How safe is OneDrive against Ransomware?
A number of businesses of late have come to rely on OneDrive for Business as their sole means of endpoint data protection. With Microsoft 365 becoming widely prevalent, businesses are viewing OneDrive as ‘free’ endpoint backup. Some have even gone to the extent of discarding their commercial-grade endpoint backup solutions in favor of using OneDrive to save costs.
I’ve written before about why this misconception can be dangerous. While OneDrive has several fine features to recommend, one of the things it definitely is NOT is a backup solution.
While OneDrive has several fine features to recommend, one of the things it definitely is NOT is a backup solution.
And businesses that rely on OneDrive exclusively for data protection may end up finding this out the hard way. But for this blog post, let’s focus on ransomware.
Conventional wisdom now states that one of the best defenses against ransomware is a reliable backup. Having a safe, secondary copy of your data means you don’t have to negotiate with the attacker while being held hostage. You can restore your data back on your terms and thus control your own destiny. The question is whether the data copy in OneDrive is adequate to protect you against ransomware.
1. Exposure to ransomware
OneDrive is a sync solution that is designed to quickly replicate file changes on your endpoint system to the cloud. This means all modifications to files on the endpoint – good and bad. Changes, deletions, and alterations caused to files due to a ransomware attack can also be faithfully replicated to OneDrive without delay. So, as it turns out, your backup copy can be just as susceptible as your primary copy. Not a great defense against ransomware.
OneDrive does allow file versioning, which means that even in the case of a ransomware attack, it should technically be possible to go back and retrieve previous file versions from before the attack.
But there are a few wrinkles here:
1. Versioning seems to work only if you have a Microsoft 365 subscription – not if you purchase OneDrive a la carte.
2. Second, it is also unclear whether file versioning is turned ON by default. Several customers have complained that they have discovered it is OFF by default, and they have no way to turn it ON in bulk for all their users. Powershell scripting is involved.
3. When versioning is turned ON, the default set of versions preserved is 500 with a lower limit of 100. Again, changing this across the organization to a uniform setting can be challenging because of no centralized control.
4. It seems not to be possible to restore back a whole folder back to an earlier version. You have to do it file by file – making the process extremely cumbersome.
3. The Site Recycle Bin
But there is a somewhat better way. Remember that ransomware usually deletes the original files and creates a new substitute file with a mangled name and encrypted contents. So, a lot of the original files end up in the SharePoint site recycle bin. This bin has a 30-day clock ticking against every file that lands in it. So, assuming the recycle bin hasn’t been deleted by anyone in those 30 days, an individual user can restore their OneDrive to a previous time. In fact, Microsoft recently introduced a new feature called “Restore your OneDrive” which allows you to roll your OneDrive back to an earlier point in time – up to 30 days ago.
Now, remember, there’s no centralized way to do this for multiple users. You’ll have to get each of your affected business users to do this with their OneDrive accounts. So, imagine doing that with several hundred users, who are not necessarily technically savvy, racing against a 30-day clock.
4. The Site Collection Recycle Bin
If you miss this 30-day period (God forbid), for the next 63 days, these files get moved to the site collection recycle bin – which only a SharePoint Admin can access. At this point, individual users can’t do the OneDrive restores on their own.
The SharePoint Admin has to restore for them. Now, imagine going through this type of restore process for several hundred users with a 30 or 60-day deadline dangling over your head.
5. Ransomware continues to get better
Most important – all this assumes that your versions and the recycle bins are immune from the ransomware attack. Ransomware authors continue to innovate each day, and the word is that there are new strains of ransomware designed to compromise the recycle bin(s) – which then naturally leaves the OneDrive user (or administrator) with no recourse but to negotiate with the ransomware attackers.
What you can do
1. Use a commercial-grade backup solution
If you are protecting endpoints, invest in a commercial-grade backup solution. In my opinion, this is a no-brainer and is non-negotiable. Don’t try to cut corners by using OneDrive – it’s just not worth it.
2. Make sure your backups are immutable
Look for backup solutions that have invested time and effort in ensuring that they have an immutable copy of data. This data is typically not only encrypted and versioned; it is stored securely away to prevent tampering and to keep it insulated from changes that happen on the user endpoint. To learn more about immutable and tamper-proof backups, check out Parablu’s BluVault.
3. Ensure you can control retention times
Not only can many commercial-grade backup solutions go back in time to a previous copy of data (from before the ransomware attack), they also let you control the retention, which means you don’t have a pre-determined 30, 60, or 90-day clock looming when you already have your hands full recovering from a ransomware attack.
4. Make sure your restores are a breeze
And with solutions like BluVault, data recovery is simple. Select a device, folder, file, or even a file version. Click and walk away. Data is restored faithfully, including folder and sub-folder structure to the destination of your choice.
5. Look for centralized management
And you should be able to manage multiple users/devices – all from a centralized console. You may delegate users to do their own recovery if you wish – but you should still be able to see what they did, when they did it, whether they were successful – and how many users you still have left to go. There should be no guesswork.
6. Use a commercial-grade backup solution
If you still would like to use OneDrive to protect your users, that’s fine. But then, make sure to backup your OneDrive for Business data. Solutions like Parablu’s BluVault for Microsoft 365 offer cloud-cloud backups of your Microsoft 365 assets like Exchange Online and OneDrive for Business. Having frequent and reliable copies of your OneDrive data to an alternate cloud destination is a sure-fire way of defending yourself against a ransomware attack.
This way, if the OneDrive versions and the recycle bin fail you, you know you have a safe backup you can fall back to.
A sound backup strategy should be a critical part of every organization’s Information Technology plan, including user endpoints. With many employees now spread out and working from home, in unsecured and unsupervised environments, it is all the more important to ensure that their data has enterprise-class protection. Modern, enterprise-class backup solutions like Parablu’s BluVault can use your OneDrive storage securely to provide you with a commercial-grade backup solution – giving you the best of both worlds.
OneDrive for Business is a great business productivity tool designed to sync file data for immediate and easy accessibility. But businesses would be remiss in mistaking it for a backup and relying on it entirely for ransomware protection.
I hope this blog post has helped the reader understand the anatomy of the recovery process from OneDrive. Think through the ramifications of the decision you make regarding your endpoints – before you choose to use OneDrive exclusively.
Parablu’s BluVault is designed to enable robust data backup from user endpoints, SaaS workloads (Microsoft 365), and edge servers. Our patented integration with Microsoft 365 and OneDrive for Business also means that you can deploy BluVault without spending a penny for backup storage. Sound interesting? Reach out to us and learn more.