Office 365… A New Hope

Written by Christoan Smit

16 Aug, 2019

In a server room far, far away, there is a hard drive with your Office 365 data on it.

There is, however, a small problem with that – whether you knew this or not, you’re completely on your own. Yes. Microsoft does not provide backup for your data – their Ts & Cs are quite clear on that. In other words: It’s your problem.

Another point of confusion is geo redundancy, which sounds like backup, but isn’t. Geo redundancy simply means that internally, Microsoft have multiple data centres around the globe that share the load and provide backup for one another. They do not, however, provide specific backup of your data – again, that’s your responsibility, and the question of where exactly the data is stored raises some GDPR issues to boot.

What are the risks of using Office 365 “as is”?

If you delete a user, by accident or by design, the deletion is replicated across the entire 365 ecosystem, including SharePoint and OneDrive.

The “soft” delete/“hard” delete option does give you a bit of leeway, but not much. The 365 backup and retention policies are very limited and really designed for situational data loss, not proper backup and archiving.

The ability to restore to a specific point in time simply does not exist in the world of 365. This raises the additional problem of legal and regulatory compliance – you might not necessarily have all the backups you need, going back as far as they should.

Another problem with 365 is that it offers zero protection against an internal threat such as a disgruntled employee. Files can be moved, copied, deleted or hidden by users with sufficient access rights, and Microsoft has no way of telling the difference between legitimate and nefarious activities.

Lastly, believe it or not, your 365 network can be infected by malware. Microsoft does malware scanning through Exchange Online Protection (EOP), but brand new viruses can sometimes slip through even the best of defences. The fact that 365 offers only very limited Data Rollback means you could still be in trouble – your data could have been destroyed (or worse, surreptitiously altered) with no way of getting it back.

How to get around it?

Some people have been using the Litigation Hold feature to fudge some sort of backup, but this is not best practice and Microsoft might very well pull the plug on that feature or put some abuse prevention in place, as they have done in the past with some of their other services. It also only offers 180-day retention, which means you still don’t have proper backups and archiving for legal & regulatory purposes.

The best option then is to create a full backup set using something like Veeam or Ahsay. This means you either need your own servers (which in turn should be backed up to cloud) or you need a cloud provider who can create a full-feature repository into which you can back up your entire 365 environment.

The latter option – a full cloud repository – can give you, depending on the provider:

  • Undelete of any accidental/intentional deletions for 365 days
  • Indefinite archiving for legal & regulatory purposes
  • Top-notch malware protection
  • Full rollback in the event of a disastrous infection that somehow slipped through. At least this way you’ll be back in the same position you were in before the attack, with typically only a few hours’ worth of productivity being lost.

A good cloud provider will also provide support for 365 and migration support should you wish to switch up to Hosted Exchange and Hosted Office.