Office 365 is a Software-as-a-Service (SaaS) offering from Microsoft that allows you to run a suite of common Microsoft office automation applications, including e-mail and SharePoint, as a service. As with most services, you’ll invariably generate data that becomes important to you as time goes on.
This data will be in the form of e-mail messages, documents uploaded to SharePoint or stored on OneDrive, all kinds of stuff. In the old days, when something went wrong with these environments, and you lost data, you needed to recover that data to get up and running again. You’d imagine that the same rule would logically apply to Office 365 data as well. Unfortunately, a lot of enterprises are storing data in Office 365 and not protecting it.
There are many features in Office 365 that mimic backup, but there isn’t an actual backup capability, at least not using the built-in features of the product. It’s all just versioning of one form or another. OneDrive gives you versioning, for example, and e-mail comes with a recycle bin capability. These features are useful as far as it goes, and you can even add retention policies on top of them. The problem with this is that it’s just, as W. Curtis Preston describes it, “additional references in the same database”.
Why is this a problem? Isn’t it more efficient to keep links to the same data? It’s a problem because a true data protection solution has a requirement to keep data in some location other than the one the original data is stored in. For some time, the “3-2-1 Rule” has been a way for enterprises to ensure their data is protected. The rule is simple: three copies of your data (1 original and two replicas), stored on two types of media, with one copy off-site. The problem with the out of the box data protection experience for Office 365 is that it doesn’t adhere to this rule. The retention policies are nice, but they’re not designed for backup and restore, they’re meant for e-discovery. To retrieve any data, you have to use the e-discovery workflow that creates a special download file.
This isn’t just a problem with Office 365 either. Plenty of SaaS products prove difficult to protect using the native tools. A number of the major SaaS solution vendors suggest that you use third-party tools to protect your SaaS data, as the in-house services on offer are light at best and offer little guarantee of a rapid or full recovery.
Why is this such a problem? What could possibly go that wrong with my Office 365 data that I need to worry about protecting it with third-party solutions? It’s not that Microsoft are offering a service that isn’t resilient. Indeed, Microsoft offers some significant resilience guarantees when it comes to the underlying platform used to deliver its SaaS offerings. But, just like the on-premises applications of yore, things can go wrong with the data itself. If malicious folks get access to your environment, or you suffer from a ransomware outbreak, what are you going to do? What if someone manages to access your account and change your versioning back to 1? What about all the data that used to exist before that version got reset? How do you get that back?
There hasn’t yet been a publicised outage where customers have lost data with Office 365. But there have been some on some of the other major SaaS provider platforms. Ostensibly smart people look at SaaS and make a basic assumption that, because it’s a service offering, backup is part of the service. Unfortunately, this isn’t the case.
If you’re not using data protection for your SaaS data, should you panic? No, of course not. But you should seriously evaluate the importance of the data that you’re storing in that SaaS platform and ask yourself just how critical it is to you. If you think it’s important, doing something about protecting it makes sense. If losing that data to a ransomware attack means the end of your business, or some significant financial pain, then data protection for your SaaS data should be a priority. It doesn’t have to be a particularly onerous undertaking, and the worst thing you can do is nothing at all.