Office 365 Data Protection: Part 1 – Disaster Recovery and Retention Times

Spanning Backup for Office 365 is backup-as-a-service for Microsoft Office 365 Mail, Calendars, OneDrive and SharePoint Online Document Libraries (in Team Sites, Groups and Microsoft Teams). We automate the backups and restores that IT teams traditionally would have done on-premises for the on-premises version of these applications. But we do it securely, cloud-to-cloud — as a “born in the cloud” solution — we were purpose-built to protect Office 365 data.

What’s surprising is that when we go to a SharePoint Saturday or a conference like Microsoft Ignite, even experienced IT pros still ask, ”Wait, doesn’t Microsoft do this for us?” Since subscribers pay Microsoft a monthly per-user fee to host these critical collaboration applications, they may assume Microsoft is protecting this data — just as sysadmins and backup administrators did when the applications were hosted on-premises.

That assumption couldn’t be more wrong. Data protection in Office 365 is a shared responsibility, with Microsoft taking on the tasks that would have typically been done on-premises for disaster recovery. But your IT team is still ultimately responsible for data protection, and it’s up to the IT team to decide how to protect and recover any data that is lost by human error or even malicious attacks.

In this two-part blog series on Office 365 Data Protection, we’ll review what Microsoft has done to build in protection against data loss, and you can decide for yourself if these safeguards are really good enough.

Part 1: Disaster Recovery and Retention Times

How Microsoft protects your data
Microsoft has done excellent work in “SaaS-ifying” their applications. And just as with other SaaS providers, they do a great job with the data protection activities that typically fit within disaster recovery situations. For example, in a Microsoft article about backing up email in Exchange Online, they write:

“… Exchange Online uses the Exchange Server feature known as Database Availability Groups to replicate Exchange Online mailboxes to multiple databases in separate Microsoft datacenters. As a result, you can readily access up-to-date mailbox data in the event of a failure that affects one of the database copies. In addition to having multiple copies of each mailbox database, the different datacenters back up data for one another. If one fails, the affected data are transferred to another datacenter with limited service interruption and users experience seamless connectivity.”

Microsoft has architected a resilient environment to maintain their uptime SLA (99.9%), which also will protect your data. However, none of the snapshots created are available to administrators or end users for quickly and easily restoring lost data. If users accidentally delete data from their mailboxes (according to a recent Global SaaS Data Protection survey, user error is the leading cause of SaaS data loss), Microsoft provides manual recovery from the Deleted Items folder and Single Item Recovery from the Recoverable Items folder. But are these methods enough for your organization’s retention requirements?

Microsoft Office 365’s Default Retention periods
The retention times for those folders can be customized to fit your organization’s requirements using retention tags and policies — but you can see that there are still limitations and data can ultimately be lost from any of these folders under various circumstances.

Here’s how the folders work.

Office 365 Data Protection Table

As you can see, even though Microsoft provides tiered retention periods, a tenant can still suffer accidental data loss, through user error or malicious activity.

Stay tuned for Part 2, where we will discuss Litigation Hold.

Learn More About Spanning Backup for Office 365

*** This is a Security Bloggers Network syndicated blog from Spanning authored by Lori Witzel. Read the original post at: