microsoft offers a data recovery option. You must request a “Restore” from Microsoft yourself. A time-consuming activity where the moment of recovery is not yet precise. Your Office 365 environment can be restored for twelve hours. This is not possible for individual mailboxes or SharePoint environments. Data can be recovered for up to fourteen days.
Recycle Bin Process
If you delete data, Office 365 stores it in the primary recycle garbage can. For emails and SharePoint, there is a second recycle garbage can. If an email is in the recycle garbage can, these messages are permanently deleted after 30 days. Sharepoint retains files for up to 93 days.
Version management
It is possible to save different versions of data. This is done with version management. For email, this is linked to retention. Email version management is only possible for E3, E5, and Exchange Online users. When you activate email retention, versions of a message are automatically saved. Think of changes in subjects, text, attachments, senders/receivers, or data. Sharepoint version control is not limited to specific subscriptions. It is separate from retention. Version control allows you to view the change history of items, track changes to Helpdesk tickets, track content changes, restore previous versions of documents, and compare versions.
eDiscovery and legal hold
For technical and legal research, Microsoft offers eDiscovery and legal hold. Electronic discovery, or eDiscovery, is the process of identifying and providing electronic information that can be used as evidence in legal matters. This data can be held (at additional cost) for an additional period of time and can also be exported. The export function is then done to a local computer and, therefore, not back to the original format (email, teams chat, etc.).
Retention policies
Do you have an E3, E5, or Exchange Online subscription in Office 365? If so, there are several retention options.
Retention policies and labels are used to prevent permanently deleting Office 365 data such as files, documents, and emails. They also ensure that necessary information is stored for the mandated period of time. Office 365 retention policy is used to implement rules on all items and documents, with minimal exceptions. In addition, retention labels allow customized settings for a single folder, document, file, and email. Retention labels can be applied both automatically and manually by users. (Note: you must have global admin permissions to manage retention policy and labels).
It is possible to retain data longer than the standard period or automatically delete it after a specific time. You do this with retention tags. When a user applies a Microsoft 365 retention label (a label configured to retain content or retain content and then delete it) to a folder or item in the inbox, retention is placed in the inbox as if the inbox had been placed in legal retention or assigned to a Microsoft 365 retention policy. It is possible to apply retention tags automatically or manually. If done manually, it may be forgotten or the incorrect retention label may be chosen, causing data to be retained unexpectedly for too short or too long.
Microsoft Compliance Retention Policies is a powerful tool to comply with legal and regulatory requirements for Microsoft 365 applications and their data types. When a retention policy is enabled, existing artifacts and all new data will remain secure in Microsoft 365 for a defined period of time.
Retention Policies in Office 365 allow you to keep data, delete it, or keep it first and then delete it. Retention Policies define how long email messages should be retained before they are permanently deleted. These policies depend primarily on specific government regulations and vary by industry. When you keep all the data, you increase the chances of data breaches. And when an account is taken over or falls victim to a ransomware attack, data cannot be recovered as well or as quickly. Retention policies are therefore of great importance. But are retention policies enough?
Unfortunately, it is a misconception that Retention Policies are enough for retaining data. Retention Policies are part of the solution, but Retention Policies alone are not enough to retrieve the information you need. You can only retrieve deleted data within the retention period that has been set. Company policies may only allow you to keep data for a limited time. Restoring large amounts of data also takes a lot of time.
Limitations of the Microsoft 365 Retention Policy
- If users or admins delete the data, it will override the retention policy (!), and the data will be removed from Microsoft 365. These items will still be available using eDiscovery or the Preservation Hold library. As the library is included in the site’s storage quota, you may need to increase your storage when you use retention policies for SharePoint and Microsoft 365 groups
- An email or document can have only a single retention label applied to it at a time. • For Exchange, calendar items are not retained, as are site looks/themes and related settings
- For SharePoint & OneDrive, (membership) permissions, sharing, and access permissions are not preserved
- For Teams/Groups, while chats are retained, chat attachments and Group data not linked to SharePoint are not retained. No permissions, user membership, and metadata are secured with retention policies
- The storage costs of retention can be high, crossing the 11TB limit of Office 365. These costs can rack, especially if you plan to use Retention policies as a backup for multiple years. That will require you to purchase additional storage while incurring license upgrade costs to the most expensive Enterprise plan
While Office 365 retention policies may work to adhere to compliance requirements and protect some sensitive data, they fall short when considered as a backup and recovery solution. Consider looking at the BDRSuite for Microsoft 365 backup! This product will secure all your Microsoft 365 data from loss while allowing you to recover data from any point-in-time or granularity level in minutes and ensure regulatory compliance. This ensures you the best protection against ransomware, crypto viruses, or unwanted deleted data. The Microsoft 365 backups are stored on your own storage or in the (public/private) Cloud.
Vembu also offers a free version with some limitations, but you can use this excellent for trying out their product and its features. I’m planning to write an in-depth review of their latest version.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.