Solidify your Microsoft 365 business strategy

In a recent Barracuda survey conducted early this year, which looked at the state of backup and recovery inside Office 365, the survey found that 70% of organisations indicated that they were relying solely on the capabilities built-in Office 365 to backup and to recover Office 365 data. Most of the businesses surveyed thought that Microsoft 365 does a complete protection for them, not fully understanding the native offerings they were working with or knowing the caveats and limitations until there is a problem.

Busting 3 common myths:

1. “Doesn’t Microsoft already have backup built-in?”

Microsoft does not have backup incorporated into their Microsoft 365 or Office 365 service offerings. They have retention policies, but these are not the same as backup and cannot cover every recovery scenario.

2. “I don’t need backup. Microsoft is obligated to take care of it”

While Microsoft does have a minimum SLA requirement to maintain the service level, they certainly do not make any guarantees when it comes to protecting or backing your data.

3. “Microsoft do not recommend or support third-party backup”

On the contrary, Microsoft not only highly recommends you do, but they also specifically mention it in their service level agreements (SLA).

Microsoft vs Your responsibility

Microsoft’s responsibility only covers the service level, the infrastructure, up time of cloud, and the apps in Microsoft 365. If organisations rely fully on Microsoft’s native data-retention features to protect data loss, there is a risk to their business continuity.

The need to backup and retain data

We have heard this repeatedly, the pandemic has changed the world – the shift to remote working and with people using more and more productivity and collaboration tools, protecting your data has become an increasingly pressing requirement.

During a recent webinar, Thomas Ferguson, Sales Engineer at Barracuda presented an in-depth look at what Microsoft 365 has to offer – what is and what isn’t taken care of. According to Ferguson, there is a widely referred backup rule of thumb, the 3-2-1 rule, which states, three copies of your data, two different locations/platforms and one offsite copy but this rule is tied to old on-premises style environment. In today’s cloud environment, Ferguson suggested that we could do away with this rigidity. Microsoft does take care of one of these copies to a degree with its in-built redundancies, retention policies, and online protection systems but Ferguson recommends aiming for a minimum of one complete separate copy, on a different platform and offsite to primary production data (Office 365).

The key to backup is not necessarily the ability to back up or retention of data, but to provide restoration of services of data or to get the data back when it is needed.

What Microsoft has to offer

The data from the Barracuda survey revealed that 70% don’t believe they need to backup Microsoft 365 data. As Ferguson stated in a recent Channel Talk podcast, ‘the reality is the products in Office 365 each has its limitations and a part of understanding the product is knowing the risks and making the decision to bolster and offset that risk with a third-party blanket cover product’.

Microsoft does say in their agreement that they recommend customers to “regularly back up data and content you store using third party apps and services’ [Microsoft service agreement 6b].

Microsoft only guarantees the availability of their services and not the retention of its data. This means that if the customer loses data, they may not be able to retrieve it without a third-party backup product. In addition, Microsoft does have lines in their product description pertaining to the fact that they do not have back up.

Microsoft have retention policies, end periods, litigation holds inside Microsoft 365 to help to a degree ensure you have some data recovery available.

Microsoft Enterprise plans have the options for litigation hold service which while active, effectively makes many of the emails undeletable. This does not necessarily extend to changes or versions of data, so you cannot hard delete an email. And it leaves a question mark around malicious changes, and if the administrator accidentally disables the litigation hold featuring system, the data will then be immediately destroyed based on the default retention period in the system.

Microsoft does have limited functionality by default without any extra configuration.

If you do go for the upper plans inside 365, E3 provides a basic tenant wide retention policy that gives you an unlimited retention period on your data and E5 while expensive, gives you a rule based granular policy system to help retain the data.

Users need to understand they will still need human configuration, it is not set up by default, and it is not managed, and things can still go wrong.

Referring to the example of KPMG, where a basic human error of changing a single retention policy without realising what it was impacting and immediately destroying 145,000 users’ data overnight which was unrecoverable.

The bottom line: Native retention tenant management is a complex process to manage, with many components that needs to be pulled together to ensure that you have a complete copy of all data. Just because Microsoft 365 is a SaaS product, does not mean that everything would work perfectly. It comes down to risk vs ROI decision to make around whether you are better off using a third-party product plan coverage as opposed to absorbing all the increasing costs inside Office 365 tenant.

Including third-party in your strategy

It is easy to see why a third-party product might be a better option; it is not bound by all those 365 caveats and limitations but simply provides a blanket coverage of everything.

For CSP providers and channel partners, this is a good talking point to start with your customers, who may not be as educated enough as they need to be to understand the decision they need to make about what have they got in their plans to recover from something that occurs, where are their risks, educating them of the technical aspects around the risks posed by only using native options in the system and where they are better off shifting the risk onto a third party.

Take for example ransomware, which is a particularly pertinent risk, when it does occur, you do not want to be asking where your retention periods are, what are your options, you want to know you already have a blanket system available to recover everything.

Barracuda Cloud-to-Cloud Backup (CCB)

Barracuda CCB is an easy-to-use SAAS solution that provides comprehensive, cost-effective, scalable backup and recovery for Microsoft Office 365 data, including Teams, Exchange Online, Share Point, and One Drive. CCB offers unlimited storage and retention – there are no caveats, and no requirements to configure retention policies, just a simple blanket coverage for the 4 products.

CCB is easy to deploy, all-in-one-solution

• Simple per user licensing
• No hardware or software to maintain
• Unlimited scalability
• Zero to running first back up in 3 minutes

Developed with Microsoft, CCB lives inside Azure which means data transfers are kept inside Microsoft’s network, with fast backup and restore speeds.

For CSPs, this is a very easy way to completely offset the risks of the native product offerings with little time consumed to set up.

Barracuda CCB can be purchased as stand-alone or bundled with their Essentials Complete Services or Total Email Protection Package.

Image source: ‘Solidify your Microsoft 365 business strategy’ webinar

Wrap up

It really is about identifying and understanding the service offered by Microsoft. There is an opportunity to pair third- party services with new Microsoft 365 sales and migrations or offer it as an upsell to existing customers as an additional revenue stream that can be added on without really having to displace anything competitively.

Deploying a service like Cloud-to-Cloud backup provides a blanket coverage of data in Microsoft 365 that your customers can fall back on, and it also serves as a protection for CSPs and MSPs to know that if there is an incident in an environment that you manage, and you need to restore or recover the data, you can be sure you have a complete separate copy available.

Source and credit: Some content in this article is extracted from ‘Solidify your Microsoft 365 business strategy‘ webinar held on 3 August 2023.