How to fill in the gaps for Microsoft 365 data protection

Subha Rama, Sr. Product Marketing Manager, SaaS Apps

When I worked as a technology analyst, one of the questions that used to come up frequently in customer conversations was — what tools can we deploy to secure our enterprise perimeter? A few years down the road, the conversation has moved to a slightly different topic — how do we secure our cloud data?

My answer is, surprisingly, still the same. You can deploy a hundred security tools and still have a data breach. Just take Microsoft 365’s native security features for example. They are nothing short of impressive. A wide range of tools that span across OS, applications, endpoints/devices, identity, authentication, and data. Yet, as we discussed in part one of this blog series, the service is one of the most attacked and most breached.

If I can modify a quote from a prominent CISO — data security is more than a matter of IT. In the modern era of cloud computing, your data is dynamic, constantly moving around, shared, and flowing in and out of your organization. So, in all likelihood, there is always a chance that your data is likely to be breached. It is not a question of if but when. 

What should organizations focus on?

As we are talking about Microsoft 365, let us look at the two native options that customers have for protecting their critical data — data classification and protection, or what is popularly referred to as Data Loss Prevention (DLP), and Advanced Threat Protection (ATP), which offers a combination of rule-based and a smattering of machine learning tools to protect data residing in your Exchange Online, SharePoint, OneDrive, or Teams. from inbound attacks.

Neither of these is new, nor were they designed for the cloud. They originated from the days when Microsoft predominantly operated behind a firewall and have been repurposed to fit the cloud environment. Circling back to the earlier question of foolproof protection, there are enough examples out there to demonstrate that these are not. So what is missing in Microsoft 365 data protection?

No guarantees for data recovery 

One of the common misconceptions among Microsoft 365 customers is that Microsoft is responsible for protecting their data in the event of a breach. I invite them to go through the Microsoft SLAs for each of the applications that make up the Microsoft 365 service. You will notice that the SLA and the service credit clauses are centered around service availability and not for data loss in the event of a breach or accidental deletions. More interesting still, Microsoft does not offer any recourse to recovering your lost data. So, a key question that organizations need to ask themselves is, “If I lose my data, is there a way to recover it?”

M365 security

Source: Druva

Limitations in Microsoft 365’s DLP capabilities

Data loss can arise out of an infinite number of human errors — system misconfigurations, a typing mistake, clicking on a link when your guards are down, responding to a phishing email, or as I once did — spilling coffee on my Mac. Microsoft’s answer to data loss is to rely on a set of static rules to detect accidental data loss and encryption. Not only is this approach inefficient, but can lead to a significant disruption in end-user productivity. For example, say you configure a rule that all emails sent to a previously unknown recipient should be flagged. If you work for a law firm or a bank, or any professional organization that deals with a number of new customers every day, you would be inundated with warning messages every time you try sending an email to new customers, though these are perfectly legitimate emails being sent to perfectly legitimate recipients. 

Data immutability

Another area of confusion among Microsoft 365 users is around data storage and a true enterprise backup. I have heard business leaders say that they back up their data on OneDrive. What they really mean is that they are synchronizing the folders on their laptops/computers or mobile devices to folders in the cloud. However, this does not make your data immune to accidental or malicious deletions, ransomware encryption, or malware. To put it simply, your data is not immutable. If your data is prone to modification, then it has failed one of the critical tests of a true backup.

The key to securing your data

Every one of your security building blocks needs to be validated against the data recovery functions they support. Not just handing you multiple versions of the data in a format that needs a lot of effort from your administrators to piece together, but the ability to restore data from any point in time with file structure, metadata, and labels intact. This offers the flexibility to restore exactly what was lost and not just do a CSV data dump. The quality of the data recovered will also determine the time it takes to get you back to business or what the backup industry calls the recovery time objective (RTO).

Microsoft’s fundamental approach to data recovery is to empower users first to recover data from accidental deletion, with longer-term or admin-driven restores being a more complex process. It takes a lot to just understand the several recovery options available across the different Microsoft 365 applications and execute these for data recovery. Exchange Online alone has Search Mailbox, eDiscovery, and PowerShell cmdlets to recover data. Unlike Druva, there is no single dashboard to view, manage, govern, and restore data across multiple applications. The available options for restore all require significant configuration, taxing the scant resources of IT organizations. Another common issue is that multiple versions of the same file are stored in SharePoint and OneDrive, which can make recovery even more cumbersome.

Contrast this with the highly efficient recovery routes provided by Druva, allowing quick and granular data recovery. Searchable backups for granular file recovery significantly optimize recovery time and precision.

Protect and preserve data for eDiscovery and compliance

Preserving data of departed employees with Microsoft 365 is a hotly debated issue. Though there are some workarounds being offered (such as placing litigation holds), these are not always the most efficient ways to retain data and can have implications for data storage consumption. For example, some companies tend to place a retention policy on all data for three years from the last date they were modified. 

With a third-party data protection solution like Druva, you can preserve users until you reach the deployment limit of 110 percent of total licensed users.

Granular data recovery becomes all the more relevant in the context of eDiscovery. Microsoft offers metadata classification for SharePoint and Teams, but this does not mean you can automatically make your files easier to find or increase your search efficiency multi-fold. There is significant effort needed to get your metadata schemes planned and set up, something Druva does in an automated fashion. This becomes enormously important when you are involved in litigation. A court can summon you to produce data on short notice, which is not possible if you are simply relying on native Microsoft 365 eDiscovery tools. With Druva, there is zero wait time for accessing eDiscovery data, which helps organizations stay prepared for presenting litigation data on-demand.

I will leave you for now with one parting thought. The real value of your data protection does not lie in ensuring that you back up your data, but in how fast and accurate your recovery is. How soon can your business be up and running after suffering a data breach? How well can you curb the impact of data loss? If your data protection vendor does not pass this litmus test, it is time for you to look for another who does.

Read the new white paper, Overcome native data protection gaps in Microsoft 365, to explore the intricacies of cloud data protection for Microsoft 365, and watch the demo below for a look at how Druva addresses these challenges with its proven solution.