Best practices — Microsoft Exchange Online and OneDrive protection

Stephen Manley, CTO

Your organization uses Microsoft 365, will soon use Microsoft 365, or is considering using Microsoft 365. Organizations of every size in every industry in every part of the world need email, home directories, messaging, and collaboration tools, but there is no business advantage to running those services yourself, so your organization is turning to software-as-a-service (SaaS) solutions. 

The business value of Microsoft 365 comes not from the technology itself, but the information your users create, exchange, and store. Microsoft provides a resilient service, but the data is still your responsibility. 

In this blog, we’ll share our best practices for building an active protection solution for the data in Microsoft Exchange Online and Microsoft OneDrive, including how to manage the transition from on-premises environments, and how to lay the groundwork for protecting future services like Microsoft SharePoint Online and Microsoft Teams. 

Why you should protect the data in Microsoft 365

Your data is your responsibility. Whether the data is in a VM on VMware Cloud, on AWS, Amazon Aurora, or Microsoft 365, it is your data and you need to protect it. The reliable, resilient services provided by VMware, AWS, and Microsoft are not the same as data protection. 

The hardware and software may “disappear” into the cloud, but the threats and regulations do not. Cyber-attackers can break into your environment and corrupt and delete data in Microsoft 365 just as easily as they did servers and NAS systems. Rogue employees can still destroy environments. Privacy regulations like GDPR, industry-specific regulations like HIPAA, and corporate best practices guidance still apply to data in Microsoft 365. In fact, Microsoft 365 creates new compliance issues. Since the data resides in the cloud, you can’t just store a closet full of laptops from departed employees. 

Data protection requirements don’t disappear when you adopt Microsoft 365 — they just evolve. 

The basics

Microsoft 365 data protection best practices begin with the fundamentals of data protection. 

First, follow the “3-2-1 rule.” You need at least three backup copies of your data, on two types of media, with at least one copy offsite. Since the data resides in the Microsoft cloud, we recommend storing the data either in another cloud or on your premises. 

Second, consider data residency requirements. Users can put any type of data in Microsoft OneDrive, including information that is subject to local restrictions. Therefore, it is important to ensure that your backups are not sending the data into locations that violate regional laws. Druva recently announced multi-geo support for the protection of Microsoft 365 data, including SharePoint and Teams. This functionality delivers visibility and management across all remote sites, enabling customers to easily meet data residency requirements. Read more about this functionality in our blog.

Third, factor in API limits. Virtually all SaaS applications place a limit on the number of API calls you can make in a time period. Since backups generate a large number of reads, you can hit API limits on those that affect your application. Therefore, it is important to stagger your protection process. 

Microsoft Exchange Online protection

To protect Microsoft Exchange Online, you need to think beyond passive backup and recovery and embrace active protection with security, eDiscovery, and compliance.

  • Protect everything — mailboxes, contacts, calendars, emails, attachments, tasks, and the recoverable items folders. When something goes wrong, users want to recover the environment as it was.
  • Ensure you can search for and put a legal hold on emails because there will come a day when eDiscovery matters.
  • Scan emails for data compliance risks, so you can be aware of potential issues and address them before they become a problem. 

To protect Microsoft Exchange Online, it is not sufficient to have passive backups, sitting on idle storage. You need an active protection environment — one that brings dynamic compute and storage resources together.

Microsoft OneDrive protection

As unstructured data continues to explode, more organizations are shifting their home directories and small projects from NAS systems to Microsoft OneDrive. While the move helps manage user data, they struggle with unstructured data sprawl. They must protect:

  • Microsoft OneDrive, on-premises NAS, cloud NAS — Most customers still run many workloads on their NAS systems — including technical applications, custom applications, and high-performance computing. Some are even adding cloud NAS offerings to their portfolio. Regardless of where it lives, all the data needs to be protected.
  • Historical backups — Unstructured data often has significantly longer retention periods than structured data. Just because the active data migrated to OneDrive, the backup copies are still associated with the NAS system. Organizations need to map between the old and new. 

We do not recommend protecting Microsoft OneDrive in isolation because it is only a part of your unstructured data infrastructure and does not contain the complete history of your data.

We recommend treating Microsoft OneDrive as one component of your environment’s unstructured data. You want to connect all your unstructured data with a common policy definition, data catalog, and the flexibility to evolve as your environment does — retaining the historical backups, even as the data migrates. 

Protecting SaaS with SaaS

Most of our customers start with Microsoft Exchange Online and Microsoft OneDrive, but they quickly move to Microsoft SharePoint Online and Microsoft Teams.

Therefore, Microsoft 365 is not only going to be a part of your environment, but an increasingly large and important service provider to your organization. Now is the time to lay a solid foundation for protecting Microsoft 365. 

There is only one environment with the flexibility to handle unstructured data sprawl, on-demand expansion, and active data management — the cloud. Furthermore, there is only one way to manage the myriad of compliance regulations, requirements, and recovery requests that comes with a SaaS data environment — SaaS data protection. 

Thus, the final best practice for data protection of Microsoft 365 is simple — don’t try to do it yourself. You moved your workloads to SaaS for a reason — move your data protection to SaaS for those same reasons. 

The future is coming

Microsoft 365 is the latest in a series of SaaS offerings allowing you to focus on your business, and SaaS will continue to expand. While SaaS can simplify your environment, you are still responsible for your data. 

There are four basic steps to meet best practices for Microsoft 365 protection:

  1. Convince your organization that it must protect the data in Microsoft 365 
  2. Apply the standard protection practices 
  3. Build an active protection environment for Microsoft Exchange Online, so you can support recovery, eDiscovery, compliance, and archival 
  4. Integrate Microsoft OneDrive in a comprehensive unstructured data protection solution, so that no matter where your data is stored, created, or accessed, it will always be safe 

We believe that the best way for you to achieve best practices for Microsoft 365 data protection is to start with Druva. If SaaS solves your production data challenges, why not try it for your data protection challenges? For an in-depth look at how Druva comprehensively protects Microsoft 365 data, we invite you to watch the demo below.