Office 365 offers basic protection to deal with some of the things that could damage your data, but there are things it doesn’t protect you from, and there are side effects to some of the optional protection features. Even if you feel you are well protected, the restore might be time intensive and quite a bit more work if you don’t have a third-party backup tool. So, maybe backup is a Good Thing™ after all.
The first reason why Office 365 should be protected by a 3rd party is the age-old concept of the 3-2-1 rule of backups. Three copies of your data on two different pieces of media, one of which should be offsite. Using Office 365 to protect itself violates every one of these basis data protection concepts. The protections built into Office 365 are built into Office 365. It’s like backing up your laptop files to another slice on your local hard drive. An app should be protected by something that isn’t the app.
Even Microsoft agrees. Here is what they say in their service agreement for Office 365:
Why might Microsoft say this, you ask? Because there are more ways to destroy your data, Horatio, than are dreamt of in your philosophy. (My apologies to the Bard.)
Say, for example, you accidentally delete an email, OneDrive file, or SharePoint item. Office 365 has places where it stores deleted items that allow you to get it back for a set period of time. You just need to locate the deleted item in the Recycle Bin before it expires (and hope it wasn’t manually emptied by an admin – rogue or otherwise). But what if malware deletes files you don’t use frequently so you won’t notice the deletion? You will only be able to recover them if you notice the deletion within the specified retention period. And if you don’t notice in time – because the malware is hoping you won’t – you lose the data forever. In addition, if malware deletes hundreds or thousands of files, you will be spending quite a lot of time in the Recycle Bin locating each file and putting it back, a process some refer to as “dumpster diving,” which no one should use as their backup method.
A third party backup tool would allow you to easily find and restore as many files as you need, or even restore an entire user or folder to a point in time. One step, instead of thousands of them.
SharePoint and OneDrive do offer versioning to protect against accidental mistakes, and Office365 now enables 500 versions by default. You can check whether or not versioning is currently enabled in your account, and you can reduce or increase this number as required. While 500 versions sounds like a lot, you should know that Office 365 is continually saving versions while you are working on a document. I’ve seen plenty of complaints about this online.
Versioning protects you from typical user errors, but malware may be able to change or encrypt your file more times than the number of versions you store, which would mean you do not have a valid version to restore. If malware really wanted to mess with you, it would encrypt all your files random numbers of times so that you’d have to dig all over time and space to find the right version. What. A. Mess.
An attacker intent on doing your company harm might also attempt to gain administrative access to your Office 365 account via phishing, social engineering, or even taking advantage of a vulnerability in Office 365 itself. A rogue admin (or well-meaning admin attempting to save space) can easily disable versioning or reduce it to a very low number. Even features like Legal Hold will not stand up to a rogue or fake administrator. This is why we backup data that matters to us, and Office 365 is no exception.
Office 365 does offer a new feature called Retention Policies that provides additional protections against some of the things mentioned above, if you use an optional feature called Retention Lock; however, there are some things you should know about these features. The first thing I’ll say is that they’re not that simple. The “Overview” of how they work is 25 pages and over 5,000 words long. There are a variety of options in this tool, any one of which could be configured incorrectly and result in a reduction in protection.
Perhaps the most important thing to understand about retention policies is that the additional versions of files that they store are kept in your Office 365 account, some of which is counted against the storage allocation of your account. In addition, retention policies are only effective against hackers and rogue admins if you enable Retention Lock. It prevents bad actors from undoing the retention policy you put in place by not allowing anyone to undo a retention policy once you have activated retention lock. The downside is that you can never undo this change. If you use up your storage allocation, you will be required to buy however much additional storage you need, at whatever price Microsoft wants to charge you for it.
Another problem with retention lock is what happens if you get a right to be forgotten request from GDPR or California’s upcoming CCPA. By design, there is no way to satisfy these requests. This is a potential very serious side effect of using Office 365 to protect itself.
With SharePoint and OneDrive data, the extra versions you will keep go directly against your main storage allocation. (This is why there was an uproar in the online community when Microsoft enabled 500 versions by default. It was seen as forcing customers to increase their storage allocation, which they now have to pay for.) Imagine how much storage you will need if you store every version of every file for multiple years; it will significantly increase the amount of storage you need for Office 365.
The impact of using Retention Policies is different with Exchange Online. When you have a retention policy, deleted emails are moved into a 100 GB archive folder. If that folder fills up, you are given another 100 GB archive folder, and so on. At this time, you are not charged for this additional storage, but that could change in the future. And the more archive folders you have, the harder it is to find old emails. You cannot search across your entire account; you must search within each archive folder. A 3rd party backup and long-term-retention system would allow you to easily search across your entire account.
There are also limitations to what retention policies can restore. For example, with SharePoint they can’t restore deleted list columns. The only option to restore those would be a complete site restore – more on that later. With Exchange Online they can’t do a point-in-time restore of a mailbox. I read on Spiceworks the other day of an admin that had accidentally corrupted one user’s mailbox by uploading another user’s PST file to it. (Their first names were the same.) If all you have is retention policies, there is no way to undo this change, short of manually deleting the hundreds of emails and calendar entries for the other users. But if you used a 3rd party tool, you could easily restore that user to just before an event that corrupted an entire mailbox.
Retention Policies also do not address legal hold requirements. Yes, Office 365 does have a legal hold capability, but it requires many steps to activate, and can be easily deactivated by a rogue administrator. More importantly, all it does is lock the data of a user. It does nothing to cull the data and prepare it for the e-discovery process. A 3rd party backup tool can do all of that much simpler than Office 365 can.