Data is a vital asset during any feasibility study. As you transition through the stages, the information you generate helps you and your team make the crucial decisions that move your project into production. Protecting the data you generate should therefore form part of your core operational objectives.
During a project's inception phase, many mining operations leverage Microsoft 365 to create and share data. Using capabilities such as Outlook emails, OneDrive files, and Teams chat enables you to collaborate in real-time, from anywhere, using any device. In addition, utilising Microsoft's global cloud platform allows you to manage your cash flow during this critical project phase. As you only pay for what you use, you do not need to invest any capital in procuring expensive IT hardware and software.
However, using a cloud-based service also means storing all your crucial project information on a third-party's infrastructure. While Microsoft 365 offers several data protection capabilities, how safe is the information you create and store on this platform? Should an unplanned incident destroy or corrupt your project data, will you be able to recover it?
The Shared Responsibility Model
Microsoft 365 operates on a shared responsibility model where they are responsible for the platform, and you are responsible for your data. This approach allows each party to manage and maintain the assets under their control and is typical of any cloud-based service.
Microsoft focuses on ensuring its platform is up and running, delivering the uptime reliability needed for its millions of users. They meet this obligation by implementing technologies that replicate your data across their regional network of data centres in Australia. Using this approach allows them to meet their uptime Service Level Agreement as it mitigates the risk of a site or location going offline.
For instance, if the servers hosting your OneDrive data fail for whatever reason, Microsoft uses load balancing technology that allows you to access the replicated copy of your data. However, as their systems continuously copy data across servers in the same data centre and other data centres in the same region, this replication model ensures uptime availability but does not guarantee recoverability.
What do we mean by recoverability? As mentioned, the shared responsibility model means you are responsible for protecting your data. While Microsoft's platform ensures your data is always available, it does not provide a mechanism that allows you to recover it in the event of a disaster.
To look at an all-too-common instance, if you accidentally delete a OneDrive file or Outlook email, Microsoft deletes that file or email everywhere across its platform. Even though you have the option to recover it from a recycle bin within days, the risk remains. Should you realise you need that file or email after the retention period lapses, you cannot recover it.
Microsoft 365's replication and retention policies can also not protect your information from ransomware. For instance, if an incident encrypts your OneDrive files, Microsoft will replicate that change across its platform. Since there is no offline copy of your files, you risk losing all your information. With ransomware incidents increasing exponentially over the past 12 months, organisations cannot ignore this threat and need to take the relevant preventive measures to protect their information.
Common Microsoft 365 data loss scenarios
As Microsoft 365 does not provide an independent, offline copy of your data, several scenarios pose a risk to your information. We have already mentioned accidental deletion and malware threats such as ransomware. However, there are other scenarios where you can lose vital information.
During a feasibility project, team members typically work on multiple files, often collaborating on the same one at the same time. Microsoft 365 does not protect these shared files from being overwritten. Depending on the criticality of the file, an incident where human error overwrites crucial information could be devastating. Microsoft 365 does offer some protection in that it keeps different versions of the same file as it changes. However, relying on this mechanism is not recommended. Instead, regular independent offline copies provide a proven solution for this data loss scenario.
Another scenario that could result in a loss of critical data during a feasibility study is data corruption. As mentioned, Microsoft 365 only ensures the availability of your information by replicating it across its global network. Should an incident corrupt a file, mailbox, or SharePoint database for whatever reason, the Microsoft 365 service will inadvertently copy the corrupted data. As with the overwritten data risk, you could, in theory, roll back to a previous version. However, there are no guarantees that you will not suffer any data loss. Industry best practices dictate that an independent offline backup copy is the proven defence against data loss, and unfortunately, Microsoft 365 does not provide this feature.
Insider threats pose a tangible risk to any organisation. However, during a feasibility study, when the core asset of your enterprise is the information you create, a trusted user that maliciously deletes your research data could be catastrophic. According to the 2020 Insider Threat Report, 68% of organisations confirmed that insider attacks were becoming more frequent. Furthermore, 53% of organisations also believed detecting insider attacks has become significantly to somewhat harder since migrating to the cloud. Unlike the other data loss scenarios mentioned, Microsoft 365 does not offer any protection from this type of threat. For instance, if a disgruntled team member deletes a shared folder on OneDrive or SharePoint and empties the recycle bin, that information is lost forever.
Another potential data loss scenario when using Microsoft 365 is the destructive restore process. For example, should you ever need to restore a SharePoint site using the Microsoft 365 built-in tools, Microsoft copies your data to the same location and overwrites any files that may already be there. This process could result in data loss as there may be data that is not part of the restore saved on that particular site. An independent offline copy of the data is once again the only mechanism that can mitigate this risk.
Protecting your Microsoft 365 data
As mentioned, Microsoft 365 does not backup your data. This fact is clearly stated in the official Microsoft documentation for backing up your Microsoft 365 Outlook Mailboxes. This document affirms and explicitly declares that "Point in time restoration of mailbox items is out of scope for the Exchange Online service."
Considering the risks mentioned, organisations conducting feasibility studies cannot afford to lose information during this critical phase of a project. Furthermore, as the data they create and share during subsequent phases drive critical decisions, information loss at any time could have a detrimental effect on operations. As a result, organisations need a comprehensive data backup strategy to mitigate these risks. As the Outlook Emails, Teams Chats, SharePoint data, and OneDrive files form the enterprise's core assets, backing up this Microsoft 365 data is vital.
Defining your Recovery Time Objective and Recovery Point Objective
A robust backup strategy must ensure you can recover all your data when you need it. Typically, backup solutions concentrate on two factors the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO).
The RTO refers to the amount of time your organisation can wait during a data recovery process. For instance, can your entire team wait 8 hours to access critical data, or do you need to be up and running within 30 minutes?
The RPO is like the RTO in that it also requires a business decision. In this instance, the question is, how much data are you willing to lose? The RPO sets the point or points in time when you run your backups. For example, let's say you run your backup once a day at 8 pm, an RPO of 24 hours. An incident occurs at 5 pm the following afternoon that requires you to recover lost data. In this instance, you will lose any data you created from 8 pm to 5 pm, equating to 21 hours. As it is within your RPO of 24 hours, your backup plan meets its requirements. However, from an organisational perspective, you need to decide if you are willing to lose up to 24 hours' worth of data. Perhaps an RPO of 8 hours which requires you to run backups three times per day, is a better option?
Determining your Storage Requirements
Once you have established the RTO and RPO that works for your organisation, the next step is to decide how much storage your backup solution will require. Ideally, you should backup all the data you create and store on Microsoft 365. However, there may be instances where you do not need to have an independent offline copy of everything. For example, you may want to archive some of the older information you do not access frequently. Again, the amount of data you will backup comes down to a business decision. The more data you backup, the more storage you will need. You also need to factor in growth as the amount of data you backup will increase as you create more documentation, send more emails, and have more Teams chats.
Identify, Procure, and Implement the Backup Solution
The final step in creating a backup plan for your Microsoft 365 data is to identify, procure, and implement the appropriate software. The solution must align with your RTO, RPO, and storage objectives and can backup data stored on Microsoft 365. It must have the capability to retrieve Exchange, SharePoint, OneDrive, and Teams data from a cloud-based instance of Microsoft 365. It should also allow you to perform quick searches and granular point in time restores of individual elements such as files and emails. The solution should also backup your data to any location, whether it be a server you manage or another public cloud platform such as Microsoft Azure or Amazon Web Services.
Leverage an Expert
Ensuring you can recover your Microsoft 365 data is vital. As a result, leveraging an organisation with the skills and experience in developing and implementing backup solutions can help you formulate a data protection strategy that works. Since backing up your Microsoft 365 information is their specialty, they can advise you on the best approach for your organisation, help you identify any risks, advise on the appropriate RTO, RPO, and storage strategy, and ensure nothing gets overlooked.
Your best first step is to apply for your free Data Risk Profile Analysis consultancy by visiting the Office Solutions IT website at https://www.officesolutionsit.com.au/microsoft365-backup.