Microsoft Teams data protection and recovery — your questions answered

Vanessa Toves, Microsoft 365 Solution Architect

While the cloud has long enabled efficient collaboration between workers, amid the ongoing global pandemic, many corporations, governments, organizations, and institutions are relying heavily on these SaaS-based applications, such as Microsoft 365 , for the management of their business-critical data. Microsoft Teams is a proprietary business communication platform and part of the Microsoft 365 family of products. Teams offers workspace chat and videoconferencing, file storage, and application integration, and is a replacement for other Microsoft-operated business collaboration platforms, such as Skype for Business and Microsoft Classroom. Throughout the global pandemic, Microsoft Teams has become a de-facto leader in the business communication space as the typical workplace environment has shifted to a virtual environment.

We recently spoke with Vanessa Toves, Druva’s Microsoft 365 Solution Architect, on the complexities of protecting Microsoft Teams data in the enterprise environment. In the Q&A below, Vanessa breaks down some of today’s pressing questions regarding Microsoft Teams data protection and recovery.

What do companies use Microsoft Teams for?

Companies use Microsoft Teams for a number of purposes. It depends on where an organization is with how it uses the Microsoft 365 family of products.

For companies that used Skype for Business, they looked to Microsoft Teams to replace that functionality. It took a while for many of the core features to be baked into Microsoft Teams, and for larger organizations to replace Skype for Business. Those core features are chat, phone replacement (VoIP), and video conferencing. You have to remember that there were manufacturers that made devices to work specifically for the original Microsoft applications that supported this functionality — Lync and Skype for Business. Not everything was plug and play with Microsoft Teams. If a company had hundreds or thousands of desktop phones that weren’t compatible with Microsoft Teams, it was a barrier to that transition. Ultimately, the companies that had no hardware connection to Skype for Business found it much easier to jump into the core functionality Microsoft Teams had to offer.

Microsoft Teams data protection and recovery

File management falls into the next phases of how a company would use Microsoft Teams. There’s still a progression with that as well — “This is where we save our files.” It may not represent true “collaboration,” but for companies that saved files on their desktops and shared them via email, it was a much needed improvement. For companies or organizations that had a file share, it was a replacement for that technology. They moved from the “Save it on the X drive” mentality to using the cloud storage in Microsoft Teams. 

Once a company is in Microsoft Teams, they are able to see and use the collaborative functions around the files they were saving. “Collaboration” features have been around a while and have been improving over time, but not many people actually took advantage of editing a document in SharePoint vs. downloading it first. If you weren’t aware, SharePoint, among other things, is the backend storage for Microsoft Teams. Collaborative features have been elevated by Microsoft Teams.

As Microsoft Teams becomes increasingly adopted by a company, they will typically find users stumbling across other apps and bringing those apps into their different teams or channels. Some companies have the support needed to roll out training and help employees learn more about the features of Microsoft Teams, while others don’t have the time or support needed. With the latter, it is often left to the users to explore and self serve.

Centralized hub for collaboration

This is where Microsoft Teams makes a transition to be the central hub of where work is done. As other associated apps to the team are brought in, and as third-party apps (integrated or not) are brought into the team, the employee often begins to rely upon Microsoft Teams more. The only other app that is relied upon more is Outlook. As processes are replaced or created with solutions within Microsoft Teams, the employee shifts where they work. Less files need to be downloaded, and more work can be accomplished in the app, or browser, of Microsoft Teams.

Can you talk about security and compliance for Microsoft Teams?

This is a key topic. I would start by asking a company about their overall approach to security or compliance and if there is a tie into Microsoft 365 — there should be a correlation. If there is a security policy or a compliance policy where information is concerned, companies should align those policies with how Microsoft 365 is configured. 

If a company has a CSO, infosec, information security team, etc., the policies created by those teams could be enforced within Microsoft 365; otherwise, there is a large part of information that is not adhering to those policies. I would challenge anyone responsible for creating security or compliance policies to understand how Microsoft 365 enables them. To some extent, I also believe that those groups should “own” that part of the Microsoft 365 administration.

A key transformation comes when a company adopts a data classification model and aligns it with the security and compliance features of Microsoft 365. Companies that define their data classification model can use Microsoft 365 services to help enforce the model. Similar to the training provided to employees about phishing emails, the same investment in training is needed to educate employees about data security and the classification model. 

To your original question of Microsoft Teams’ security and compliance, it becomes a responsibility of the tenant. I would recommend a company think about Microsoft 365 security and compliance first before they think about just Microsoft Teams. 

How can a company maintain control over Microsoft Teams while still allowing for open collaboration?

This question applies to so many other applications beyond Microsoft Teams. It’s hard to find a balance between the control the administration must have and the ability of the employee to use all aspects of an application to help get work done. In some cases, the control needed is driven by policies where the admin has no influence. The initial answer lies with how a company addresses security and compliance. Some companies have Microsoft Teams locked down and only a small set of admins can create groups or teams. This doesn’t stop the users from leveraging Microsoft Teams to be collaborative. 

Microsoft Teams data protection and recovery

For many years, I’ve recommended companies put in place a review of SharePoint sites, and now SharePoint sites related to Microsoft Teams as well. If no one has been to that site in six months, is the content still needed? Does it need to be kept? Does it need to be moved somewhere else? Who are the owners of the content? There are tasks that the admins can do to maintain “control” while still allowing users to create freely.

Microsoft Teams data protection and recovery

Are companies being strategic about how they use Microsoft Teams?

To be strategic, one must have a vision and a plan. Microsoft Teams is a technology we use for audio and video conferencing. That could be a vision statement, and all a company needs to do is enable it for the organization and send out an email. So, the word “strategic” is dependent on who has the vision and what the vision is. 

Companies that look beyond the features of online meetings and chat, and consider the employee experience can state a completely different vision. My sister owns Common Cider Company, and I took them into Office 365 early in their life as a company. She made this statement, “I want our sales team to be able to access all the sales data in Teams. It needs to be easy and they can do it from their phone.” That vision statement drove the first initiative for how they were being strategic with their sales data, Microsoft Teams, and the employee experience. 

In the case of Common Cider Company, as a strategic move, they looked at how Microsoft Teams could help their sales team in the field. There are numerous business problems that could be addressed or alleviated by building a solution within Microsoft Teams. The first step towards being strategic is asking the question, “What problems do we have and can Microsoft Teams help us solve those problems?”

Is Microsoft Teams safe from data loss?

I think the better way to ask this question is, “Can a company experience data loss with Microsoft Teams?” 

As an application that is part of a bigger platform, Microsoft doesn’t “own” the data, so any loss experienced would be that of the subscriber. 

As a platform, it’s growing and will continue to grow, but like any applications that hold business data, it’s not perfect. In the early days of Microsoft 365, there were times I would go back to a SharePoint site and something I fixed the day before was back in place. It almost felt as if the SharePoint site had been restored from a backup. It’s been a couple of years since something like that has happened. The platform is more stable today than it was last year or five years ago. 

As for the data, I think the loss of data would be more rooted in the admins, users with access, and yes, people with intent to do the company harm. 

How can a company protect their information in Microsoft Teams?

As a solution architect, I’ve designed solutions within the Microsoft ecosystem that typically included multiple applications. Solutions weren’t always built using any one app. I believe the same applies to protection of information for Microsoft 365. The security and compliance of Microsoft 365 is unparalleled, but companies don’t always take advantage of what is available. Microsoft’s assumed breach methodology is in place to help their customers do everything possible to keep their information safe, but customers have the responsibility to build upon this foundation.

It was never a question that a company protect their investment, infrastructure, and content behind the firewall. They backed up their VMs, their SQL Servers, their file servers, etc. They did so because they needed to recover from situations they didn’t anticipate or consider.

The same should apply to the content within Microsoft 365. With the widespread adoption of Microsoft Teams over the last year, the importance of being able to recover information in Microsoft Teams can’t be overstated. Using a data protection platform such as those offered by Druva should be part of how an organization maintains control and supports security and compliance requirements. As an organization explores how Microsoft Teams can help in its business goals, it will need to take measures to ensure it can recover from harmful acts, whether intentional or unintentional, such as ransomware

Do you have any parting thoughts you’d like to share about Microsoft Teams?

I have many, but I’ll keep it to one.  I’m not fond of private channels. I believe that every Microsoft Team created should have a purpose and the users with access to that team be able to see and interact with any information in the team. The purpose stated drives what is there and the model of security for that information. So, if the purpose changes and now there are several private channels with different purposes, each one of those private channels has lost the ability to take advantage of what an independent team could do. As an architect, I consider things like data classification, security models, and the end-user experience; so instead of having one Microsoft Team for marketing that has a private channel for managers, just create another team for marketing managers. I could go into more detail about this topic, but I’ll save it for a different session.

Looking to further explore how to enhance workplace productivity and address data protection gaps with Microsoft 365? Download our cloud architect’s guide for tips on transforming your Microsoft 365 strategy.