Microsoft Office 365 Data Safety: A Full Overview of the Shared Responsibility Model
Millions of companies use Microsoft Office 365 apps and services daily. These companies process and store large volumes of personal and business data in the cloud. With data stored in the cloud, Microsoft Office 365 users have a false sense of security, as they believe that their data is always safe and accessible. However, contrary to what many think, Microsoft’s shared responsibility model does not suggest any backup and recovery options in case of a data-loss event.
When it comes to users’ data, Microsoft uses the shared responsibility model to divide the responsibilities of ensuring the safety and security of Microsoft Office 365 data between users and Microsoft.
So, what exactly is Microsoft responsible for under its shared responsibility model and what is left up to the user?
Shared Responsibility Model: What Is It?
In the past, organizations managed their own IT infrastructures. That means that they were responsible for the security of the data center and the data within the data center. Companies like Microsoft Azure and Amazon AWS began offering a cloud-based platform for data storage. Organizations started moving their data to those cloud-based storage services. By doing that, they handed over some of the management responsibilities to the cloud service providers.
The shared responsibility model defines the division of responsibilities for the safety and security of data stored in the cloud between the cloud service provider and the user to ensure accountability for the data.
Microsoft’s Shared Responsibility Model: Microsoft’s role
The Microsoft Office 365 shared responsibility model states that Microsoft is responsible for the maintenance and smooth operation of the infrastructure and Microsoft Office 365 applications. These responsibilities include:
- User access control: Microsoft provides security services such as multifactor authentication and identity protection to guarantee that access is only allowed to users with the proper credentials.
- Physical server protection: Microsoft protects the user’s data in its data centers from natural disasters, temporary outages, hardware or software failures, and unauthorized physical access.
- System maintenance: Microsoft assures that the cloud-based applications are available and operate smoothly.
- Hosting infrastructure: This service includes the configuration, management, and securing of the compute and storage services.
- Data replication for redundancy: Microsoft ensures high availability with replication. If files are damaged, the primary workload is instantly failed over to the replica version without disruptions for the user.
None of these responsibilities cover the user’s data safety. Users should not confuse replication with data protection as replication cannot replace backups. Backups allow you to recover deleted Microsoft Office 365 files and offer multiple recovery points. With replication, on the other hand, an unintentional deletion is replicated across every copy.
Shared Responsibility Model: User’s role
Even though Microsoft implements some basic security features against cyber threats and ransomware attacks that can compromise employee or customer information, users are, by and large, responsible for the access, control, management and protection of the online data that rests within the Microsoft Office 365 infrastructure. Users are responsible for security at the data level against threats that can lead to severe financial costs, reputational damage, and operational disruptions. These threats include:
Accidental deletion: Although Microsoft Office 365 offers built-in features like Recycle Bin and Recoverable Items folder to enable users to retrieve deleted files, a short-term retention policy applies to this kind of files. This means that the user needs to recover the deleted files within the retention policy timeline of up to 30 days. Afterwards, the files are permanently lost and there’s no way to recover them through Microsoft. Users can avoid losing data through accidental deletions by using data protection software that supports Microsoft Office 365 and ensure that deleted files can be safely and quickly recovered.
Internal and external security threats: Cybersecurity experts divide security threats that target businesses’ data into two categories:
- External threats: Competitors and hackers use computer network attacks and social engineering to gain access to business data and deploy malicious malware. Microsoft Office 365 provides the fundamental security architecture to protect users from these attacks. However, hackers can gain access directly from employees, exposing the entire business’s data. Using a backup solution can prevent the impact of these attacks and ensure that businesses do not permanently lose critical information or suffer from ransomware attacks.
- Internal threats: Sometimes disgruntled or former employees may sabotage a business’s work by deliberately deleting data from different Microsoft Office 365 applications. The best line of defense any business should have is backup, to instantly recover the lost data and avoid disruptions to their operations.
Regulatory non-compliance: Laws require businesses to maintain data archives to adhere to regulations, present evidence for legal matters, and report consumer data use. Microsoft Office 365 offers limited ability to help businesses keep legal and regulatory requirements through the Litigation Hold feature. Microsoft Office 365 Litigation Hold feature excludes any retention policy or automatic deletion for a particular mailbox so that its content cannot be removed. However, the storage limit is 100 GB and this feature works only for available data (anything previously purged cannot be retrieved). Using third-party backup and recovery solutions can help businesses comply with legal or regulatory rules.
Retention policy gaps: Data management defines how a business should organize the use, storage, and protection of its data. A policy gap emerges when the data management plan fails to manage which data is retained and for how long. These gaps are often the result of:
- Overlooked data of former employees: Any account is automatically deleted by Microsoft after 90 days of inactivity. If this data is not backed up, you will not be able to recover it after the end of the retention period.
- Ineffective backup rules: Microsoft Office 365 does not provide users with a native backup strategy, which means that users must incorporate third-party backup and recovery solutions into their Microsoft Office 365 services. Even with a backup solution, appropriate recovery time objectives (RTO) and recovery point objectives (RPO) must be set beforehand.
- Migrations issues: Microsoft Office 365 can be used on-premises, cloud, and hybrid environments depending on the business’s requirements. Data migrations between these environments may cause data loss, even with established backup processes. Employing a third-party backup solution can keep your data accessible in any scenario.