Why Exchange Online Backup is necessary
Microsoft Exchange Online is an industry-leading, fully hosted email service that offers generous mailbox space and online calendaring capabilities. All emails are hosted in Microsoft’s Azure data centers on their popular Exchange Server software, enabling multi-device synchronization. Users can access emails and share calendars, contacts, and tasks even while they are on the move. Exchange Online can be easily accessed from a user’s desktop, through the web with a browser, or from a mobile device. Users can subscribe to Exchange Online as a standalone service or through a Microsoft 365 subscription.
Why is Exchange Online popular
1. Generous inbox space
Microsoft Exchange Online provides 50 GB of mailbox storage space by default. It can be increased up to 100 GB with a Microsoft 365 E3 or E5 license. With its auto-expanding archiving feature, one can get an additional 50 GB of storage space or nearly unlimited storage space, depending on the Microsoft 365 license purchased. With such a generous storage offering, employees and administrators generally don’t have to worry much about managing mailbox growth.
2. Email security
With its data loss prevention (DLP) capabilities, Exchange Online can keep messages encrypted even when sent outside the company’s email domain. Employees can send encrypted emails to anyone. If the recipient responds or forwards the message to someone else, the encryption remains intact, preventing the potential loss of sensitive data.
3. Always on and up-to-date
Exchange Online is one of the fastest evolving solutions in the market. Microsoft automatically provides product enhancements and software updates without any intervention from users or administrators. Automated updates mean less time maintaining and more time growing.
4. Multi-device sync
Exchange Online allows users to synchronize their email, contacts, calendar, and tasks directly to desktops, laptops and even handheld devices like mobile phones and tablets. This allows employees to get their work done anytime, from anywhere.
Why it is important to protect Exchange data
So, is it necessary to make a copy of data in Exchange Online? An important reason organizations have backup policies is to retain data belonging to employees even after they have left an organization. And that includes employee email. Businesses need to preserve employee email for compliance, legal, or business reasons. To that end, they need to ensure that employees don’t (maliciously or accidentally) delete emails before they leave.
Exchange Online’s native protection mechanisms
1. Deleted Items Folder
The Deleted Items folder is a temporary residence for emails that are deleted from the primary mailbox. Deleted emails are retained in this folder, usually for a fixed period of time (like 30 days). Users are, however, free to remove emails from the Deleted Items folder before this period ends. As long as items are present in Deleted Items, they can be easily recovered. In addition to regular email, users can also retrieve contacts, events, or tasks from the Deleted Items folder.
2. Recoverable Items Folder
Exchange Online usually purges the Deleted Items folder every 30 days. However, there is an option to recover emails even after they are deleted from this folder. This is because emails deleted from this folder are moved and preserved in the Recoverable Items folder for 14 more days. Unless other retention mechanisms are in place, deleted emails will no longer be accessible after this time.
3. Online Archive mailbox
Each Exchange Online email account has a feature called an Online Archive mailbox. Every Exchange Online Archiving subscriber initially receives 100 GB of storage in the archive mailbox. If auto-expanding archiving is turned on, additional storage space is automatically added when the 100 GB storage capacity is reached.
You can also use Archive Policies to define when an email should be moved from the primary mailbox to the Online Archive mailbox. In the online archive mailbox, emails do not get purged automatically, but a user can choose to remove emails out of an archive mailbox anytime they wish to. Automatic purging of emails from an archive mailbox can also be achieved via retention policy – which we’ll discuss in the next section.
Note that in all of the above cases, users can delete their emails and remove them if they wish to – whether from the Deleted Items folder, the Recoverable Items folder, or the Online Archive mailbox. So, by themselves, these features don’t serve to retain email for employees who leave the company. A determined enough employee can ensure that email is cleared out of all these locations in case they wish to inflict damage on an organization.
So, what else does Microsoft provide?
To protect against user deletions, Microsoft does provide some additional features.
1. Retention policies and labels
Using retention policies and retention labels, you can assign retention settings to your content in Exchange Online. Retention tags allow users to tag their own mailbox folders and individual items for retention. By applying Retention Policies for emails, enterprises can retain emails in Exchange Online for an extended period, which is not limited to the 30+14 days.
2. eDiscovery Holds and Litigation Holds
Microsoft provides another layer of protection against potential data loss via its eDiscovery features. In Exchange Online, eDiscovery is used to place a hold on content locations in Exchange mailboxes. Nothing complex is needed to deploy eDiscovery, but there are some prerequisite tasks that an IT admin and eDiscovery manager have to complete before an organization can start using eDiscovery to search, export, and preserve content.
Litigation Hold is yet another feature of the eDiscovery capability in Exchange Online. Putting mailboxes on Litigation Hold prevents users from permanently deleting all or chosen content. It provides both partial and whole mailbox protection using filters and conditions. The main function of a Litigation Hold is to protect against data deletion in case there is an active lawsuit, and some email might be considered discoverable as evidence. Litigation hold can suspend deletion of email and retain email indefinitely.
The problems with these approaches
First off, eDiscovery Holds, Litigation Holds or Retention policies require a Microsoft 365 E3 or E5 license – which are considerably more expensive than an E1 or Business Essentials license that most organizations purchase. The licensing costs place a significantly higher investment burden on enterprises.
Secondly, neither Retention Policies nor Litigation Hold may be enough to qualify as a backup and, more specifically, be able to protect data for users who are leaving the organization. Why?
1. Holds and Retention Policies may let users retain emails in their mailboxes indefinitely. But these features do not really provide a secondary copy of email; they just retain the primary copy for longer. This means the retained email resides in the same location as the primary email. This violates the first principle of a backup operation, which is that it should make a secondary copy of data in an alternate location. By keeping your backed-up email in the same location as your primary email, you are making it just as vulnerable as the primary copy. Therefore, any compromise of or damage to the Microsoft 365 tenant infrastructure, or a ransomware attack, would affect the retained copies just as it would the primary mailboxes.
2. There is no way in these approaches to restore or transfer data from a user who left the company to an alternate user (like their supervisor or peer). You will need to provision a license to the original mailbox and retrieve the data.
3. Also, while litigation hold may allow you to retain data for a user who has left the organization, you will have to continue paying Microsoft for their license, which is an additional investment. Litigation holds are permanent and don’t have any retention rules built into them. For this reason, keeping data on litigation hold has many downsides. Litigation hold is a measure that businesses should take only where there is a need to make evidence discoverable for a specific user mailbox because of an ongoing legal process. Turning on litigation hold indiscriminately for all users would make ALL the emails for ALL users discoverable evidence in the case of any future litigation. It may not be a favorable position to take from a legal standpoint. It also makes the search process complex and time-intensive.
The Answer: A Backup Strategy
Without regular and reliable Exchange Online backups, enterprises risk losing valuable data. Microsoft, in fact, agrees. In the Microsoft 365 services agreement, they say:
“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
Why BluVault for Exchange Online Backup?
Parablu’s BluVault is a cloud-to-cloud backup solution that does not impact end-user experience in any way. Moreover, it does not demand anything in terms of additional storage infrastructure on your premises. It also has the ability to utilize OneDrive storage within the M365 tenant as a backup target, thus bringing down the TCO on your backup solution significantly. It is hosted out of world-class data centers with a global presence and gives enterprises the support they need from a regulatory standpoint, while helping defend against ransomware and insider threats.
1. Alternate copy of data
BluVault protects Exchange Online emails by making a safe copy of the data OUTSIDE Exchange Online. The backups are scheduled, automatic, incremental, checkpointed, and time logged.
2. Immutable data copy
BluVault ensures that the backed-up data copies are kept safe with appropriate barriers against alteration, deletion, or other types of tampering. This property of a backup to maintain an unalterable copy of data is called immutability, and it is an important characteristic of enterprise-class backup solutions. Users do not have direct access to the backup data and cannot alter the content of their backups – even if it is for their own data. Even an administrator cannot alter the data in the backups – except in specific scenarios which are audit-logged.
3. Backup reassignment
BluVault allows enterprises to take a mailbox belonging to a user who has left the organization and let an Administrator restore those emails. Or better yet, it also supports “backup reassignment”, using which one can simply assign restore privileges over the backup data to an alternate user in the organization.
4. Regulatory Compliance
Regulations like SOX, HIPAA, GDPR, and others have data protection and retention requirements that BluVault helps meet. BluVault’s reports and audit trail help to keep organizations on a defensible platform when it comes to regulatory compliance. It also offers the ease of archiving the entire mailbox into a PST for enterprises where such a step is a regulatory requirement.
5. License cost savings
BluVault always keeps a secondary copy of your data in a vendor-neutral format. This means the business doesn’t have to pay Microsoft to preserve licenses of users who have left the organization. BluVault also helps enterprises overcome limitations imposed by the Microsoft 365 license around storage quotas and the amount of data they retain. With BluVault, enterprises can rest easy knowing that a copy of their data is always accessible, irrespective of storage or mailbox size limits imposed by the Microsoft license.
6. Policy-based Management
Enterprises can also define retention rules around their backup data using policy-based management, for example, how long they would like to preserve emails. It also allows the administrator to control all elements of backup behavior easily – backup schedules, folders to include/exclude, email domains (or senders) to include/exclude, attachment size limits, user quota limits, etc.
7. Powerful eDiscovery
BluVault also has an eDiscovery feature that will let you search all backed-up data and find emails in a matter of minutes. Powerful search features enable eDiscovery for legal, compliance, HR, or other needs. Searches are possible by keywords or even by fields such as To, From, Subject, or any combination thereof. Users can find any email from the backup vault at any time and can even navigate directly to the email and download it right away. Or if the search yields a collection of emails – they can be downloaded together as a PST for review later. Searches are capable of identifying keywords inside email attachments as well, and can be executed for specific mailboxes only as needed.
BluVault also supports a Legal/Litigation Hold feature that allows administrators to assign special policies to identified users which align with Legal Hold requirements. The aging of backup data is suspended for users in such policies while eDiscovery searches might be ongoing.
8. Deleted email discovery
BluVault also has an option to specifically view emails that the backup detected as ‘deleted’. This can be especially useful to examine mailboxes of users who the IT team may suspect of having deleted any email deliberately.