Microsoft’s Office 365 public cloud platform is an excellent productivity solution for modern businesses. It allows organizations to offload their IT commodity services, allowing their IT resources to focus on driving value-added, differentiating business solutions. There is, however, a misconception when it comes to the delineation of roles and responsibilities of who is ultimately accountable for data protection on this platform.
On Office 365, Data Protection is a Shared Responsibility
Office 365 operates on a Software as a Service (SaaS) model. Under this model, Microsoft is responsible for managing and maintaining the global infrastructure that hosts Office 365, and the subscriber is responsible for managing the configuration of the service and, most importantly, managing the data. This shared responsibility model means the subscriber, not Microsoft, is ultimately responsible for protecting the data.
If we break down this shared responsibility model even further into the supporting technology, security, and regulatory roles, the distinction becomes evident.
Microsoft’s responsibility when it comes to protecting data on Office 365 is to ensure the service is always available. Microsoft attains this high availability by replicating live data on its platform to multiple hosts located in various data centres across the world. This replication ensures the data is always available, but availability is not backup.
Microsoft provides services such as recycling bins and retention policies, but these are not a real backup solution as a subscriber is not able to restore an offline, independent copy of data to a specific point in time. A backup solution should give organizations the ability to recover any data, and Office 365 does not offer a comprehensive restore feature.
Security and Regulatory Policies
When it comes to securing data on Office 365, Microsoft is responsible for physical, logical, and application security, in addition to managing and maintaining user and admin controls. These data security measures do not, however, protect the subscriber’s Office 365 data from risks such as accidental deletion, security threats, and retention policy gaps.
Due to the one-size-fits-all model under which Office 365 operates, organizations hosting their data on this platform may not meet specific legal and regulatory compliance requirements relevant to their location or industry. Microsoft’s regulatory compliance obligations are limited to data privacy and industry data protection certifications. These obligations do not necessarily satisfy the specific regulations an organization must comply with for data retention.
Retention Policies Do Not Offer Complete Data Protection
Retention policies offered by Office 365 fall short when it comes to comprehensively protecting data. For example, the standard retention period for items in an individual's inbox is two years, after which it is archived.
This retention policy does not prevent accidental deletion, as the retention period for an item in the recycle bin is only 30 days; if data is deleted and the deletion is not detected within that period, losing that data is a real possibility. Furthermore, Office 365 administrators have the power to empty recycle bins at any time. Because an administrator can purge the data within that 30-day window, this ability increases the risk even further.
Office 365 retention policies are also complicated to set up, manage, and monitor. This complexity increases the risk of data loss through a misconfigured policy. Office 365’s auto-archiving feature, for example, is set to a single month: any item over a month old that is not in an Office 365 inbox is automatically archived.
Furthermore, Office 365 automatically deletes Junk Mail after 14 days, and if an employee leaves an organization, their mailbox is permanently deleted after 30 days. These multiple rules and complex policies make managing retention on Office 365 exceedingly complicated.
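As an added example (not part of the original article, and not Probax's or Veeam's tooling), the following PowerShell uses the Exchange Online management cmdlets to surface the retention settings this section describes, so an administrator can see how short the recoverable window actually is before it causes data loss. It assumes the ExchangeOnlineManagement module is installed and a session has been opened with Connect-ExchangeOnline; the 30-day threshold is an assumed value chosen to match the window discussed above.

```powershell
# Added example: audit Exchange Online deleted-item retention and holds.
# Assumes Connect-ExchangeOnline has already been run as an Exchange admin.

# Constructed threshold matching the 30-day recycle bin window discussed above
$MinimumDeletedItemDays = 30

# Deleted-item retention window and recovery/hold flags for every mailbox
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, UserPrincipalName, RetainDeletedItemsFor,
                  SingleItemRecoveryEnabled, LitigationHoldEnabled, RetentionPolicy

# Flag mailboxes whose recoverable window is shorter than the threshold,
# or where purged items cannot be recovered because single item recovery is off
$atRisk = $mailboxes | Where-Object {
    $_.RetainDeletedItemsFor.Days -lt $MinimumDeletedItemDays -or
    -not $_.SingleItemRecoveryEnabled
}

"Mailboxes with a deleted-item window under $MinimumDeletedItemDays days or without single item recovery:"
$atRisk | Format-Table DisplayName, RetainDeletedItemsFor, SingleItemRecoveryEnabled,
                       LitigationHoldEnabled -AutoSize

# Retention tags in force (archive or delete actions) with their age limits,
# sorted shortest first so the most aggressive rules appear at the top
"Retention tags and their actions:"
Get-RetentionPolicyTag |
    Select-Object Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled |
    Sort-Object AgeLimitForRetention |
    Format-Table -AutoSize
```

The report shows configured settings only; it does not change them, and it does not replace an independent, offline backup.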
The fact is, the data management and protection offered by Office 365 is limited, and organizations using this service need to put additional measures in place to protect their information.
Fill the Retention Policy Gap with Probax and Veeam
Probax offers Veeam Backup for Office 365 which provides the essential features organizations need to protect their data on Office 365. With Veeam, organizations can protect their data from accidental deletion, security threats, and retention policy gaps, and quickly restore individual Office 365 items. Furthermore, by utilizing Veeam’s Backup for Office 365 offering, organizations can rest assured their data is fully backed up and meets any legal or regulatory compliance requirements.
*** The information in the image above is based on Microsoft’s default MRM Policy and can be customised by the IT Admin. In some cases, however, the ability to extend these retention periods is limited to certain licenses or requires additional fees.