News/Trends, Tech/Engineering

Do You Really Need to Backup Office 365?

December 26, 2018 W. Curtis Preston, Chief Technologist

As a person who has dedicated their career to backup and recovery, one of the things I find hardest to comprehend is when someone says “X is so good, it doesn’t need to be backed up.” The biggest example lately are proponents of Office365 that suggest that it “performs backups” for you, which simply isn’t true.

Office 365 offers basic protection to deal with some of the things that could damage your data, but there are things it doesn’t protect you from, and there are side effects to some of the optional protection features. Even if you feel you are well protected, the restore might be time intensive and quite a bit more work if you don’t have a third-party backup tool. So, maybe backup is a Good Thing™ after all.

The first reason why Office 365 should be protected by a 3rd party is the age-old concept of the 3-2-1 rule of backups.  Three copies of your data on two different pieces of media, one of which should be offsite. Using Office 365 to protect itself violates every one of these basis data protection concepts. The protections built into Office 365 are built into Office 365.  It’s like backing up your laptop files to another slice on your local hard drive.  An app should be protected by something that isn’t the app.

Even Microsoft agrees. Here is what they say in their service agreement for Office 365:

Why might Microsoft say this, you ask? Because there are more ways to destroy your data, Horatio, than are dreamt of in your philosophy. (My apologies to the Bard.)

Say, for example, you accidentally delete an email, OneDrive file, or SharePoint item. Office 365 has  places where it stores deleted items that allow you to get it back for a set period of time. You just need to locate the deleted item in the Recycle Bin before it expires (and hope it wasn’t manually emptied by an admin – rogue or otherwise). But what if malware deletes files you don’t use frequently so you won’t notice the deletion? You will only be able to recover them if you notice the deletion within the specified retention period. And if you don’t notice in time – because the malware is hoping you won’t – you lose the data forever. In addition, if malware deletes hundreds or thousands of files, you will be spending quite a lot of time in the Recycle Bin locating each file and putting it back, a process some refer to as “dumpster diving,” which no one should use as their backup method.

A third party backup tool would allow you to easily find and restore as many files as you need, or even restore an entire user or folder to a point in time. One step, instead of thousands of them.

SharePoint and OneDrive do offer versioning to protect against accidental mistakes, and Office365 now enables 500 versions by default. You can check whether or not versioning is currently enabled in your account, and you can reduce or increase this number as required. While 500 versions sounds like a lot, you should know that Office 365 is continually saving versions while you are working on a document.  I’ve seen plenty of complaints about this online.

Versioning protects you from typical user errors, but malware may be able to change or encrypt your file more times than the number of versions you store, which would mean you do not have a valid version to restore. If malware really wanted to mess with you, it would encrypt all your files random numbers of times so that you’d have to dig all over time and space to find the right version. What. A. Mess.

An attacker intent on doing your company harm might also attempt to gain administrative access to your Office 365 account via phishing, social engineering, or even taking advantage of a vulnerability in Office 365 itself. A rogue admin (or well-meaning admin attempting to save space) can easily disable versioning or reduce it to a very low number. Even features like Legal Hold will not stand up to a rogue or fake administrator. This is why we backup data that matters to us, and Office 365 is no exception.

Office 365 does offer a new feature called Retention Policies that provides additional protections against some of the things mentioned above, if you use an optional feature called Retention Lock; however, there are some things you should know about these features. The first thing I’ll say is that they’re not that simple.  The “Overview” of how they work is 25 pages and over 5,000 words long. There are a variety of options in this tool, any one of which could be configured incorrectly and result in a reduction in protection.

Perhaps the most important thing to understand about retention policies is that the additional versions of files that they store are kept  in your Office 365 account, some of which is counted against the storage allocation of your account. In addition, retention policies are only effective against hackers and rogue admins if you enable Retention Lock.  It prevents bad actors from undoing the retention policy you put in place by not allowing anyone to undo a retention policy once you have activated retention lock.  The downside is that you can never undo this change.  If you use up your storage allocation, you will be required to buy however much additional storage you need, at whatever price Microsoft wants to charge you for it.

Another problem with retention lock is what happens if you get a right to be forgotten request from GDPR or California’s upcoming CCPA.  By design, there is no way to satisfy these requests. This is a potential very serious side effect of using Office 365 to protect itself.

With SharePoint and OneDrive data, the extra versions you will keep go directly against your main storage allocation. (This is why there was an uproar in the online community when Microsoft enabled 500 versions by default. It was seen as forcing customers to increase their storage allocation, which they now have to pay for.)  Imagine how much storage you will need if you store every version of every file for multiple years; it will significantly increase the amount of storage you need for Office 365.

The  impact of using Retention Policies is different with Exchange Online. When you have a retention policy, deleted emails are moved into a 100 GB archive folder.  If that folder fills up, you are given another 100 GB archive folder, and so on. At this time, you are not charged for this additional storage, but that could change in the future. And the more archive folders you have, the harder it is to find old emails. You cannot search across your entire account; you must search within each archive folder.  A 3rd party backup and long-term-retention system would allow you to easily search across your entire account.

There are also limitations to what retention policies can restore. For example, with SharePoint they can’t restore deleted list columns. The only option to restore those would be a complete site restore – more on that later. With Exchange Online they can’t do a point-in-time restore of a mailbox.  I read on Spiceworks the other day of an admin that had accidentally corrupted one user’s mailbox by uploading another user’s PST file to it. (Their first names were the same.) If all you have is retention policies, there is no way to undo this change, short of manually deleting the hundreds of emails and calendar entries for the other users.  But if you used a 3rd party tool, you could easily restore that user to just before an event that corrupted an entire mailbox.

Retention Policies also do not address legal hold requirements.  Yes, Office 365 does have a legal hold capability, but it requires many steps to activate, and can be easily deactivated by a rogue administrator. More importantly, all it does is lock the data of a user.  It does nothing to cull the data and prepare it for the e-discovery process. A 3rd party backup tool can do all of that much simpler than Office 365 can.

The “anti-backup” crowd

In Office 365 for IT pros, by Tony Redmond, Paul Robichaux, et al, there is a chapter, “Backup for Office 365” which starts with the sentence (emphasis mine) “Backup for Office 365 data isn’t strictly necessary.”. Although the author seems to be arguing against backups, I believe a few quotes from the chapter will actually prove my point (again, emphasis mine):

“Many companies believe that backups are a good thing because they would like to have a method of restoring data should the need arise. … to go back to a specific time in case a tenant is infected with ransomware … to meet regulatory requirements … have multiple copies of important corporate data outside the control of a single provider. The ability to recover from administrator error…. If [users] make a mistake and if they don’t [recover deleted items] before the retention period, they won’t be able to retrieve the data.” He says that “Office 365 includes mechanisms to address some but not all of these requirements.” That seems like a whole lot of reasons to backup!

He also mentions that Microsoft backs up your SharePoint site every 12 hours, but that “a full restore of a site collection [which overwrites your entire site] is the only option.” You will have to download from the current site any data you need to keep. You will be responsible for determining which recovery point to use, and “determining that time can be quite a challenge.” That sounds like a huge operation and a big risk of lost data from recent work.  This system has two levels of granularity: Site collection and subsite. If you only need to restore a folder within a single user, there is no way to do this. I spoke directly to Microsoft about this process, and they said it could take anywhere from a few hours to a few weeks, although weeks was considered the exception. Microsoft also verified that there is no SLA for recovery; it is a best effort process. Compare that to the five 9s of durability you get from Druva inSync.

As to versioning, Tony Redmond verifies that administrators can “disable versioning or limit the number of versions of an item to keep.” (So it does not protect you against a rogue or unauthorized admin, unless you use a retention policy with a retention lock.) He also says “if a virus or ransomware attack hits a tenant and infects all the files in a library, it might be possible to redress much [but not at all] of the damage by restoring the previous version.” He references a PowerShell Script that can help you with that, but there are multiple comments on that site from people that experienced the kinds of scenarios mentioned above.

The author’s final sentence in the “Backup for Sharepoint” section is, “recovering from a virus infestation or malicious deletion is likely to be easier with a third-party backup.” So, even if Office 365 is able to restore your deleted or corrupted data, it is likely going to be much easier with a third-party backup tool.

Summary

In summary, there are a lot of good reasons to backup Office 365.  Using a 3rd party service like Druva inSync to protect your Office 365 will be easier to use, safer from hackers and rogue admins, and might even cost less expensive than the alternatives, once you consider the extra storage requirements of using retention periods and retention locks.  Most importantly, recoveries can be at any level of granularity (e.g. email, file, folder, user, site, or subsite) and they come with a durability guarantee not offered by Microsoft. Microsoft says you should use a 3rd party service to backup Office 365 and we agree.

Learn more about how Druva can help close the gaps In Office 365 data protection.