Office 365 Backups – Really?

It is a common misconception that data in SaaS repositories (such as Office 365) are automatically protected by the SaaS vendor.  If you think that, you may be in for a rude surprise.

Customers with Microsoft Office 365 (or any SaaS vendor for that matter) mistakenly believe that they don’t need to worry about data backups for their assets in the cloud.  The misconception is rampant at many levels.  So, let’s try and break this down systematically.

Why are backups necessary in the first place?

Admittedly this part is Backup 101 and applies to all business data (not just data in SaaS applications) – but for the sake of completeness, let’s cover this.

The most obvious case for a backup solution is data loss.  A user loses a folder, file or email message and wants it back.  And most times when we think of a backup use case – this is what comes to mind. However, enterprises invest in commercial grade, 3rd party backups for several other reasons.  A few important drivers are:

Regulation

Regulations – We’ve all heard of these.  Like SOX, HIPAA, GDPR.  As the world becomes global and companies start doing business overseas – like in the US and the EU, these regulations are hard to ignore.  If you do business in the US, you most likely have to worry about SOX.  If you are in healthcare, you need to care about HIPAA.  If you have even a single customer in the EU, you fall under the ambit of GDPR.  GDPR specifically was all over the news last year as it came into effect in the EU and famously levied penalties on the likes of Google and Facebook.  It is a regulation with the most teeth and clearly defines accountability around data losses.   Several developing countries are also modeling their regulations after GDPR.  The long and short of it is – Regulations are only getting stricter and holding businesses more and more accountable for data losses.

Ransomware

For those of you who may be unfamiliar with it, ransomware is an insidious form of malware which attacks endpoints and ends up encrypting all data on the disks – while demanding a bitcoin ransom in exchange for the encryption key.  It is very hard to defend against because the attacks come in the form of phishing or spear-phishing emails – so it is more of a social engineering attack, targeting unsuspecting, non-technical users.  All it takes is for an unsuspecting user to click on an attachment – which will then silently drop the deadly payload on their endpoint.  Within a matter of hours, ransomware will have done its damage.  It has the potential to rapidly spread across LANs to other user endpoints and even servers and databases.  Famous ransomware attacks like WannaCry and Petya made the news a few years ago as they wreaked havoc worldwide.  Many businesses simply have had to shutdown because they couldn’t afford the ransom or they simply didn’t get their data back even after paying it.  Ransomware has proved that it can get around the best security defenses.  And in the end, as it is now fairly well accepted, the best defense against ransomware is actually to have a solid backup strategy.

Insider threats

Insider threats – This is damage usually caused by trusted actors – usually inside the company.  Many times, the data losses may be due to accidental actions.  But (sometimes) they could also be due to malicious deletion of data by employees.  Many businesses want to keep a regular back up of all their user data – with or without the users’ knowledge – to hedge against this kind of action.

Ok. Next question.

Can you really lose data in a SaaS application?

Interestingly the answer is yes – and the number of data loss scenarios with SaaS is more than you may think.  Close to a third of enterprises have reported having some type of data loss or another when using SaaS applications.   Here are some statistics:

  • A whopping 47% of data losses are due to end user deletion.
  • The next highest statistic is Administrative errors – 17%
  • Losses due to external threat actors contribute to 13% of the problem.
  • 7% is caused by malicious insiders.
  • Another 7% are due to bugs in the SaaS application itself
  • 13% of these are because you simply decide to stop using the SaaS application.

The last one blew my mind!  Who knew?  You may end up losing your data in a SaaS application simply because you decided to terminate the contract!

But isn’t the SaaS vendor accountable?

That’s a great question.  Let’s further break it down into 2 sub-questions:

  1. Shouldn’t the responsibility or accountability of protecting data also move to the cloud – along with the data itself?
  2. The SaaS vendor should backup the data for their own protection anyway – right?

 To answer the first question – the accountability for data protection stays with you as the organization.  Most regulators draw a clear distinction between the owners of the data and hosters of the data.  The latest regulation which made the news last year – GDPR actually calls them data controllers and data processors respectively.  While hosting companies (or data processors) can provide services, the majority of the accountability around data breaches or losses that could occur – stays with the data owners (or controllers).  And this is not likely to change in the near future.

A simple way to state this is that you can’t contract away responsibility.  So, the answer is YES – as an organization you still remain responsible.

Now to answer the second question.  Doesn’t the cloud vendor perform backups?

Well, they do, and they don’t.  SaaS application providers do backup or replicate their data, but at a tenant level.  These backups are geared for them to recover the entire platform in case of an outage, but are not really designed for granular recovery. There is also no option for an on-demand backup – for instance, if you wish to make sure you have a backup right now, before you get started on a large scale internal project – you won’t be able to do that with a SaaS application.

For these reasons, many SaaS application providers admit that although they have data protection measures in place, customers should also perform their own backups in case there is a loss of data due to various factors outside their control.

And Microsoft does the same when it comes to Office 365.   If you read the Office 365 Service agreement text, it clearly states:

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

But wait…. How’s that possible? 

But, how can a SaaS vendor get away with that?  Not taking responsibility for backups?

Because of the model in which SaaS vendors operate under.  It is called a Shared Responsibility Model.  You will find that no matter which SaaS you are using, if you read the fine print of the contract closely – almost every one of them will refer to this in one form or another.

 

The gist of the Shared Responsibility model is that while SaaS vendors will take responsibility for several things – like infrastructure, uptime, power, communication links, network connectivity etc. – they also leave a few things out which you are supposed to be responsible for, as a customer.  And those are mainly your data, and security.  Those always remain your organization’s responsibility.

So, if you are under the impression that the SaaS vendor is responsible for everything including your data, backups, and security – it is time to shed yourself of that fallacy – and the sooner the better.

But Office 365 has built-in archiving functions…

Businesses with the more expensive Office 365 licenses (E3 and above) get the benefit of Office 365’s built-in archiving for email.  To understand why the built-in archive is a poor substitute (if at all) for a reliable backup, please read my blog post about “Why you need to look beyond Office 365 in-place archiving”. 

Make the right choice

The long and short of it is – if you are using a SaaS solution, and especially one such as Office 365 where so much of your critical business data resides, you would be remiss not to consider an enterprise-class, commercial-grade backup solution for your office 365 assets.