Whose Job Is It Anyway? Microsoft, You & the Shared Responsibility Model

Many organizations have moved onto Office 365 and assumed that “Microsoft has got this.” No matter what SaaS-based platform you’re talking about, there will almost always be an expected shared responsibility to take care of and protect your data.

Microsoft Office 365, Exchange Online, SharePoint, and OneDrive are all fantastic solutions but end users universally don’t understand where Microsoft’s responsibility ends and where the organization’s responsibilities pick up. No one wants to lose their data or access to it so wouldn’t you want to add additional layers of protection when your data is at stake? This is where the Shared Responsibility Model comes into play. This is not something unique to Microsoft and O356, it’s a new reality of SaaS and cloud services today.

As more and more businesses are putting their services on SaaS platforms, it will fall upon IT departments to protect their data in new and different ways. For people who are waking up to the reality of shared responsibility, Veeam is a great option to help bridge that gap quickly and easily and provide you with the level of protection that you were used to receiving on-premises.

In fact, we just recently hosted a webinar in partnership with our friends at Veeam specifically on this topic that you can download: Veeam Backup for Microsoft Office 365 v4: Shared Responsibility…No Problem! If you have a more immediate need, schedule an appointment with one of our data protection architects and we can help get you started!

– Tim Ferris, Solutions Architect, GreenPages

The Office 365 Shared Responsibility Model

by Russ Kerscher, courtesy of Veeam’s blog.

The No. 1 question we get all the time: “Why do I need to back up my Office 365 Exchange Online, SharePoint Online and OneDrive for Business data?”

And it’s normally instantaneously followed up with a statement similar to this: “Microsoft takes care of it.”

Do they? Are you sure?

To add some clarity to this discussion, we’ve created an Office 365 Shared Responsibility Model. It’s designed to help you — and anyone close to this technology — understand exactly what Microsoft is responsible for and what responsibility falls on the business itself. After all — it is YOUR data!

Over the course of this post, you’ll see we’re going to populate out this Shared Responsibility Model. On the top half of the model, you will see Microsoft’s responsibility. This information was compiled based on information from the Microsoft Office 365 Trust Center, in case you would like to look for yourself.

On the bottom half, we will populate out the responsibility that falls on the business, or more specifically, the IT organization.

Now, let’s kick this off by talking specifically about each group’s primary responsibility. Microsoft’s primary responsibility is focused on THEIR global infrastructure and their commitment to millions of customers to keep this infrastructure up and running, consistently delivering uptime reliability of their cloud service and enabling the productivity of users across the globe.

An IT organization’s responsibility is to have complete access and control of their data — regardless of where it resides. This responsibility doesn’t magically disappear simply because the organization made a business decision to utilize a SaaS application.

Here, you can see the supporting technology designed to help each group meet that primary responsibility. Office 365 includes built-in data replication, which provides data center to-data center redundancy. This functionality is a necessity. If something goes wrong at one of Microsoft’s global data centers, they can fail over to their replication target, and, in most cases, the users are completely oblivious to any change.

But replication isn’t a backup. And furthermore, this replica isn’t even YOUR replica; it’s Microsoft’s. To further explain this point, take a minute and think about this hypothetical question:

What has you fully protected, a backup or a replica?

Some of you might be thinking a replica — because data that is continuously or near-continuously replicated to a second site can eliminate application downtime. But some of you also know there are issues with a replication-only data protection strategy. For example, deleted data or corrupt data is also replicated along with good data, which means your replicated data is now also deleted or corrupt.

To be fully protected, you need both a backup and a replica! This fundamental principle has been the bedrock of Veeam’s data protection strategy for over 10 years. Look no further than our flagship product, aptly named Veeam Backup & Replication.

Some of you are probably already thinking: “But what about the Office 365 recycle bin?” Yes, Microsoft has a few different recycle bin options, and they can help you with limited, short-term data loss recovery. But if you are truly in complete control of your data, then “limited” can’t check the box. To truly have complete access and control of your business-critical data, you need full data retention. This is short-term retention, long-term retention and the ability to fill any / all retention policy gaps. In addition, you need both granular recovery, bulk restore and point-in-time recovery options at your fingertips.

The next part of the Office 365 Shared Responsibility Model is security. You’ll see that this is strategically designed as a blended box, not separate boxes — because both Microsoft AND the IT organization are each responsible for security.

Microsoft protects Office 365 at the infrastructure level. This includes the physical security of their data centers and the authentication and identification within their cloud services, as well as the user and admin controls built into the Office 365 UI.

The IT organization is responsible for security at a data-level.  There’s a long list of internal and external data security risks, including accidental deletion, rogue admins abusing access and ransomware to name a few. Watch this five-minute video on how ransomware can take over Office 365. This alone will give you nightmares.

The final components are legal and compliance requirements. Microsoft makes it very clear in the Office 365 Trust Center that their role is of the data processor. This drives their focus on data privacy, and you can see on their site that they have a great list of industry certifications. Even though your data resides within Office 365, an IT organization’s role is still that of the data owner. And this responsibility comes with all types of external pressures from your industry, as well as compliance demands from your legal, compliance or HR peers.

In summary, now you should have a better understanding of exactly what Microsoft protects within Office 365 and WHY they protect what they do. Without a backup of Office 365, you have limited access and control of your own data. You can fall victim to retention policy gaps and data loss dangers. You also open yourself up to some serious internal and external security risks, as well as regulatory exposure. How often do these things happen? Of over 1,000 IT Pros surveyed, 80% experienced data loss in Office 365 – from simple user error to major data security threats. Did you know that 60% of sensitive cloud data is stored in Office documents, and 75% is NOT backed up?

All of this can be easily solved with a backup of your own data, stored in a place of your choosing, so that you can easily access and recover exactly what you want, when you want.