Druva Blog > News/Trends, Tech/Engineering


Do You Really Need to Backup Office 365?

There are a few scenarios where an Office 365 backup is needed, but those scenarios don’t happen to most companies. If it does happen to you, you’ll be relieved you did a backup, but how do you know if you need a backup at all? All you need to do is find out in advance whether or not you are “most companies.” That shouldn’t be too hard…right?

Office 365 offers basic protection to deal with some of the things that could damage your data, but there are things it doesn’t protect you from. Even if you feel you are well protected, the restore might be time intensive and quite a bit more work if you don’t have a third-party backup tool. So, maybe backup is a Good Idea™ after all.

If, for example, you accidentally delete an email, OneDrive file, or SharePoint item, Office 365 has a Recycle Bin that allows you to get it back for a set period of time. You just need to locate the deleted item in the Recycle Bin before it expires (and hope it wasn’t manually emptied by an admin – rogue or otherwise). But what if malware deletes files you don’t use frequently so you won’t notice the deletion? You will only be able to recover them if you notice the deletion within the specified retention period. And if you don’t notice in time – because the malware is hoping you won’t – you lose the data forever. In addition, if malware deletes hundreds or thousands of files, you will be spending quite a lot of time in the Recycle Bin locating each file and putting it back, since Office 365 can only restore a single file at a time. Many refer to this method of recovery as “dumpster diving,” which no one should use as their backup method.

There is no easy method to restore your entire account to the way it looked just before an attack happened…unless you back it up. Then you can simply specify a user or folder and what point in time it needs to be restored to.  One step, instead of thousands of them.

SharePoint and OneDrive also offer versioning to protect against accidental mistakes. Versioning is enabled by default in newer Office 365 accounts, but may not be enabled in your account if you’ve had Office 365 for a while. You can check whether or not versioning is currently enabled. This protects you from typical user errors, but malware may be able to  change or encrypt your file more times than the number of versions you store.

An attacker intent on doing your company harm might also attempt to gain administrative access to your Office 365 account via phishing, social engineering, or even taking advantage of a vulnerability in Office 365 itself. A rogue admin can easily disable versioning. Even features like Legal Hold – which some people use for extended retention – will not stand up to a rogue or fake administrator. This is why we backup data that matters to us, and Office 365 is no exception.

In Office 365 for IT pros, by Tony Redmond, et al, there is a chapter, “Backup for Office 365” which starts with the sentence (emphasis mine) “Backup for Office 365 data isn’t strictly necessary.” Although the author seems to be arguing against backups, I believe a few quotes from the chapter will actually prove my point (again, emphasis mine):

“Many companies believe that backups are a good thing because they would like to have a method of restoring data should the need arise. … to go back to a specific time in case a tenant is infected with ransomware … to meet regulatory requirements … have multiple copies of important corporate data outside the control of a single provider. The ability to recover from administrator error…. If [users] make a mistake and if they don’t [recover deleted items] before the retention period, they won’t be able to retrieve the data.” He says that “Office 365 includes mechanisms to address some but not all of these requirements.” That seems like a whole lot of reasons to backup!

He also mentions that Microsoft backs up your SharePoint site every 12 hours, but that “a full restore of a site collection [which overwrites your entire site] is the only option.” You will have to download from the current site any data you need to keep. You will be responsible for determining which recovery point to use, and “determining that time can be quite a challenge.” That sounds like a huge operation and a big risk of lost data from recent work.

As to versioning, he verifies that administrators can “disable versioning or limit the number of versions of an item to keep.” (So it does not protect you against a rogue or unauthorized admin.) He also says “if a virus or ransomware attack hits a tenant and infects all the files in a library, it might be possible to redress much [but not at all] of the damage by restoring the previous version.” He references a PowerShell Script that can help you with that, but there are multiple comments on that site from people that experienced the kinds of scenarios mentioned above.

The author’s final sentence in the “Backup for Sharepoint” section is, “recovering from a virus infestation or malicious deletion is likely to be easier with a third-party backup.” So, even if Office 365 is able to restore your deleted or corrupted data, it is likely going to be much easier with a third-party backup tool.

Let’s return to the original premise of the article – do you need to backup Office 365? The answer could be no, as long as:

  • None of your admins become disgruntled employees, as admins can defeat all previously mentioned safeguards
  • No one steals your admin credentials and does the same thing
  • No one leverages a security vulnerability to gain admin access to your Office 365 account
  • None of your user’s files are deleted and not noticed before they expire out of the recycle bin
  • A rogue admin doesn’t disable versioning on your SharePoint/OneDrive data
  • Your organization isn’t attacked by a sophisticated malware tool designed to confuse versioning
  • Data is not discretely deleted so as not to be recognized during the recovery window
  • You’re OK with resetting your entire SharePoint site – and losing any recent data – if you get hit by an aggressive ransomware attack

So, as long as you know for sure that none of the above is going to happen to your company, you’ll be fine. “Most” companies won’t have any of these problems, right? All you need is a 100% ability to predict the future, like a TARDIS or something, and you’ll be fine. Of course, based on this logic, most companies don’t need a DR plan, either. That can’t be right.

Learn more about how Druva can help close the gaps In Office 365 data protection.


Leave a reply

Your email address will not be published. Required fields are marked *