Office 365 Backup & Recovery: Is it Necessary?
Is your organization currently using or considering Office 365? There’s no question that Office 365 has significant benefits — like increased collaboration, lower capital expenses, and less overhead. But have you considered the risk of data loss in Office 365? When you, your users or malicious outsiders cause data loss, how confident are you that you can get the data back?
Listen to this webinar featuring Mat Hamlin, VP of Products, and Andy Rouse, Sr. Product Manager at Spanning, where they discuss the benefits of Office 365, as well as the hidden risks to your data.
In this webinar, you’ll learn:
- The common causes of data loss in Office 365 and the cloud
- What native protection options exist within Office 365
- Why protecting your Office 365 data with 3rd party backup is important
- What you should consider when evaluating cloud backup solutions
Want to see all the features Spanning Backup for Office 365 has to offer?LEARN MORE
Bob: Welcome to this “MS Office 365 CON 2018” focus session. My name is Bob Hanson and I’ll be the moderator for this presentation. As always, please ask questions early and often. And if we don’t have time for your questions today, speakers will follow up directly with you. We welcome in Spanning for this session entitled, “Office 365 Backup and Recovery: Is it Necessary?”
Our speakers today are both from Spanning. Our first speaker will be Mat Hamlin, he’s Vice President of Products. And our second speaker will be Andy Rouse, he’s Senior Product Manager at Spanning as well. So, Mat, take it away.
Mat: Thanks, Bob. I want to start off by saying thanks for everyone who’s in attendance today. We know your time is precious and we appreciate you spending the time with us. Today we’ll talk about Office 365 backup and recovery and whether it’s necessary or not. Let’s start off with a statistic. We did some research recently with an outside firm and did a broad survey of IT managers and SaaS administrators around the world. We found out that 77% of companies that use SaaS have suffered some form of data loss over a 12-month period. And we see causes of data loss events come from a variety of places, whether it’s an internal or external actor affecting your data, employee mistakes or just misconfigurations.
So, there a lot of reasons that the data can get lost or corrupted within a SaaS environment, specifically in Microsoft Office 365 at this point. That number is pretty big, 77%. One of the things I often have conversations with customers and prospects about is whether or not you actually need to have backups in place for Microsoft Office 365. The question becomes, “Don’t they back that data up for me?” And my answer is always, “Yes, they have backups in place. They are better than most organizations that are running an application like exchange online, in the cloud, SharePoint, and OneDrive for Business. They have redundant servers, they have redundant data centers. They’re very good at making sure that they don’t lose your data.”
But what happens is when you move to a SaaS environment, the SaaS vendor themselves are responsible for the things on the left (see image below). All right. Again, they’re focused on ensuring that the data is there and that the application that they’re providing to you is always available. So, they cover things like hardware failure, software failure, natural disasters as I mentioned, right? They have redundant data centers there. Power outages. As well as they’re responsible for clearing out any changes that you ask them to make, like delete requests. And so, when you move to a SaaS environment, responsibility for your data is actually a shared responsibility. You’re responsible for the things on the left side of the slide here and you’re responsible for making sure that you can recover if any of the things on the right occur in your environment.
Again, human mistakes include your end users or anyone else who has access to your data. It could be partners or even customers. A programmatic error if you have integrations or things using your Office 365 APIs. If they are misconfigured or make mistakes, those changes will be carried out by Microsoft. Malicious insider activity, right? You may have an employee who’s leaving, takes data, and then destroys things inside of your environment. External hackers are a large cause of data loss. We see both on-premises on laptops and desktops, but those changes in data instruction events could actually carry up to SharePoint online or OneDrive for Business as well. Ransomware and viruses are also a leading cause. The rise of ransomware within the past four years has been extremely dramatic.
There was a report out recently that the cost of ransomware in 2018 will start approaching $5 billion. It’s a very, very large number. So, when changes are made in your Office 365 environment, those changes will be carried out by Microsoft. If you tell them to delete data, they will delete it. If you tell them to change data, if something is using the APIs to access your data (it says change or delete data), they will carry those out. They don’t know if those are good request or bad requests. If somebody is logged in with proper credentials or proper API access, they assume that those are legitimate changes because they’re being executed as the person who is logged in. So, access is there. Here are just a few examples from our experience with customers:
We had a customer recently who deleted and purged the wrong user from Office 365. So just the normal course of on-boarding and off-boarding users. They actually removed the wrong person from Office 365 which after, you know, not too long that data gets completely purged out of Office 365. They were able to go to their backups and find that user, and then get that data restored back in Office 365 into new accounts. Another common data loss event we see is ransomware. We’ve helped quite a few customers with that problem. In their case, they had an on-premises email but it had been hit by ransomware. As they moved to Office 365, as they were making the change, they knew that it was a critical capability that they wanted to have in their environment (to be able to recover from any ransomware attack), whether that was on-premises (which they have already suffered) or in Office 365, the same types events can still happen and they recognize that.
One of the things that I talk with prospects and customers about as well, especially for having a discussion about whether backups are necessary or not, is for them to think through who is responsible for backup and recovery when you had Exchange on-premises or SharePoint on-premises and how that’s changed overtime. So, if you are running Exchange on-premises or SharePoint on-premises, typically your IT department was responsible for the full stack of that application for network and hardware through OS and application, all the way up through the data and the users, right? Your organization was in control of all these different layers in that application stack.
Again, typically it’s an IT organization. You may have a particular person in that organization that’s responsible for backup and recovery. But when you move to Office 365 or any other SaaS application, what happens is that IT is no longer truly responsible for running that application, right? Microsoft is. Microsoft takes care of the network and hardware, virtualization, operating system, and even the application, right? They serve Office 365 services to your organization. And what’s in that blue box over there (see image below) is really under their control; how they choose to run it, replicate it, and put in infrastructure protections is really up to Microsoft. And so, as you move, what you’re still responsible for is managing the application, right? Configuring it to do what you want it to do in your organization.
The data that you put in there is still under your control and under your responsibility. And then, of course, the users and the user access. Those are the three things that are still the organization’s responsibility when you use Microsoft Office 365. And what we’ve seen is when somebody (an organization) moves from on-premises to Office 365, sometimes backup recovery kind of gets lost in the shuffle. On premises, very clearly it was the IT organization responsible for making sure that Exchange and SharePoint were up and running all the time, that they were redundant, that they had disaster recovery plans in place. And if somebody lost data due to human error, malicious behavior, misconfigurations, or row integrations, that same team would help recover that data.
But when you move to Office 365, typically that IT organization is less involved. There’s no hardware for them to manage. There’s no database snapshots to take. There’s no drive level of duplication to manage. Microsoft is doing all that now. So, I encourage you to talk with your IT constituents in your organization. From the application and end user computing team, to the IT and backup teams (if those exist), and ask this question: Who is protecting your data in Office 365? One thing that we often say is “It’s your data, it’s your job.” We’ve spoken with a number of industry analysts and the vendors themselves over the past six years and they agree.
Microsoft says that it’s part of their SLA. “With Office 365, it’s your data. You own it. You control it.” Which means that if you make changes or request changes to be made, Microsoft will accept those changes and carry out whatever you tell them to do with your data. Analysts also agree, there was a recent report by Forrester, I think it was actually end of last year, where they cover this topic at length, both for Microsoft Office 365 and other SaaS applications as well. And the main takeaway from the report, you’ve got a quote here which is, “Every SaaS provider explicitly calls out that clients are responsible for protecting their own data.” And they recommend, “you must plan data protection for every new SaaS service to which you subscribe.”
So, his recommendation is look at what protections are there. See what the SaaS provider is doing, see how they enable you to correct your own mistakes; if they do, or if they don’t. Gartner also has a report available called “Adopt Microsoft Office 365 Backup for Damage Control and Fast Recovery After Malicious Attacks.” Their recommendation is very similar. They recommend “…investment in a third-party backup tool for OneDrive for Business and SharePoint Online to provide more-secure protection against insider threats and offer consistent recovery points for easier, faster and more flexible recovery options.” All right. So, I’ll hand it over to Andy. He’ll cover a few of the native protections that are currently available in Office 365.
Andy: Thanks, Mat. Office 365 has quite a few different built-in recovery features and these are basic protections to allow users, if they make minor mistakes, to get that data back. Within the different applications throughout Office 365, there’s different types of recovery mechanisms. For example, exchange has two: a primary and a secondary recycling bin folder. So effectively, what happens is items go directly to the deleted items folder, that can be purged at any time by an end-user and then it goes into a secondary recoverable items folder, which can be purged anytime.
We actually had a customer who is recently trialing Spanning and thankfully they were actually trialing. There were 20 years of emails that were deleted accidentally and, thankfully, they were being backed up at that time.
Within SharePoint, it’s a similar, primary, and secondary stage recycling bin. They allow SharePoint admins to go in and recover certain files that have been deleted. They also, within SharePoint and OneDrive, have similar mechanisms which are filed by file recoveries based on versions. So, for example, if you have an item that you made a mistake on, a file that you overwrote something on, you can go back and individually restore those back to a previous version, at a previous point in time.
Again, that is file by file, individual files at a time, so it is a lot more difficult when you’re talking about say 100 files that were corrupted somehow or encrypted through, say, ransomware. OneDrive recently rolled out a new restore feature, so what this does is it allows you to go back to a certain point in time and roll back that data. Now, it doesn’t add any additional functionality, meaning if your data is deleted, it is not able to be restored. It’s also an all or none restore feature, so that means that it’s going to overwrite all changes that had been made since the time that you were corrupted and when you roll it back. So, it can be helpful but there are significant limitations to it.
And again, lastly with users, they allow deleted users to be recoverable for up to 30 days by admin. Now, again, we had a situation recently where a customer deleted a user and then manually purged it. You can personally purge it sooner than that that period of time which they did. Again, thankfully they were backing that user up and hence we were able to quickly restore that data. We often also get the question about archive and eDiscovery. The question of, “Can’t I do that? Can’t I put every user on hold for all time, every user, every item?” And the answer is that they are very different use cases. Archive and eDiscovery is built around a legal use case. This is something that these tools are specifically designed for lawyers, by lawyers, in order to be able to get that data back in typically targeted investigations.
It’s very different from backup recovery which is specifically designed to have a copy of that data, a snapshot of that data where you can restore some or all that back to a previous point in time. Again, it’s the key difference is recoverability. And so, again, eDiscovery is more intended for those types of investigations. eDiscovery solution is typically unlimited as far as their coverage goes and what they actually will allow you to put a hold on. It’s oftentimes only email and chat within the file versions. It typically doesn’t include your previous versions. We had a question actually at Ignite, the customer asked if they could just put everything on hold forever. And he said, “No, it is not intended to scale like that. That is not a replacement for backup.”
And so, backup comes in, it’s the point-in-time snapshot of all that critical data. Going back to it, recoverability. Archive and eDiscovery does not easily allow the restoring of data. It’s intended to be able to export that data out, get it out for lawyers to review, where backup and recovery allows quick recovery, so RTO, the recovery time objective. How quick can you actually get that data back in place? And that’s where if you can have something like an end-user restore, that can significantly speed up the time for that data to get back in place into Office 365. And lastly, access is typically controlled to a very limited set of users and these are often times legal users.
Lawyers, compliance teams — we recently had a customer where they had been using eDiscovery for and doing that trying to put everything on hold for all time. And their legal team said, “No, I’m sorry. We can’t do that. This is a system, a solution that we need specifically for legal purposes.” And so that’s where backup and recovery come in. Again, it’s built for administrators or help desks, as well as allowing end-users to go in and restore their own data.
So, what about Microsoft SLA? Mat brought up a great point about it in the Gartner reports where Guy Creese talks about the fact that the Microsoft SLA has no provision in there to restore the data. So, they have no guarantees that they can ever get your data back.
They talk about ransomware in some of their content and they recommend that you have a backup of your files. They say they can’t guarantee that they’ll be able to recover your data. Also, specifically within their service level agreement, there are major limitations there. These are limitations like unauthorized actions. So, for example, if a contractor gets into your system and has higher privileges than they should have and delete something, that data is likely unrecoverable. There’s also the failure to follow appropriate security practices. So, for example, if I leave my laptop in a library unlocked and I’m an admin and somebody comes in and deletes everything, again, they don’t protect against it. To Mat’s point, what he said earlier, a delete request is a delete request. It doesn’t matter who is doing that. If it’s coming from that system, they can’t distinguish that and they are required to delete that data. I’ll hand it back to Mat.
Mat: Now I’ll go through a few reasons why it is important to your organization to ensure you have data protection in place. First and foremost, and I continue to hear more about this from our customers and our prospects, is that they need to show and prove they have compliant business continuity. Backup recovery is a pillar of, or has been a staple of, IT best practices and compliance frameworks, for a long time. Fundamentally, you’ll have organizations or auditors come in and look at your IT practices, look at what you’re doing for backup and recovery, high availability, scalability to ensure that they don’t believe that there’s a high probability that your business will be impacted by certain actions that could happen in your environment.
Those compliance controls — the auditors that come in and look at your compliance controls and your processes — those don’t really fundamentally change when you move your data to Office 365. The auditors are still going to hold you accountable to prove to them that you can recover data if it’s lost, whether if it’s on-premises, in an Office Exchange environment on-premises, or whether it’s an Office 365. And so, I pulled one of those controls here for us to look at. This comes from the COBIT 5 framework; the way that they measure organizations’ ability to prove business continuity controls. This particular control, which is in DSS04, says that an organization is measured by successful and timely restoration from backup and acceptance by the enterprise.
When you move to Office 365, have you gone through the process to prove to yourself that you can recover data in case of a data disaster? If you haven’t gone through that, obviously I highly encourage you to do so. You may be asked by your internal/external auditor to prove that at some point. And then second, is the time frame in which you can get data back in line with what your business accepts? Is it in line with the controls and the governance that’s in your environment today? How does it compare to how fast you can get data back when you were running on premises shared corner exchange? Has that changed at all? So, take a look at those. Again, we’ve seen a lot more of our customers being asked from their internal and external auditors to prove that they can get data back in their SaaS environments.
To wrap up some of the discussions we’ve had so far, the reasons that it’s valuable for your organization to consider backup and recovery for Microsoft Office 365 and other SaaS services that you use, it really helps close that protection gap. Andy talked a lot about the native features that are there, and there are good controls there to ensure that data doesn’t get lost by Microsoft. And also, if you lose data, there are some controls there — recycling bins and other aspects — that can help you get data back. But a full backup and recovery will really help you prepare for data loss, things that are not covered by your SaaS provider. It will also help you reduce the cost of recovery while making sure than when data loss does occur, you can get data back as fast as possible, in the most correct form as possible.
You’re not having to engage with multiple layers of your IT organization. You can potentially need a legal organization if you didn’t have SaaS backup. Think through that entire process; the data loss event occurring, who in your organization would you have to contact and call? Who they would have to call? Do you need to engage with a legal team or not once you have the data? How do you get it back in to Office 365 and verify that it’s the right data — verify that it’s been shared with or it’s consumable by the people who had access to it before? It’s likely a very long and costly process as opposed to having protection in place directly, where you can just hit a few clicks, be able to find the data that you lost and put it directly back.
Lastly, as I just discussed, the value of your organization is also being able to meet your compliance obligations. You don’t ever want to be in the situation where you’re not sure how well you can perform when asked to recover data back to Office 365 by an internal or external auditor. Our goal today is to help educate and help you start thinking through the different processes that you have related to data, protection for your SaaS data, helping move from potentially fear of data loss or at least unknown processes related to it to a plan to recover — and be confident that you have processes in place, or tools in place, to ensure that you can get data back when it’s lost in Office 365.
When looking at a solution for Office 365 backup and recovery, there’s a few things that I would encourage you to look at.
Total protection: make sure that the solution can protect all of your critical data across your SaaS application. Make sure that it can recover data very, very quickly and correctly. We highly encourage you to also consider whether you want to allow end-users in your organization to find and recover data. The fastest way to get data back for an individual is to let them find it and restore it themselves; it reduces the costs and time it takes to contact support, contact the administrator, and go through that whole process of finding and recovering the data.
And lastly, definitely look at the potential solutions, security profile; what do they do to ensure your data in the backups is highly protected, highly scalable, highly available? Does it comply and conform with all of the industry standards such as SOC 2 Type II, and HIPAA? Are they using controls like OAuth2 for the communications with Microsoft Office 365 instead of just administrative accounts that could be compromised? Look at all those things.
From an operational standpoint, look at how the solution is deployed and managed. A cloud-to-cloud service which is available in the market today, such as Spanning, installs in just a few minutes. There’s no hardware or software require. It’s easy to manage, easy to monitor. They can scale up and scale down with your organization, so if you’re a growing organization, you can add protection for individuals as they come in to your organization. If you divest or if you have reduction in your work force, you can also scale down. Look for, potentially, a way to control your cost and understand what they will be over time with the simple per user, per year subscription options that are out in the market, such as Spanning, that will help you understand the costs and have aligned with the pricing and packaging we already have from Microsoft around Office 365. If you understand how much it’s going to cost per user, per year for all those services in Office 365, that makes your planning much easier and predictable.
Also, look for solutions that have unlimited storage and unlimited retention. That removes all of the headache and hassle, and planning related to acquiring storage to gather all the backup data and Spanning it overtime or procuring new storage overtime. That should all be included and it shouldn’t be a worry for you. All right, I’ll hand it back over to Andy to talk a little bit about Spanning backup for Office 365.
Andy: Thanks, Mat. Spanning Backup for Office 365, we say this is enterprise grade protection for SharePoint, Mail, OneDrive for Business, and Calendars. What do we mean by enterprise grade protection? That really goes back to the last slide where we talked about things like enterprise level security. So, having OAuth2 versus storing service accounts with local credentials that can be compromised. It means cloud-to-cloud. It means something that is automated, that’s very robust and fault tolerant that is going to be able to run in the background, making sure that your data is always protected. And it really aligns with all three of those tenants that we talked about earlier: protect, recover, and comply.
Obviously, in order to be able to recover your data, you absolutely have to have proactive protection. When something is deleted and it is not backed up, there’s no way to get that back. And so that’s where, again, having that protection upfront, ensuring that you’re doing it is critical. The recovery aspect is important and we’ll talk a little bit about this when we go into the demo. The end-user recovery is something we’ve seen a larger uptake with, with our customers especially, rolling it out to their end users. The reason for that is because the recovery time, the ability to get that data back, is significantly faster when an end-user can go in there and actually find their data specifically as opposed to trying to explain where something is and look around with some kind of an IT help desk (or support team) or requiring them to sit with that user. So, that’s absolutely something that we’ve seen a huge benefit for our customers with.
And lastly, what backup does is it helps you to comply with regulatory and legal frameworks. It is becoming more and more important and/or we’re seeing more and more controls around requiring backup and proactive protection in order to comply with that.
Now, we’ll take a look at the product, and we’ll actually go into our customer’s Outlook — it’s just a tile within their Outlook app launcher. So, again, it’s a standalone application that is going to an admin who has the view where they’re able to see all of their users and all of their different backups. We talked about our backups in really two different frameworks. There’s your account level backups which are Mail, Calendar and OneDrive. These are owned typically by users. Each one has a backup as well as SharePoint. SharePoint is a tenant-wide, tenant-owned content. And so, again, both of these are daily automated backups. There’s also on-demand backups as well. And within SharePoint, we backup files — document libraries within team sites as well as group sites and Microsoft teams. We go through and we auto-discover that content.
Microsoft describes this as folksonomy, where users are creating new groups or creating new teams organically. And what that means is there’s a lot of data sprawl out there. Thankfully, that the files of content, the document libraries, for groups, for Microsoft teams are all stored within SharePoint under the covers. We go through and auto discover that and allow that content to be restored in point-in-time frameworks. Just for the sake of time, what we’ll do, we’ll look quickly at a user and their backups. What you see here is a user interface, it looks very similar to a mailbox. This what an end user would see, very similar to an admin.
I’m an admin going into Carol’s account here. And I see the folder structure as well as all of the different users. This is point-in-time framework — I can go back two days ago, I can go back two weeks ago, two years ago, if I have that. There’s unlimited versions, unlimited storage within Spanning. This has been official for, especially, when something gets messed up severely where data gets dragged and dropped into the wrong folder. This allows users and admins to go and find that data however they need to. They can search across backups, they can dig in to different folders and find those backups to restore. Or they can restore entire folders, things of that nature.
When restoring, we’ll actually take a look at OneDrive. This is where the point-in-time framework comes in and is a little bit more important because of the fluid nature of OneDrive. There’s obviously quite a few edits there happening within OneDrive. If I get something like ransomware or if I get massive corruption or massive deletes, I can go back to any point in time. I see the folder structure exactly as it was at that point in time. I can navigate through the different folders and see what that folder structure looks like. Again, it looks very similar to the user interface, the web interface for SharePoint and OneDrive. It’s something we design that way so that when an end user comes in, there’s no trying to acquire whatsoever. They can come in and easily find this data.
Again, either restore entire document libraries, entire folders, or you can view previous versions. And say we wanted to restore this previous version. As an admin, I have the ability to restore directly back to that same user or I can restore to any other user within the tenant. And where that’s really helpful, that is something that if you have an employee who’s leaving, we can restore some or all of the user’s data into say a manager’s account or their replacement’s account where they actually have easy access to that data. We see that that is a huge, very often used feature within Spanning by customers.
An admin is the only one who has this capability. End-users don’t have that capability to actually conduct those. And everything is tracked within the auto logs, so me viewing this data is tracked — any kind of restores, exports, any changes are tracked in and viewed. I’ll hand it over to Mat at this point.
Mat: Thanks, Andy. If you were interested in learning more about Spanning and our products, you can go to spanning.com/resources. There’s quite a few demonstration videos that walk through a number of use cases. We also have the Forrester report that I referred to earlier, the entire report is there if you’d like to go read through that. With that I’ll hand it back over to you, Bob, to field any questions there may be.
Bob: Okay, great. Thank you very much, Mat. And thanks, Andy, for that great presentation and demonstration. Looking at the questions here, we do have a few questions, so I’ll just start with the order that they came in and throw them over to you. The first question is, “We are in Europe, is there an EU data center option?”
Andy: This is Andy. Yes, we actually have data center options in the United States, Ireland, and in Australia.. A customer is able to choose their own data center to satisfy any kind of data sovereignty requirements, and any local regulations.
Bob: Okay, great. The next one is, “How is Spanning backup priced?”
Mat: I’ll take that. Spanning Backup is priced per user, per year, and that does include unlimited storage, unlimited data versions. The list price is $48 per user, per year, or $4 per user a month. We do offer discounts for EDU and non-profits and, of course, volume and multi-year discounts also.
Bob: Okay, great. Last one is, “How many customers do you have?”
Mat: We’re approaching 9,000 or so worldwide. Spanning has been protecting SaaS data since 2011, across our product suite of G Suite, Salesforce and Microsoft Office 365. We’ve got customers all over the world.
Bob: Well, thank you very much and that is all the time that we have today. On behalf of the audience, I want to thank Mat and Andy, and Spanning for sponsoring this session. Please review your email confirmation for the link to the next conference presentation and you may now disconnect. Thank you very much.