Microsoft 365 Backup: What is the Shared Responsibility Model?

The adoption of Microsoft 365 has become more and more prevalent as companies move to hybrid and remote work environments and embrace digital transformation. With this shift to cloud and SaaS-based applications comes an increased data protection and security risk. More and more companies are adopting third-party backup for their Microsoft 365 environments, but Veeam found that, surprisingly, 71% of businesses were still unprotected. The common misconception that Microsoft fully backs up data regularly on a user’s behalf can damage organizations.

While Microsoft 365 provides users with comprehensive services, regular data backup is not one of them. Regarding Microsoft 365 backup, Microsoft employs a limited shared responsibility model. Microsoft’s primary responsibilities are all focused on keeping their global infrastructure up and running, delivering uptime reliably, and enabling the productivity of their users around the globe. They guarantee maximum uptime for the infrastructure and software that hosts M365. They also provide access controls, including multi-factor authentication and password-based authentication. Microsoft configures and manages the infrastructure that hosts M365, including protection against electrical failures, natural disasters, physical security against unauthorized access, and other possible service disruptions.

Additionally, Microsoft 365 has built-in data replication, which provides data center-to-data center redundancy. If something goes wrong in one of Microsoft’s global data centers, they can fail over to their replication target without end users’ data being affected. However, replication is not the same as a backup. A replica is data that is continuously or near-continuously replicated to a second site, but there are issues with a replication-only data protection strategy. For example, deleted and corrupt data are replicated along with good data, which means that the replicated data can also be corrupted or deleted. This is why it is essential to have a backup solution alongside replication.

In summary, Microsoft’s portion of shared responsibility focuses on providing secure infrastructure with data centers capable of replication and redundancy, ensuring uptime and privacy to their global clients in case of natural disasters, power outages or other unforeseen circumstances that lead to downtime.

Conversely, the primary responsibility for managing information & data, accounts & identities, and devices (mobile & PCs) falls onto the customer. Although Microsoft covers a wide variety of services in their shared responsibility model, users will need to guard against the following risks in M365:

Accidental Data Deletion: Microsoft provides tools such as the recycle bin to prevent accidental data loss, but the data in the recycle bin is only stored temporarily before being lost. Data replicated by Microsoft also isn’t protected against accidental data deletion because copies of the files will also be deleted in the replica.

Cybersecurity Threats: External or internal threats could deliberately delete data or encrypt data and hold it for ransom if they gained access to Microsoft 365 credentials. In the case of a ransomware attack, Microsoft 365’s automatic replication would not protect data from being encrypted and held for ransom, whereas a backup solution would.

Regulatory Compliance: Sensitive data stored in M365 must be managed to comply with regulatory policies for data governance. Many industries have legal obligations to retain data for a certain period and to delete data after a certain period.

Data Retention: Users must ensure that they retain data in M365 for periods specified by regulatory laws or internal company policies. They also may need to delete data after a certain period for the same reasons. Inactive accounts will have their data automatically deleted after 90 days, which may not be enough time to ensure compliance or access essential data from the inactive account. For example, if your CFO had necessary invoices in their M365 account and left the company, others may lose access to the invoices after the 90-day deletion period. Optionally, companies could continue paying for a license associated with an inactive account, but that could be very costly. 

To summarize, in the shared responsibility model, users are responsible for managing and securing their data and information and meeting compliance regulations. Backup solutions are a great way to mitigate the potential risks mentioned above. Without a backup of Microsoft 365, users have limited access and control of their data.

Backup solutions help protect data from accidental deletion, hardware failure, software glitches or malicious activities such as ransomware attacks that lead to critical data loss or encryption. Backups can allow deleted data to be restored and protected from permanent loss in case of these unforeseen events. In addition, regular backups make it easy to meet data retention policies and regulatory compliance. Advanced backup solutions allow users to create data life cycles to delete data automatically when regulations no longer require it. Data backups also ensure business continuity by minimizing downtime and enabling quick recovery in the case of corrupted or inaccessible data.

Regular data backups combined with Microsoft 365 can offer organizations peace of mind knowing their data is protected. Reducing stress and uncertainty of potential data loss enables users to focus on their work without worrying about irretrievable loss.

Microsoft 365 users must note that while M365 offers specific data protection mechanisms, including retention policies and recycle bins, these are not foolproof solutions for comprehensive data backup and recovery. Implementing additional backup strategies, either through built-in Microsoft 365 backup solutions or third-party services, provides an extra layer of protection and ensures the long-term safety of your data.
