Below is a lightly edited transcription of our recent webinar:
Microsoft 365 is an amazing suite of tools that helps businesses thrive every day. It’s important to know just how far this service goes, how you can extend it in common scenarios, and why Microsoft 365 backup is critical. Today we have a special pair of speakers representing the two newest acquisitions from our parent company, Dataprise. You’ll recognize our regular webinar host Kelly Culwell. Hi Kelly. With big news, he is taking on a larger role within Dataprise as the Senior Service Transition Manager.
Our guest is a new colleague, Greg Jones, the Senior Director of Cloud Services for Airnet. Greg has spent the last decade deploying cloud solutions for industries including automotive, education, financial services, healthcare, insurance, manufacturing, state and local government, technology, and software. He brings a lot of experience to the room. This is our first webinar collaboration between the two divisions.
If you’re not familiar with Global Data Vault, we’re a cloud-based BaaS and DRaaS provider and a Veeam Platinum Cloud and Service Provider. Airnet Group is an IT Professional Managed Services Provider and a Gold Microsoft Cloud Partner. Both are perfectly partnered with Dataprise, which provides strategic IT infrastructure and cybersecurity services to power your business. I encourage you to find more information about Dataprise at dataprise.com.
The Microsoft Office Myth
What is the Microsoft myth? We’ve all heard it. I hear it every day. It’s when a client says, “I don’t have to worry about it. It’s in the cloud.”
Well, Microsoft doesn’t back things up. You might want to argue that point and insist that because something is in the cloud, you don’t have to worry about it. That’s not exactly true, so today we are going to look at what Microsoft does and does not do and go through the shared responsibility model that Microsoft themselves actually produced.
Putting Microsoft 365 Backup to the Test
When people talk about protecting their data, a lot of times you don’t consider Microsoft 365 for that simple reason: it’s in the cloud. You think that an organization the size of Microsoft, with all of their offerings, would just automatically do that for you. But the truth is they don’t!
One concern companies have is “where’s my data stored?” With cloud instances from infrastructure as a service (IaaS) or software as a service (SaaS), you may have no idea where your applications are running. They’re in the cloud somewhere. They’re in some region of the United States or possibly the world, and you need to know where your backups are kept. Do you keep your backups in the same region as production data? Or do you have to keep them in a different region for some type of geographic separation?
Is it on this server? That server? Just where is it? Companies are challenged to find that info. There’s no real way to test any kind of protection that Microsoft does with Microsoft Office 365, because a test would just be restoring it and there’s no way to do that.
Another concern is retention and compliance requirements. How long is the data kept, and where is it kept? Those are pretty common concerns, so we’ve put together a few real-world scenarios here to address them.
Accidental deletion is common. Just the other day, I was sitting here thinking about something. I have multiple monitors and a wireless keyboard and mouse, and I just happened to move. My hand slid across the keyboard and hit a keystroke combination that sent an email. Now, this was just sending an email. It wasn’t anything bad, no big deal. But it shows how easy it is to accidentally hit a button and maybe delete something.
Maybe you have some emails, documents, or Teams messages in a certain folder that you delete by accident. There are lots of ways you can do it, and those are either a soft delete or a hard delete. That’s the difference between putting something into the recycle bin versus something you permanently delete. It’s gone forever.
Yeah, and you know, Kelly, we’ve gotten this phone call too many times, right? Somebody calls up and says, “Hey, we deleted this. We found out we lost this, could you restore it for us?” and, you know, if it’s been 30, 45 days it’s just not there, right? So it’s sort of disheartening when you get that call to have to say, you know what, I hope you can recreate it. So that’s a tough one.
Microsoft’s standard offering for retention of data is 14 or 30 days in the recycle bin. That’s all you get. It’s pretty challenging for businesses to rely on something that really isn’t designed to protect your data or protect it long-term. It’s only intended to be a recycle bin, something that catches your trash until it gets emptied. It’s not meant for any kind of permanent data control or retention.
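The 14- or 30-day window the speakers describe is a per-mailbox setting in Exchange Online, and it is worth checking rather than assuming. The following PowerShell is an editor-added example, not code from the webinar or from Dataprise: it reports mailboxes whose deleted-item retention is below the 30-day ceiling, raises them to it, and lists what is still recoverable for one user. It assumes the ExchangeOnlineManagement module; the account and mailbox names are placeholders, and the property names selected from Get-RecoverableItems are assumed from the current module output.

```powershell
# Editor-added example, not part of the webinar transcript.
# Requires the ExchangeOnlineManagement module and a role that can read and modify
# mailbox settings (for example Exchange Administrator). Account names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Find every mailbox whose Deleted Items retention is below the 30-day maximum.
#    Exchange Online defaults to 14 days; 30 days is the ceiling for the Recoverable Items folder.
$maxRetention = [TimeSpan]::FromDays(30)
$short = Get-Mailbox -ResultSize Unlimited |
    Where-Object { [TimeSpan]$_.RetainDeletedItemsFor -lt $maxRetention } |
    Select-Object UserPrincipalName, RetainDeletedItemsFor
$short | Format-Table -AutoSize

# 2. Raise those mailboxes to the 30-day ceiling. This is still only a recycle bin:
#    anything purged earlier, or older than 30 days, cannot be recovered from here.
foreach ($mbx in $short) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor 30.00:00:00
}

# 3. Show what is actually still recoverable for one user: soft-deleted items
#    modified within the last 30 days. (Property names assumed from the module's output.)
$since = (Get-Date).AddDays(-30)
Get-RecoverableItems -Identity user@contoso.example -FilterStartTime $since |
    Select-Object Subject, ItemClass, LastModifiedTime |
    Sort-Object LastModifiedTime -Descending |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 1 on its own first; step 2 changes tenant settings and should only be applied once the report has been reviewed. Items that have already aged out of the Recoverable Items folder will not appear in step 3, which is exactly the gap the speakers go on to describe.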
Retention Policy Gaps
Our next example is retention policy gaps. Greg has worked in a lot of different industries, and different organizations have different retention policies, right? So what is your experience with audit and retention policies in different organizations? Is it typically one year or three years?
It depends on the industry segment. Some of the healthcare and insurance organizations have seven-year retention requirements for some data, and some data is required for a lifetime. So you’ve got to go back, typically to your CPAs and your legal department, and ask, “what are the audit or retention requirements for data in the event of an audit?” Most of the folks in IT typically don’t know, so they pick a random date.
That’s another challenge, so knowing that Microsoft doesn’t protect your data, knowing that different companies are going to have these compliance requirements, how do you detect it? Well, you look at a product like Backup for Office 365, something that can retain and store that data long term. Forever, seven years, 10 years, one year, whatever works for you, but it is definitely a concern for organizations of all types.
Internal Security Threats
Everybody has internal security threats, and they can be any kind of thing from accidental deletions to malicious deletions to hacking or anything like that.
Example: “Oh no, we never blocked Bill from the network when he was fired.”
Maybe you had a sudden termination of an employee and somebody forgot to disable his or her Microsoft 365 account or forgot to disable them in Azure AD. That person can come back in and vindictively cause all kinds of havoc, delete things, change permissions, and whatnot. There’s no way to protect against that per se, but you are able to restore your data, get your configurations back, and get your permissions back in certain areas if you’re using a product that was designed for that.
Microsoft doesn’t know if a person is active or inactive as long as they have an ID or an account they’re able to access. It’s not Microsoft’s job, nor within their ability, to police that.
Deepanshu Kher was a consultant working for an IT consulting company in Carlsbad, California which was contracted to do an O365 migration. Apparently he wasn’t doing a very good job and they fired him but forgot to revoke his access, so at some point later he went in and deleted several thousand email accounts. He actually went to jail for two years because of it.
Deepanshu Kher was caught but what about the data he deleted? If it was over 30 days old, there would be no way to get it back. And if you needed some information as evidence and it’s from some time in the past, it’s going to be really difficult to get. Have you guys seen anything around internal security threats?
Kelly, we see that all the time. Especially in the smaller organizations, there’s this thing called ‘global admin,’ and so when they set up O365, they become the global admin and then they have staff turnover. So that original global admin is never backed out of the system. It’s very common for us to go in and find, you know, 12, 14, 15 global admins, and 70% of them are no longer with the company. Some may be gone four or five years, and that’s the whole idea. The phish is to get access to the credentials, the global admin credentials, the keys to the kingdom. So we see this all the time, unfortunately.
Yeah. You might think that if the hackers can get hold of global admin access, that it is okay, it’s just an email address. But if the person whose credentials they’ve stolen is a global admin, then the hacker using those rights can do a lot of damage.
Yes. We always encourage folks with global admins to use that global admin ID only for administrative reasons. If they’re going to create an email address, then they create that with a normal user ID. Don’t mix the two up!
Yeah. That’s a good practice! Keep those admin identities separate.
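The stale-global-admin problem Greg describes is easy to audit. The following PowerShell is an editor-added example, not code from the webinar or from Dataprise: it lists every member of the Global Administrator role, flags accounts that are disabled yet still hold the role, and flags accounts with no recent sign-in. It assumes the Microsoft.Graph PowerShell SDK; the 90-day staleness threshold is an assumption, SignInActivity requires the AuditLog.Read.All scope and an Entra ID P1/P2 licence, and the role listing covers permanently active members only (eligible PIM assignments do not appear here).

```powershell
# Editor-added example, not part of the webinar transcript.
# Requires the Microsoft.Graph PowerShell SDK. SignInActivity needs the AuditLog.Read.All
# scope and is only populated on tenants licensed for Entra ID P1 or P2.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

# Directory roles appear here only once activated; Global Administrator always is.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$staleAfter = (Get-Date).AddDays(-90)   # assumption: 90 days without a sign-in counts as stale

$report = foreach ($m in $members) {
    # Only user objects have the properties checked below; skip groups and service principals.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled, SignInActivity
    $lastSignIn = $u.SignInActivity.LastSignInDateTime

    # A disabled account that still holds the role is the "forgot to revoke" case;
    # an enabled account that never signs in is the departed-admin case.
    $flag = ''
    if (-not $u.AccountEnabled) {
        $flag = 'DISABLED but still Global Admin'
    } elseif (-not $lastSignIn -or $lastSignIn -lt $staleAfter) {
        $flag = 'STALE: no sign-in within threshold'
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        LastSignIn        = $lastSignIn
        Flag              = $flag
    }
}

$report | Sort-Object Flag -Descending | Format-Table -AutoSize
"Global Administrators: $($report.Count); flagged: $(($report | Where-Object Flag).Count)"

# After confirming an account has left, remove it from the role (destructive; placeholder id):
# Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId '<user-object-id>'
```

Anything flagged deserves a second look before the removal line is run: a break-glass account is expected to show no sign-ins, so the report is a starting point for review, not an automatic clean-up.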
External Security Threats
An example would be an email purporting to be from your bank. It may say something like:
“Your account is overdrawn and a check for $150 was rejected. There will be a $150 fine unless you click on the link below to rectify the situation.”
It’s surprising how many people, even now that phishing is better known, would still click on that link.
We see that a lot, right, Greg?
Yes! It’s from the bank so we must do what it says.
There’s phishing and there’s spear phishing. Phishing is more of a mass tactic–create emails with clickworthy titles and text and let’s see who falls for it. Spear phishing is even more sinister. It’s targeted such that the perpetrators already have some information about their targets, allowing them to make the bait much more tailored to you using information specific to your bank, or to activities that they watched you do on the internet. Yes, they can watch you do things on the internet. That’s why it’s a good idea to be careful about what you do on the internet.
If they get malware in through your email, they can go in and delete all kinds of things and wreak havoc in your organization. If they start deleting stuff that’s older than 30 days, and the only backup is the O365 recycle bin, you’re not going to be able to get that back, and there’s nothing Microsoft can do about it. As it says in their contract, they don’t have to do anything about it.
Legal and Compliance Requirements
Our fifth tip on working with Microsoft 365 backup involves the scary words legal and compliance requirements. Jennifer left and stole intellectual property, and took it with her. We need her emails to send to legal. What are your experiences with this type of thing?
Well, it happens more than people would like to admit. It doesn’t tend to make front-page news for sure, but it is a real problem. If you are a business owner and your patents or patents-in-development go out the door, you’ve potentially lost your business.
So it does happen. A lot of organizations have not considered this as a possibility and so they have not prepared for it, and even if they have, they are not communicating that concern down to the levels necessary to ensure there is proper backup in place. So we do see this more often than we would like.
And e-discovery, is it generally easy? From a user standpoint, would it be easy to search through an entire organization’s mailboxes for specific messages?
No, there are some tools that make that a little bit more efficient, but the average user is not going to have a clue how to do that.
Suppose you have an ongoing legal issue and you need to find any emails which contain specific words about the case. You don’t know to whom the emails were sent, or on what dates. You only know which specific words were used. E-discovery lets you search through backups, Outlook, Teams, SharePoint, and all areas within Microsoft O365 to find everywhere those words appear. Let’s say that in an organization’s mailbox, a hundred different emails across 50 different people have this word in them. You can find them all and export them, send them off for legal use or whatever else you need them for.
The other thing is that you can put legal holds on mailboxes. You can specify retention periods and things like that for certain items. It depends on what industry you’re in and what your organizational needs are.
Legal is legal, so that could affect anybody, but different types of intellectual property can get really specific and you really do want to be able to protect that type of information.
As far as compliance goes, there are a lot of regulations out there today that people aren’t even aware of. If they don’t have a tool to help them come into compliance, or to discover what’s out there once they get into a legal situation, it’s a troubling phone call to have to make, for sure.
More than once we’ve seen situations like this around HR. Perhaps an employee who left under unfavorable conditions had made a lot of statements and sent out a lot of emails. The organization has got to find all that. And if they don’t have any tools, there’s a high probability we’re not going to find a lot of it.
Yeah, that’s a good example. I’ve seen one in which legal needed a shared mailbox from HR. Rather than having to give them access to the mail infrastructure and taking that offline while they did whatever, the company was able to export the entire shared mailbox and send it off to the legal team. That was pretty handy.
Our sixth point relates to managing hybrid email deployments and migrations to Office 365. An example here is migrating company data to O365. Data loss during the migration may be a concern.
A large organization may take a phased approach to moving into the cloud. Maybe they decide to move the finance and accounting departments first, and then there’s HR, the sales department, and the legal department to move, but you also have some type of an on-premises Exchange environment. Companies worry about how they’re able to protect that data in a hybrid environment. It can be tricky. You want to keep an old copy and then start protecting the new all at the same time. How have you seen that work?
Yeah, we get migration requests a lot, right? There are mergers going on, and acquisitions going on. They buy a group down in another state. Now, all of a sudden, they’ve got to pull that company data under the one corporate umbrella. That’s a very common request.
Yeah, we just went through one of those ourselves. One of the concerns we had was what would happen to our old data? Theoretically, nothing should happen to it because you’re only changing the naming structure, but you never really know. So it’s always a good idea to have a backup, to have your data protected. We definitely made sure we did that. Standard IT practice is whenever you’re changing things, before you do, make sure you have a good backup.
You’ve got to define good backup because some people think backup is backup.
If you’ve ever watched any of our other cybersecurity and data protection webinars, you’ll know that that’s not the case.
Teams Data Structure
Some organizations don’t use Teams at all. Some use it only for chat. Then some use it for its integration with SharePoint and the ability to add and remove people to channels and teams and to communicate and collaborate. You know, collaboration’s the big thing.
I’ve seen organizations that basically don’t have file shares or anything like that. Instead, they do it all in Teams. Access to documents and structures depend on which teams and channels one has access to.
But let’s suppose inappropriate material was sent to all members of a project through Teams and HR needs a copy of the deleted transcript. If somebody deletes the channel and deletes documents out of there you’re not going to be able to get that back. Right? There’s no way to go in and recover a deleted Teams chat.
No. And what we find Kelly, is that most companies don’t realize that they lose that data when that happens. They operate in a false sense of security, assuming everything is backed up when it is not. I’m glad you pointed that out.
Yes, it goes back to the sentiment of if “it is in the cloud, I don’t have to worry about it.” Well, yes you do, and in instances like this, it’s neither a Microsoft protection nor an organization protection issue. It’s more of an insider threat, somebody going in and deleting things. How do you recover from that? How do you respond to that?
The other thing might be if you give your clients access to some of the Teams, some of the same data that you’re all working with together, and perhaps they delete it purposely or accidentally. How do you get that back? Because you really can’t control what a client does on their end. You can only control the data that’s in your purview, right?
The other interesting thing about backing up Teams with Backup for Office 365, is that you can back up the settings, configurations, memberships, things like that. So again, if somebody goes in and wipes out a whole bunch of Teams and public channels, it might be pretty cumbersome to figure out who was in what and which channels, documents or directories people had access to. Being able to restore that quickly is highly beneficial. Greg, do you have any other examples about the data structure in teams?
Well, we have a few horror stories, like you just described. It’s very common to have multiple companies working in a single thread through Teams. Then something happens! Something gets deleted, and a lot of times they operate not realizing it’s deleted, until somebody says, “hey, what about this” and then they start looking for it and it’s too late, you know?
No, nobody’s putting the thought process in the front end of this, and you described that well. Thank you for putting the link out there because they definitely need to do the homework on Teams.
These seven real-world scenarios about things that can happen with Microsoft 365 make for a short topic. There are only so many times we can tell you that Microsoft doesn’t protect your data. But we will put out the link and some information about the shared responsibility model. Basically, Microsoft is only responsible for the infrastructure, the physical security, and the availability of the underlying components that provide Office 365, which is software as a service, and it has nothing to do with the data.
They specifically say that the actual security of your data, the protection of your data, and the recoverability of your data is your responsibility.
Did Microsoft hide it? Nope! They just didn’t back it up. Like I said, they offer geo-redundancy and no more than 30 days of recycle bin protection. Microsoft 365 backup should not be an afterthought in an organization’s data protection strategy. It should be something that is integral to your business. It should be something that you consider starting immediately. All it takes is one big ‘oops’, or one big problem, to really change people’s minds. Unfortunately, in my experience, that’s what it’s taken for some people to realize what Microsoft does and doesn’t protect.
That’s a good point. You’re right. There is an “it’s in the cloud, it must be protected” mentality. Only, it’s not true. The cloud is protected because Microsoft owns and protects the cloud. But your data is your responsibility. People should take time to read that shared responsibility paper link. It will open their eyes to realize that Microsoft accepts no responsibility for their data, except for what’s in the 14 or 30 day recycle bin. So that’s scary to a lot of people. Frankly, we find most people didn’t have a clue that was the case until it was too late.
Questions About Microsoft 365 Backup
What can I restore? Can I restore entire mailboxes? What about individual emails?
Yes. You can get very granular. When we see restores, it’s typically an email, but you can do emails, entire mailboxes, calendar items, contacts, SharePoint sites, SharePoint files, Teams. We mentioned all the things that you can do in Teams. Any kind of OneDrive for Business files. It’s pretty extensive, but it’s very granular.
If my data isn’t stored in Azure, where is it? Or is it stored?
Good question. I think that’s the question of the hour.
If you’re protecting your Microsoft O365 data with us, it’s stored in a Dataprise cloud. It is outside of Azure. It is a private cloud that we own and if you wanted to know the data center that it’s at, at any given time, we can tell you that as well. It’s a little different from Microsoft’s answer. But that is the question of the hour. Where is it?
If somebody’s thinking about a DIY approach, what are the benefits of using a third party to back it up?
About the third party, you’ve got to understand what the offer is, right? It’s like the ‘it’s in the cloud, it must be protected’ sentiment. The third party may say they back it up, so the business owner thinks his data is getting backed up and must be protected. But read the fine print. There are a lot of shallow offerings out there that are very specific to certain things and only certain functionality. So Kelly, why don’t you explain the Dataprise offering?
We talk about the 3-2-1 rule: three copies of your data, two different types of media, one offsite copy, and we consider in this instance Microsoft/Azure to be on-premises, or to be the main copy. We know it’s cloud, but I’m just using it for the example. If you have three copies of that data, you’re going to have one on-premises, one in Azure, one in the cloud, maybe another backup somewhere, and then the offsite would be outside of Azure, outside of Microsoft. We still have to have something outside of your primary data location to protect against site failures, data failures, and complete data loss, and here we go back to the ‘it’s in the cloud.’ And wait, didn’t you just say that Microsoft protects against all those types of failures? Yes, they do. But have you ever seen AWS’s DNS go down and one-third of the country lose access to Netflix?
Or there’s an Azure issue and half the country’s OneDrive breaks. Those are real-life scenarios, and when you talk about businesses that run their entire existence in Microsoft O365, not having that data, or the threat of not having access to that data, is very real. And it’s a pretty scary thing.
We always talk about maintaining control of the data and getting the copy offsite, and that’s where the third-party solution comes in. Now, the other thing to consider is that it gives you some flexibility with your data to do other things. If you decide as an organization to move away from Azure, if you wanted to go back to on-premises Exchange, you know, anytime that you need to move and do something with that data, you need to have flexibility with it. And that’s something that a third-party tool can bring you as well.
One thing about the fine print, since you mentioned it, Greg, is that a lot of times certain organizations don’t tell you how much it costs to restore things, what all of the extra disk space for your backups will cost, or the utilization and bandwidth costs on top of this. So just be careful when you think that you are safe because you are using a third-party product.
I’m not throwing Microsoft under the bus, but as we’ve talked about them a bit, I’m going to say that when you use a product that Microsoft has in their Microsoft Store, you have to be careful because there may be hidden costs. Maybe the product you are using wasn’t expensive until you need to restore something, and then you get charged burst fees and download fees and all different things. That’s something to consider when you’re evaluating your protection strategies, for sure.
Can retention be adjusted based on users?
That’s sort of an open question because retention, like anything, is specific to the backup job and set by an organization. Most of the time, what we do is maintain the data until you delete it, or you tell us to delete it and that’s controlled at the Azure AD level. But now, if you disable somebody in Azure AD and you delete them, we will still maintain copies of that data until you tell us to delete them. We can’t say per user, you know, this person gets a year. That person gets three years, et cetera. It’s more structured at the organization level for that, but we can modify the users as they come and go without any kind of issue.
What does the onboarding process look like?
That is simple. Most of the work is handled on our back end. We configure the environment for the new O365 tenant, and when we meet with a customer to begin backing up their environment, all we ask them to do is to give us an impersonator account, which is basically a global admin account that we can connect into Azure to talk to the Microsoft 365 portion of it.
Then we start backing up the mailboxes, Teams, SharePoint sites, and OneDrive. We start pulling all that data in and protecting it, so it’s really very easy to do. The hardest part is generating the account and secret key, but it doesn’t take very long at all.