It has become apparent that many Microsoft partners and consumers genuinely do not understand the need for backup and recovery services for their Office 365 deployments. Even our own research highlighted that nearly 40% of survey respondents believed that Microsoft provides everything they need to protect their Office 365 environment. I genuinely believe that this lack of understanding comes from two issues:
- Customers are not familiar with the distinction between email archiving and data protection
- Customers believe that Microsoft’s highly resilient Software as a Service (SaaS) offering protects all data and applications
The Barracuda Cloud Archiving Service provides a complete solution solution for Office 365. Get a free trial of this SaaS solution here
Microsoft can provide email archiving for Office 365, but it may not be the best service in terms of features and functionality, or the most cost effective in terms of value for money. The archiving service from Microsoft can get expensive depending on which services you purchase. For example, , if you have the standard E3 or lower Office 365 Bundles, Microsoft will charge you £2.30 (2.5 Euro) per user per month to add the archiving service to your Office 365 Plan; or if you have deeper pockets you can get it included with the E5 Plan for approximately $35.00 (£28.00) per user per month (total cost for Office 365 per user).
Email archiving provides eDiscovery, regulatory compliance, and legal protection of your email data. Put simply, it captures every email that has been sent and received by your organisation, and ensures that these messages can be found and retrieved. A good archiving solution also has the following qualities:
- The archived emails and attachments cannot be changed or manipulated.
- Items can be retrieved by using clever searches grouped together or complex searches called “Tags”
- Search results can be placed into Legal Hold so that they are not purged and can be easily retrieved as needed. This feature is most often used for compliance audits, litigation, or related reasons.
- End-users are able to search and retrieve their own messages as needed, according to the policies configured by the System Administrator.
I strongly recommend that all businesses have a good email archiving solution in place to protect the company from potential compliance and legal incidents. The risk of not having an archiving solution in place leaves a company wide open and exposed to any legal ramification that relies on email evidence.
Email archiving is not a backup
Even if you have email archiving services in place, you should still maintain a backup and recovery solution for Office 365. Archiving can hold and retrieve specific messages, but it cannot restore a complete mailbox and all of its contents to a single point in time. Imagine the following scenarios:
- Somebody hacks your Office 365 account, deletes everything in your mailbox, and empties the recycle bin. This type of deletion is common during account takeover attacks, so that there is less evidence of the attack left behind.
- You accidentally delete a sub folder containing important work email and various documents (attachments). You may not notice this straight away as often you have lots of sub folders in your mailbox and this type of thing is easy to do by mistake on your phone.
- A former employee’s account was deleted and you realize you need to restore his mailbox. Using an email archiver for this task would be tedious and require multiple steps outside of the archiver.
- A cyberattack, a human error, or a catastrophic event has caused data loss in OneDrive for Business, SharePoint Online, or Microsoft Teams. Email archiving does not store this content.
With an archiving solution you could search and retrieve specific email items from the archive, but even if you knew what to retrieve from the archiver, do you have the time to reconstruct your inbox structure and contents? Can you remember what your mailbox looked like last night or last week? How long would this take if you have lost your calendar items, contacts, tasks, journal items, etc.? And as noted above, email archiving doesn’t protect everything in Office 365.
Disaster Recovery – Who does what?
Microsoft has a highly resilient infrastructure that rarely suffers an outage, which is good, because Microsoft is responsible for making sure your Office 365 environment is always available. This makes it easy to assume that you should not have to provide a third-party disaster recovery service for Office 365. Disaster recovery appears to be Microsoft’s responsibility.
Unfortunately that is not the case. Microsoft is only responsible for the Office 365 infrastructure that supports your data. It is not responsible for the data in your Office 365 environment. Microsoft calls this out in their service agreement – “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps”Archiving? Not backup. Recycle bin? Not backup? Take a closer look at how to protect your #Office365 dataClick To Tweet
Recycle bin is not a backup
Microsoft provides a recycle bin for Exchange Online, SharePoint Online and One Drive for Business – so even without an archiver there is some native protection for these items. However, the recycle bin is not a backup. Similar to a PC recycle bin or a Mac trash can, the Office 365 recycle bin is just a folder that contains items that you have deleted. You cannot do a point-in-time recovery from your deleted items folder, because this folder only holds items that were deleted and would not contain the good emails or files that you need to restore. Additionally, the maximum extended retention of the Recycle Bin is 93 days, and your items may be purged and unrecoverable after that time.
What about GDPR?
This is a great question, because even though Microsoft hosts your data in Office 365 and ensures the environment is always on, they are simply custodians of your data. The responsibility of protecting the data lies with you (the customer) because the data belongs to you.
If you have an Exchange email server, SharePoint server, or file server running in your data centre or office, you would almost certainly have it protected with a good data backup solution? You should think of your data in the cloud the same way you think of your data on-premises. Microsoft will keep the lights on and the platform running, but they are not backing up your data or archiving your messages! If you lose the data, you’re the one who will be in breach of GDPR.
Could I pay extra for my on-premises backup solution and backup my Office 365 data to an on-premise backup server?
Yes you could, but does it really make sense? Pulling your Office 365 data back from the cloud to your on-premises backup server? You moved all your office data and Exchange into the cloud to begin with when you signed up for Office 365. You also need to pay for additional storage to hold these backups? And you just got rid of your exchange backup and your file server backup in your data centre, you also need to factor the licenses required to backup office 365 as well? I can tell you it’s much more cost effective and easier to backup your Office 365 and keep it in the cloud.
Barracuda Cloud-to-Cloud Backup
That’s where Barracuda Cloud-to-Cloud Backup (CCB) comes in. It can restore your whole mailbox or individual emails, contacts, and other items back to any daily revision (recovery point) very easily. CCB audits and tracks what content was backed up every time it runs an incremental backup to make it easy to put your email back to exactly how it was for the date you want it restored back to, this is what we call point-in-time recovery. It’s a complete backup solution for Microsoft Office 365 that operates entirely in the cloud.
You really should have an integrated Cloud-to-Cloud Backup of your Office 365 data. GDPR compliance requires you to have the software and policies in place to protect your business and employees. For the most comprehensive protection, you should have both an archiving solution and a backup solution in place.
Remember, the data held in the Microsoft Cloud is just like the data in a data centre or on-premises. You still need to back it up and protect it.
Learn more about the difference between backup and archiving for Office 365 in this whitepaper.
Charlie Smith is a Consultant Solutions Engineer specialising in Data Protection and Disaster Recovery, with over 22 years’ experience designing and architecting both on-premises and cloud-based solutions, he helps organisations mitigate against the risk to data loss, ransomware and malware attacks. Charlie works closely with regional sales and SE teams who utilise his knowledge and expertise to support and drive data protection projects across EMEA for Barracuda.