It has become apparent that many Microsoft partners and consumers genuinely do not understand the need for backup and recovery services for their Microsoft 365 deployments. Even our own research highlighted that nearly 40% of survey respondents believed that Microsoft provides everything they need to protect their Microsoft 365 environment. I genuinely believe that this lack of understanding comes from two issues:
- Customers are not familiar with the distinction between email archiving and data protection
- Customers believe that Microsoft’s highly resilient Software as a Service (SaaS) offering protects all data and applications
Email archiving provides eDiscovery, regulatory compliance, and legal protection of your email data. Put simply, it captures every email that has been sent and received by your organisation, and ensures that these messages can be found and retrieved. A good archiving solution also has the following qualities:
- The archived emails and attachments cannot be changed or manipulated.
- Items can be retrieved by using clever searches grouped together or complex searches called “Tags.”
- Search results can be placed into Legal Hold so that they are not purged and can be easily retrieved as needed. This feature is most often used for compliance audits, litigation, or related reasons.
- End-users are able to search an retrieve their own messages as needed, according to the policies configured by the System Administrator.
I strongly recommend that all businesses have a good email archiving solution in place to protect the company from potential compliance and legal incidents. The risk of not having an archiving solution in place leaves a company wide open and exposed to any legal ramification that relies on email evidence.
Email archiving is not a backup
Even if you have email archiving services in place, you should still maintain a backup and recovery solution for Microsoft 365. Archiving can hold and retrieve specific messages, but it cannot restore a complete mailbox and all of its contents to a single point in time. Imagine the following scenarios:
- Somebody hacks your Microsoft 365 account, deletes everything in your mailbox, and empties the recycle bin. This type of deletion is common during account takeover attacks, so that there is less evidence of the attack left behind.
- You accidentally delete a sub folder containing important work email and various documents (attachments). You may not notice this straight away as often you have lots of sub folders in your mailbox and this type of thing is easy to do by mistake on your phone.
- A former employee’s account was deleted and you realize you need to restore his mailbox. Using an email archiver for this task would be tedious and require multiple steps outside of the archiver.
- A cyberattack, a human error, or a catastrophic event has caused data loss in OneDrive for Business, SharePoint Online, or Microsoft Teams. Email archiving does not store this content.
With an archiving solution you could search and retrieve specific email items from the archive, but even if you knew what to retrieve from the archiver, do you have the time to reconstruct your inbox structure and contents?
Can you remember what your mailbox looked like last night or last week? How long would this take if you have lost your calendar items, contacts, tasks, journal items, etc.? And as noted above, email archiving doesn’t protect everything in Microsoft 365.
Disaster Recovery – Who does what?
Microsoft has a highly resilient infrastructure that rarely suffers an outage, which is good, because Microsoft is responsible for making sure your Microsoft 365 environment is always available. This makes it easy to assume that you should not have to provide a third-party disaster recovery service for Microsoft 365. Disaster recovery appears to be Microsoft’s responsibility.
Unfortunately that is not the case. Microsoft is only responsible for the Microsoft 365 infrastructure that supports your data. It is not responsible for the data in your Microsoft 365 environment. Microsoft calls this out in their Managed Services Agreement – Section 6B – “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps”
Recycle bin is not a backup
Microsoft provides a recycle bin for Exchange Online, SharePoint Online and One Drive for Business – so even without an archiver there is some native protection for these items. However, the recycle bin is not a backup. Similar to a PC recycle bin or a Mac trash can, the Microsoft 365 recycle bin is just a folder that contains items that you have deleted. You cannot do a point-in-time recovery from your deleted items folder, because this folder only holds items that were deleted and would not contain the good emails or files that you need to restore. Additionally, the maximum extended retention of the Recycle Bin is 93 days, and your items may be purged and unrecoverable after that time.
What about GDPR?
This is a great question, because even though Microsoft hosts your data in Microsoft 365 and ensures the environment is always on, they are simply custodians of your data. The responsibility of protecting the data lies with you (the customer) because the data belongs to you. If you have an Exchange email server, SharePoint server, or file server running in your data centre or Microsoft, you would almost certainly have it protected with a good data backup solution? You should think of your data in the cloud the same way you think of your data on-premises. Microsoft will keep the lights on and the platform running, but they are not backing up your data or archiving your messages! If you lose the data, you’re the one who will be in breach of GDPR.
Could I pay extra for my on-premises backup solution and backup my Microsoft 365 data to an on-premise backup server?
Yes you could, but does it really make sense? Pulling your Microsoft 365 data back from the cloud to your on-premises backup server? You moved all your Microsoft data and Exchange into the cloud to begin with when you signed up for Microsoft 365. You also need to pay for additional storage to hold these backups. And because you just got rid of your Exchange backup and your file server backup in your data centre, you also need to factor the licenses required to backup Microsoft 365 as well. I can tell you it’s much more cost effective and easier to backup your Microsoft 365 and keep it in the cloud.
Barracuda Cloud-to-Cloud Backup
That’s where Barracuda Cloud-to-Cloud Backup comes in. It can restore your whole mailbox or individual emails, contacts, and other items back to any daily revision (recovery point) very easily. Barracuda Cloud-to-Cloud Backup audits and tracks what content was backed up every time it runs an incremental backup to make it easy to put your email back to exactly how it was for the date you want it restored back to. This is what we call point-in-time recovery. It’s a complete backup solution for Microsoft 365 that operates entirely in the cloud.