“Most companies have now realized that a significant part of their value comes from their data. Their protection must be guaranteed wherever they are stored – in the company’s Data Centre or in the cloud. When it comes to Microsoft 365, it is crucial to think about securing the content of the messaging app, and the data created through SharePoint and OneDrive. One must also not forget that Teams could very well contain crucial data,” explains the expert. He underlines the fact that more and more companies are now exchanging critical documents via emails or collaboration tools, turning them into key elements that absolutely need to be protected and kept under control.
Managing responsibilities and rights
Therefore, companies and their employees must be aware of everyone’s responsibilities when it comes to data and their use. Several shared responsibility models have been developed by major SaaS players over the past years.
“In most cases, SaaS service providers are responsible for the availability of their service, yet the responsibility of data management and user access stays within the frame of the client,” highlights Nicolas Kléber. As explained in the Microsoft documentation, the Redmond company mainly protects data to be able to restore it after facing an incident on its own infrastructures, and clearly indicates that it does not cover all the data protection needs of its clients. “As the Data Owner, the client remains responsible for the security of its data. Being responsible does not only mean backing up data, but also making them available to the people who need it and can actually access it. Therefore, managing rights is key, as well as the classification of data and its lifecycle,” highlights the expert.
Migrating to the cloud does not take the data responsibility away from companies: it remains their job to ensure the security of data. As explained by the expert, “integrated point in time recovery” does not necessarily cover all scenarios. “Therefore, in order to ensure the highest level of security and compliance, companies and IT managers should make sure that their backup solution is external to Microsoft 365 and Azure. This way, they can mitigate risk of data lost, even if the hypothesis of a disaster leading to the loss of the whole infrastructure and the housed data remains highly improbable within M365”, underlines Nicolas Kléber. Regulated entities are even more concerned, and abide by data protection laws: in Luxembourg, the CSSF (Commission de Surveillance du Secteur Financier) requests an external backup of the data stored in a public cloud, as it guarantees the ability of the regulated entity to maintain its activities and services if the cloud service provider were to face a crisis or to be used in an exit plan strategy if the service is stopped by the cloud provider. “In fact, re-building the activity and continuing to provide the services to customers would often simply be impossible with data not available anymore. If a clear exit plan is mandatory in many regulated sectors, it is just common sense for any type of business using XaaS services today.”, adds the Innovation Consultant.
Backing up data to allow business continuity
Multiple surveys conducted by leading firms such as IDC, Gartner, McAfee and others, have demonstrated the need for companies to backup Microsoft 365 data, but also that this need is highly underestimated by a majority of users. For instance, 70-80% of users actually do not save these pieces of information at all, thinking that Microsoft fulfills this specific obligation. “A bumpy and unexpected return to Earth happens too many times: when the user accidentally deletes his/her data or even the entire account, following an external cyberattack, a malware, or when a third-party tool is not optimally configured, etc.” adds Nicolas Kléber.
In the current digital environment, TBRS 365 is the first step to secure and master the company Microsoft 365 data. “This service allows the company and its employees to backup the following content: Exchange online, SharePoint online and OneDrive. The data shared and created via the application Teams are also protected if stored within SharePoint. This offer is customizable and can be adapted to the specific needs of every client,” says Mr. Kléber. Just like any other service proposed by EBRC, TBRS 365 offers a clear shared responsibility model. “As service provider, EBRC takes care of the continuous service delivery. If needed, your teams can be trained to use the platform and assisted in the definition of a robust backup policy,” first explains the Innovation Consultant, who continues. “As the data owner, the client has to define its own data retention policy and backup strategy directly linked to it. As the administrator of Microsoft 365, the client is also in charge of the daily operations such as validation of backup tasks and specific backup plans”. Moreover, if the availability of the messaging app is essential to the company’s operations, a specific and customized approach can be defined. The combination of the client’s Microsoft 365 resources, TBRS 365 and EBRC Hybrid Recovery for Exchange option will guarantee business continuity in case of major crisis. A similar service will be available in the months to come, securing SharePoint and OneDrive uses.
Key points and conclusion
With data being a key element of enterprise development and success, its lifecycle management has never been so important.
In most cases, when using SaaS solutions, the client remains the data owner and is still in charge of securing data.
It is key to backup these data outside of the cloud you use on a daily basis. The risk of seeing your Microsoft 365 data disappear is close to zero, but what if you were to enter a conflict with your current service provider? Make sure to read properly contractual documents.
It is also crucial to differentiate “backup” and “archives”, as archiving only consists in keeping one single copy of the data, with no “second external one” which could be used in case of deletion, corruption or malwares.
EBRC, thanks to its 20 years of experience on digital resilience and data life cycle management, is well placed to advise its clients in the adoption of data protection services. “We combine flexibility, security, and resilience to offer local Trusted data protection services hosted in multiple Tier IV Data Centres in Luxembourg. TBRS 365 is a new key element of this Portfolio” concludes Nicolas Kléber.