A resilient O365 Environment (Part One)
Backup and Disaster Recovery
Often when a company moves from an On-Premises or Service Provider Exchange service to O365, it is assumed that the setup and coverage provided by Microsoft's O365 offering is "identical". If this were the case, there wouldn't necessarily be demand or investment by third party vendors around the O365 ecosystem. There are a significant number of vendors in the Security and Disaster Recovery space whose products augment the many features and functionality within O365.
In this blog post we will look at the case for an external backup regime and why a business needs to consider such a strategy.
As with most Cloud Services, O365 and other Microsoft Cloud Services operate under a Shared Responsibility model. Essentially with O365, Microsoft provide their Backup and Recovery features through an "Availability model". This ensures that they are able to meet the uptime SLAs of 99.9%.
Microsoft will ensure that the Infrastructure is available and backups are done, however they take no responsibility for the data stored within O365. They provide a limited number of toolsets and options to restore data in the event of data loss, often well short of the flexibility companies and administrators are used to when utilising third party tools in a more traditional environment. Further, there is no isolation between the "backup" data and the live data.
Where O365 may impede your recovery
Traditionally companies would not have delivered a solution within their business without satisfactory backup and DR features. So why should O365 be any different? Sure, Microsoft do provide different retention policies, ransomware protection mechanisms and file versioning. O365 relies on Recycle Bins and file version history as recovery mechanisms for businesses (Exchange Online is more mature and provides more tools, but granularity and control are still limited).
If you find that data is lost, retrieving that same data through the Microsoft channels and tool set(s) may be a long and drawn out process.
Consider the following use cases and the risks they present to your business:
1. Accidental Deletion - In the event of an Administrative error, when a user is deleted, the deletion is replicated across the O365 network and it's gone for good!
2. File Corruption
3. Accidental Deletion of Files
4. Internal Security Threats / Insider Attacks
5. External Security Threats - Although there have been significant improvements in ransomware protection, as always the final line of defence is your backup data repository.
6. Legal and compliance requirements - Being able to access data in the event of legal actions or to meet compliance requirements.
By implementing a third party backup solution, the risks to your business would be greatly reduced if these use cases were to play out in your business.
Retention Policy Gaps
A significant risk in recovering from the loss of data is ensuring that retention policies are correctly configured. O365 makes this a little difficult with varying policies across each of the applications. This diagram (sourced from Veeam 2018) shows the differing policies. There are also other considerations around O365 licensing to take into account. As with any backup strategy there should be a consistent backup and retention policy in place.
And our next topic
In conclusion, businesses need to be aware of the actual coverage and tools provided by Microsoft natively within O365. This post has by no means been a deep dive into this space, however there is a place for third party solutions in the DR space to help businesses meet retention requirements and recovery objectives. In the event of a serious incident across an O365 environment, in our opinion the current Microsoft tool sets would be insufficient during response and recovery activities. It's a discussion that should be had more often. Just because your data is in the cloud with uptime SLAs doesn't mean that as a business you no longer have any responsibility to ensure that the data isn't lost.
In continuing our focus on building a resilient O365 environment, in a future blog we will take a look at the security of O365.