Everything in the world of backup was going just fine before the Cloud came along.
Server rooms used to look the same: Racks with servers slotted in. The beauty of this setup (from a backup point of view) was that you could see where your data sat and therefore, you knew everything about the security parameters in place – including backup.
Sure, you could still stuff things up with your backup process. Like the time when Toy Story 2 lost 90% of the film in a matter of seconds. Cool, just recover from backup? Well that backup had failed too. It would have taken a team of 30 months to build the film again however they had a get out of jail free card – one of the staff had been working from home, so they’d been taking full copies of the film home each day. Yep – that was how that movie was saved!
Anyhow – you get the picture. Backing up stuff you can see is relatively straight-forward. But what about when data goes off to the Cloud?
When the Cloud came out (which it really didn’t “come out”, it was always there. Remember Hotmail? Yep, that’s a cloud service. Think of it as anything delivered from another computer via the Internet) people left their on-premise equipment in droves.
The Cloud was meant to do a few things:
- Reduce the on-premise server footprint which was in turn meant to reduce the costs of your IT. Less equipment is less capital expenditure and less human resources to manage the remaining equipment
- Move your expenditure to an Operational Expense which could be smoothed out over the course of a year with convenient monthly payments
- Make things more secure because a Cloud provider had bigger scale than you ever could and could therefore invest more heavily in security services
- Give you greater flexibility because as you grow, you can leverage the Cloud provider’s infrastructure and only pay for what you use
Microsoft Office 365 is one of the most popular Software as a Service (SaaS) platforms in the world. It includes the all important email system – Microsoft Exchange – and the brilliant office suite: Word, Excel, Outlook and PowerPoint – and reduces the need for on-premise email systems.
But it doesn’t come with any of security features turn on.
- No spam filter
- No link protection
- No multi-factor authentication
- No backup
Yep, you read that last one right. The email service is NOT backed up!
As you can see from the above chart, the vast majority of data loss from cloud applications is associated with human error. Users deleting data (both in error and intentionally) makes up almost half of all data loss. Are you protecting against this?
Why is Office 365 backup not turned on?
Cloud SaaS providers never claimed to better protect your environment. SaaS providers only talk to you in terms of Service Availability – never Service Resilience.
Service Availability means they will keep the lights on for you to the best of their abilities. They will keep the server infrastructure and networks in working order (something you used to have to do with on-premise equipment) but what about Your Content and Data?
That’s your emails, word documents, excel spreadsheets and PowerPoint files. Who is responsible for that?
Well check out the Microsoft Services Agreement – the relevant section is extracted for you below.
Microsoft recommends you backup Office 365
Section 6. b.
- We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.
How many people out there don’t currently have Office 365 backed up? Would your business recover if you lost some or all of your emails? Emails are vital to business communication and many businesses would be lost without them.
And if you have Email backed up, what about SharePoint/OneDrive?
Base Office 365 Security Measures to turn on
The following is a non-exhaustive list of security measures that you can turn on. Some of them are free services from Microsoft; Some are paid-for services either from Microsoft or supplied from a third party.
- Multi-factor authentication (one-time code – Free option is available from Microsoft)
- Office 365 backup (O365 isn’t backed up by default! – many paid for options available)
- Email/Spam filtering (filter out all the obvious stuff first – free option available from Microsoft and many third party options available)
- Anti-phishing banner (a visible banner identifying external email – free however you need a professional to set it up)
- Link protection (links emailed to you are checked before you can access them – paid for option available from Microsoft)
Conclusion
Never assume that a cloud provider is fulfilling the same services that you used to fulfill yourself. Security is viewed differently depending on the appetite risk of the individual or company. What you might deem as “secure” will vary greatly from a Service Provider who is more intent on growing their user numbers than loading up on security features.
Outsourcing any of your IT services is not something that should be entered into lightly. You need to ask the right questions and be aware of the answers you’re looking for. Don’t take someone’s word on security either – have it tested. Backup and Disaster Recover are not the same things, so don’t assume that if a service is “Highly Available” that it means you aren’t susceptible to data loss.
The best approach to backup is, of course, to ask a professional.