In a previous post titled “6 reasons backing up Office 365 is VITAL” we mentioned the Microsoft Shared responsibility model, but we didn’t go into any more detail than that. We’ve also claimed it to be the “we aren’t responsible model” although that may be a slight exaggeration… In any case, we thought it would be worth diving a bit deeper into what is and what isn’t covered by Microsoft, regarding backups, to allow you to make informed decisions on your O365 backups.
The information in this article is based on Microsoft’s own Office 365 Trust Center, if you would like to take a look for yourself.
What is the Microsoft Shared responsibility model and what do they leave to you?
Microsoft’s main responsibility with Office 365 is to keep the infrastructure running. There are over 200 million monthly active users around the world, so it’s not an easy job.
The responsibility of an IT organisation (or the IT team within a company) is to provide complete access and control of data, no matter where it lies. Microsoft do not take any responsibility when it comes to looking after data.
Do Microsoft provide the necessary tools to allow you to look after data?
Office 365 does include data replication, which provides data center to data center georedundancy. Microsoft need to provide this as part of maintaining their infrastructure: if something goes wrong at one of their data centers, they can fail over to another one, normally without users noticing any difference.
However, it is important to note that this is not a backup; it’s a replica. On top of this it isn’t your replica, it is Microsoft’s replica. So what’s the difference between a backup and a replica? Are they not both just copies of the data? Not exactly. A replica is definitely important, which is why all of our backups are replicated as standard, but it would be a very risky strategy to just rely on backups. For example, if your data is corrupted, deleted or subject to a virus, the replica will also be hit with the same issue.
A backup would not be affected in the same way as a replica, because it holds the data as it was at an exact point in time.
To be fully protected you need both replication and backups.
What about security?
Again, Microsoft are responsible for security at the infrastructure level. They need to protect the physical data centers and ensure they provide the tools for authentication and identification within the cloud services.
The IT organisation are responsible for security at the data level. There are many security risks here, which we have covered countless times before, including ransomware, rogue admins, accidental deletion and much more.
Legal and compliance requirements?
In the Office 365 Trust Center, Microsoft are very clear that they are to be seen as a data processor. They focus on data privacy and are fully qualified and certified to do so, but this means they aren’t covering a lot of things that do need to be covered from a legal and compliance standpoint. This covers things such as granular control on retention periods, access requirements, HR requirements and those specific to different industries.
Companies are putting their trust into O365 to cover them on mishaps with data, but it’s simply not the case, even by their own admission. In a recent survey, over 80% of IT professionals had experienced some form of data loss in O365 and 75% of IT professionals do not have data backed up. Do the math!
Get in touch with backup professionals before it’s too late!