The Need for Cloud Backup with Microsoft 365
When discussing cloud backup of Microsoft 365, a question I hear again and again is “If we are using Microsoft 365, aren’t we already protected?”
While there are many benefits to using the Microsoft 365 platform, there are some legitimate risks associated with any software-as-a-service (SaaS) application suite or platform, including Microsoft 365. To mitigate the risks associated with using any cloud platform, you should first understand the risks – and the steps you can take to protect your intellectual property.
What Are The Risks?
We hear about all of the dangers of nefarious outside actors, but the reality is that the majority of security issues comes from the inside. That’s where having an automated cloud backup solution can ensure that you, your partners, and your customers are truly secure. In a recent webinar, I shared a number of risks outlined by Forrester that make this case:
- Accidental deletion. This is the most basic and common cause of the loss of both on-premises and cloud-based data. This can be problematic, especially if the user fails to notice deletion immediately and the data ages out of their trash can. Accidental deletion can also take the form of accidentally overwriting correct information with incorrect information — something that many SaaS providers can’t easily reverse in their platforms.
- Departing employees. As employees leave your organization, what happens to the data associated with their accounts in your SaaS application? The rules vary significantly from vendor to vendor, but for many, deactivating a user account also means deleting the data stored there. Most organizations wish to keep this data but may not have a good way of exporting it or transferring it within the application.
- Hacktivists. Every news cycle brings a new story of a cyberattack. Today, cybercriminals most often target on-premises systems, but they’ll quickly shift targets as enterprises store critical data in SaaS and other cloud-based systems. Quite often, the client is responsible for securing the data hosted in SaaS. Financially motivated criminals want to steal copies of customer data and intellectual property that they can easily monetize. Politically and socially motivated cybercriminals (known as hacktivists), however, may expose or destroy data in retaliation for some real or perceived offense.
- Malicious insiders. Whether it’s a disgruntled employee, a resentful contractor, or some other insider with the intention to do harm, malicious users are another common cause of data loss, both on-premises and in cloud environments. The scope of damage will depend on the access and authorizations granted to the user. If it’s an individual contributor with a narrow range of responsibilities, the damage may be limited, but if it’s a power user, the damage can be extensive.
- Rogue applications. With the ecosystem of add-on applications for popular SaaS solutions growing by the day — Salesforce’s AppExchange now boasts more than 3,300 apps and
- more than 4 million installs — we’re seeing growing concern about rogue third-party applications causing damage. What happens when the app that’s supposed to consolidate duplicate records accidentally deletes or corrupts unique records?
- Prolonged outages. An unexpected and prolonged outage at your SaaS provider can be the remote incident that cripples your business. Unless you have a plan for how to handle such circumstances, it’s highly unlikely that you’ll have access to your data. Insurance brokerage firms in the UK using services from SSP Worldwide were rendered helpless when SSP faced a three-week-long outage. Brokers could not issue new policies, look up the expiration dates of existing policies, or communicate with their clients. SSP Worldwide couldn’t recover some clients’ data from backup instances — and to brokers’ utter dismay, SSP Worldwide assumed no responsibility for losses they suffered due to the outage.
- Data retention policy for audit or compliance purpose. While your organization’s policy or regulatory compliance mandates require you to retain data for few months or years, your SaaS providers won’t preserve data for that long. ServiceNow only keeps a rolling backup of the past 28 days and the Oracle SaaS service retains data for 60 days from the last backup.
What Does Microsoft Provide?
Microsoft provides you with a number of protections at the infrastructure level, including:
- Physical security. From 24-hour monitoring and restricted physical access, to multi-factor authentication and biometric scanning for data center access.
- Logical security. Dedicated threat management teams, port and perimeter scanning, and intrusion detection to prevent malicious access.
- Data security. Encryption at rest and in transit, constant security management, and data/file integrity detection services.
- Admin and user controls. Rights Management Services (RMS), certificate-based email access, Data Loss Prevention (DLP) controls, and message encryption to protect sensitive data.
You should have high confidence in the infrastructure and workload security that Microsoft provides against external threats. But for internal threats and more robust data security controls — which may be needed based on your industry or regulatory requirements — you’ll want to investigate cloud backup solutions.
What Does AvePoint Provide?
By leveraging AvePoint’s Cloud Backup solution, our customers are able to leverage AvePoint’s Azure storage or bring their own storage option. With our Multi-Tenant & Multi-Geo Accessibility and Management capability, we can scale to meet any of our customer’s needs. And with AvePoint’s Virtual Assistant (AVA), we enable end-users to find and restore lost or deleted files by responding directly to Microsoft Teams chats.
To learn more about AvePoint’s cloud backup offerings, be sure to check out “How and Why to Backup Your Office 365 Tenant“
Still not convinced that cloud backup is needed for Microsoft 365? Check out “The Great Debate” that I moderated before I joined the AvePoint team in late 2020, between John Hodges, VP of Product Strategy at AvePoint, and Microsoft MVP Tony Redmond, Principal of Redmond and Associates. You can find it on-demand here.
Check out this fun (and campy) pre-show analysis with Dux Raymond Sy and Hunter Willis: