By thinkon

“Without an enterprise-grade backup strategy for [Office] 365, enterprises are exposing themselves to risks such as ransomware, accidental loss of data, lack of data control, compliance exposures, and threats to business continuity.”

Archana Venkatraman, Research Manager, IDC European Datacenter

Monday morning comes and you wake refreshed and smiling. The lyrics to Feeling Good make perfect sense to you and you find yourself whistling the tune as you head into the office.

Your digital transformation is well underway. The migration over the weekend to Office 365 and Azure was successful. You’ve done right by your business – stored all of your organization’s critical data in the cloud. You relish the fact that there will be no more updates for those applications fully hosted in the cloud and no more time spent ensuring security patches are up-to-date. And, best of all, no more fitful nights spent worrying about losing data and waking in a cold sweat from legal compliance nightmares. The cloud is infallible, after all. Right?


Relying on a single public cloud provider doesn’t necessarily diminish risk – it’s just a sense of simplicity. Multi-cloud seems more complex, but it is far more secure to have multiple copies of data.  

The risk to data escalates as demand for cloud storage continues to expand. Predictions are that by 2025, there will be 175 zettabytes of data worldwide, and 49% of that data will be stored in public cloud environments.

No One Cloud is Perfect

The top three public cloud providers have each experienced a headline-worthy crash.

In 2011, long before the cloud stored the copious amounts of data it does today, Amazon’s huge EC2 cloud services crashed, permanently destroying many customers’ data. In 2014, Microsoft Azure faults knocked websites, as well as its own applications and services, offline, which was “hugely disruptive” to many enterprise customers including Tesco, Boeing and Toyota. In 2019, Google Cloud experienced a four-hour outage, bringing businesses that rely solely on its cloud services to a standstill.

Almost half (49%) of enterprises rely on their cloud vendor for backup and recovery of Software as a Service (SaaS) applications. But what happens when that vendor’s cloud fails?

Should You Back Up Office 365?

With applications like Office 365, SaaS providers offer enough protection assurances for the underlying infrastructure to meet their contractual SLAs. The problem lies in the fact that those guaranteed protections do not extend to customer data created on SaaS platforms. It’s vital to employ solutions to protect your data from risk, based on your terms rather than on the potential limitations of the SaaS platform’s offerings.

Additionally, application sprawl makes ensuring company-wide data protection a challenge. IT may not be aware of all the cloud apps that other departments within the organization are purchasing. The ease of purchasing SaaS applications means that departments such as marketing, HR and operational groups can buy cloud applications on a credit card and be using them for business-critical work, under the impression that the cloud has them covered – which it does not.

Globally, 200-million monthly users depend on the Office 365 suite and its cloud storage for critical business operations. According to a recent report, Office 365 email and documents shared and stored in SharePoint, OneDrive and Teams are the new business-critical data.

To illustrate, a company calendar with multiple-year advanced planning is imperative to an event company’s operations. A shared calendar is stored in Microsoft’s public folders—a location purpose-built for storing shared content. Businesses wrongly assume that the public folders are backed up by Microsoft. In fact, this public folder is retained in what Microsoft calls a backup, but it is not permanent. For example, when you delete a file, it goes into the recycle bin and is retained for a certain period – however, if the retention period is over, it gets permanently deleted with no recovery possible. That’s where having 3rd-party backup in cloud is crucial.

Even though your company may be utilizing a cloud solution, if the public folders’ data disappears, you can’t retrieve it. One data deletion incident or ransomware attack and your multi-year planning calendar is lost.

Microsoft has a long and complex retention policy that many companies do not fully review. However, one big takeaway from it is that once a file gets sent to the desktop recycling bin it is only retained for a certain period of time. Once that retention period ends, the file is permanently deleted (or becomes unrecoverable). That’s when having third-party cloud backup becomes critical.

A False Sense of Data Security

“With Office 365, it’s your data. You own it. You control it.”

— The Microsoft Technology Office 365 Trust Center

Office 365 is a perfect example of where businesses can be lulled into a false sense of data safety. Even though sensitive cloud data is stored in Microsoft documents, an estimated 76% is not being backed up. In fact, IDC states that 6 out of every 10 organizations still don’t have any form of Office 365 data protection. The Microsoft cloud is highly secure; however, the possibility of your sensitive data being exposed or lost does exist.

Your data could be up against:

  • internal and external threat actors who find a way to compromise cloud systems
  • data centre failures due to hardware malfunction or physical catastrophe (like a natural disaster)
  • employee error, leading to deletion
  • limited data retention times
  • cloud policy changes and legacy software being declared redundant, which means your data backup may be discontinued

Microsoft’s principal focus is on managing the Office 365 infrastructure and maintaining uptime for users. But they’ve stipulated that you are responsible for your data. The mistaken belief that Microsoft backs up your data on your behalf is quite common.

“While [Office] 365 is fast becoming the [centre] of business productivity, a backup and recovery strategy is an afterthought. Relying on Microsoft’s native backup capabilities and infrastructure-level uptime features is a risky strategy because, regardless of where the data is, it is the company’s responsibility,” says Venkatraman

The hard truth is that cloud storage data loss is a real possibility – one that needs to be prepared for. It is your responsibility to secure, protect and establish retention policies for this cloud-based data.

Multi-cloud Backup

Just like the adage of not putting all your eggs in one basket, don’t put all your backup in one cloud. Just as you wouldn’t put your server and your tape backup in the same location, don’t use the same cloud for your applications and your backup. If you use Azure to back up Office 365 and Azure goes down, then you are losing both your primary and backup sites. In other words, if all your backup is in the same cloud then you risk losing everything.

Although Microsoft provides infrastructure resiliency and application accessibility within Office 365, you are ultimately the data owner. You are charged with the protection of your enterprise’s data, and you must define data protection based on your business’s specific needs. Acquiring a third-party data backup solution that is a completely different footprint than Azure Cloud is the best way to protect your organization from data loss vulnerabilities related to Office 365.