Cloud Services are vulnerable to outage, and Data Protection is the customer’s responsibility.
On January 25, 2023, a global network outage hit Microsoft affecting users of Teams, Azure, Outlook, SharePoint and Xbox Live. Social media was overwhelmed with users venting anger at not being able to send or receive emails or connect to Teams meetings. The same day Germany’s federal cyber agency (BSI) was reported to be looking into several DDoS attacks (distributed denial-of-service) targeting websites across the country. An outage analysis conducted by Cisco-owned network intelligence company ThousandEyes traced the Microsoft outage to an external Border gateway Protocol (BGP) change by Microsoft that impacted connected service providers, leading to significant packet loss and diminished reachability of its services. It appears that the Microsoft outage and the DDoS attacks were coincidental and unrelated, however both serve as a stark reminder that no cloud-based service is immune from outages, regardless of the size or provenance of the service provider. The key issue we want to highlight is that cloud service providers typically have service level agreements (SLA) in place that cover their service provision, but not the loss of customer data. Cloud service data protection is the responsibility of the customer.
Data security and recovery misconceptions in the cloud era.
Organizations have migrated their severs and data storage to the cloud in record numbers. The coronavirus pandemic accelerated this trend as organizations scrambled to fully support remote working. This is particularly true of Microsoft Office 365, which reached over 345 million commercial users in August 2022. This move to the cloud and remote work enablement requires organizations to think differently about how they are protecting and backing up their data. Historically, organizations kept physical backup copies of their data in an on-premises data center or server rack. With this infrastructure now virtualized and provided as-a-service, organizations must examine the SLAs in place with their cloud service providers to determine if the default data protection levels are adequate. A Forrester report as far back as 2017 pointed out that every SaaS provider, including Microsoft, explicitly assert that clients are responsible for protecting their own data, yet many users are under the misconception that cloud service data is automatically protected. A 2019 IDC Perspective report revealed that 6 in 10 users of Office 365 interviewed at an event did not have a data protection plan for their Office 365 estates, or rely on Microsoft’s native capabilities. IDC also observed that many users confuse Microsoft’s availability SLAs with backup strategies, while others do not see the need to consider backup for cloud services because it is a “different” technology.
The reality is organizations are experiencing cloud service data loss.
One recent survey found 80 percent of companies using SaaS have lost business data which can be very costly.
A Verizon report in the USA found that small data loss incidents can cost businesses an average of up to $35 thousand. Large incidents of more than 100 million records can cost up to $15 million. This does not even consider the cost of an organization not being able to operate for a period. As such, most organizations that value their data should consider a third-party backup solution to ensure their data is fully protected and available across all data loss scenarios.
Data loss scenarios where cloud-to-cloud data protection can ensure the availability of information.
- Cyberattacks and ransomware.
Ransomware is the number one cybersecurity threat, and attacks are occurring at an all-time high. According to the 2023 Ransomware Report from cyber risk solutions provider Outpost24, Germany, France and the UK were in the top 5 of targeted countries in 2022 out of a total of 101 countries reporting attacks. The threat of ransomware was exasperated by remote working, as many organizations moved to the cloud to maintain operations during the pandemic, many without ramping up their security controls. Ransomware can be expensive, with attacks making headlines not only for their frequency, but the rising cost of the ransom. In these scenarios, having a backup copy of your data can enable companies to quickly restore the compromised data and resume operations. Even better is a backup solution that not only restores data, but can ensure business continuity by detecting ransomware before it takes hold.
- User Errors
The most common data loss scenarios involve user error. Users can accidentally delete documents, emails or even an entire workspace if they have owner permissions. This is why Microsoft has effective tools such as version control and the recycle bin to counter these mistakes. If a document has been deleted within 93 days or an email has been deleted within 14 days (or up to 30 days depending on your settings), or a workspace has been deleted within 30 days, you can simply restore these items from the recycle bin. Third-party backup solutions allow you to extend these protections so you can restore Office 365 data even if it has been deleted for longer than 93 days.
- Administration Errors
Office 365 administrators and IT professionals are also human, and therefore just as capable of making the occasional error. One scenario could include incorrectly setting the permissions to a workspace. A third-party backup solution will be needed to quickly restore those permissions. Another scenario could be forgetting or failing to implement the correct data retention setting, for example not properly retaining a mailbox of an employee who has departed the organization. After the 30-day window (and it is almost always after), if a user needed to access that mailbox, or that data was needed for compliance purposes, a third-party backup solution would be required.
- Malicious Insiders
Occasionally a disgruntled user or administrator may attempt to delete, corrupt, or otherwise remove access to important data within Office 365. In most scenarios, the data can be easily restored using native tools. However, if that malicious insider has owner or administrator permissions for a workspace and “rolls back” or restores a SharePoint site from a previous point in time, a third-party backup solution would be required to “move forward” and restore the data that has been created since that restore point.
- Project or Planner Data
For organizations using the Project or Planner services within Office 365, a third-party backup tool can help backup critical granular items such as Planner tasks or sites.
Why Cristie Cloud Protection cloud-to-cloud backup is right for your organization.
There are two main approaches to Office 365 backup: either leveraging self-hosted software or a Software-as-a-Service (SaaS) solution such as Cristie Cloud Protection. As concluded in the previously mentioned Forrester report, cloud-to-cloud (SaaS) backup is the only practical option. That is because self-hosted backup software does not easily scale as your data grows and it requires much more manual work to manage. With a self-hosted backup solution, the organization is responsible for all the infrastructure behind it, including:
- Installation and configuration of the platform
- Scaling and deployment of the necessary servers to support this software.
- Network bandwidth and monitoring for connections to Office 365
- Storage for all Office 365 backups, including redundant storage locations to protect against disk-failures or corruption.
In addition, the organization is responsible for the configuration of the software, including:
- Maintaining server solution service accounts and authentication for connections
- Deciding on the best backup scope / schedule between full vs. incremental backups (often monthly full backups of all Office 365 content)
- Configuring storage locations and capacity planning to match backup schedules.
And let us not forget the ongoing maintenance of the software, including:
- Constant monitoring for Office 365 throttling errors due to service account activity
- Monitoring network consumption to prevent interference with user-traffic on the organization’s network.
- Monitoring security logs for the platform to ensure no unauthorized actions are taken by the administrators.
- Support and troubleshooting are also the responsibility of the organization’s IT Team
Not only could a self-hosted software impede your IT team from providing reliable business continuity, but the time also spent on these items could be better spent on higher value tasks.
In summary, simply backing-up your data on a server does not equate to an effective data protection program.
Cristie Cloud Protection powered by AvePoint – A simple pay-per-use cloud to cloud backup solution.
Cristie Cloud Protection provides vital protection for Microsoft Office 365 and Dynamics 365 but also Google Workspace & Salesforce® with monthly pay-per-use billing and no minimum terms. Cristie Cloud Protection provides a SaaS backup solution that will empower you or your customers to keep business-critical emails, calendars, sites, groups, teams, projects, files, and conversations secure with unlimited automatic backups. With in-build multitenancy the solution is perfect for MSP deployment, and equally suitable for enterprise-wide protection for any organization using cloud services.
Cristie Cloud Protection powered by AvePoint – Key features & Benefits.
- Customers own their data: Customers maintain full access and control over their backup data, not just what’s in Recycle Bins. If backup files are needed for a longer term than the 15-30 days provided by Microsoft, they can be compressed and encrypted on the storage platform of your choice.
- Accident-proof customer SLAs: Meet stringent SLAs with automatic backups up to four times a day and get the flexibility to customize your SLAs for RPO and RTO, instead of relying on Microsoft’s default restoration and retention policy.
- Recover on their own terms: Customers can choose what to restore and where to restore it. Access a backup from weeks ago, or access files during any service disruption: perform in-place or out-of-place restores for granular objects or content, without overwriting valuable data since the last backup, or having to go through Microsoft Support.
- Integrate existing security processes: BYOK, BYOS and BYOA solutions can be integrated to keep your existing security practices operating.
- Customer-Owned Encryption Keys: Azure Key Vault ensures unique keys for each tenant, owned, and managed by each customer to prevent unauthorized access.
- Customer-Owned Data Storage: Data Residency provides hosted options through Azure or through any customer-owned cloud or server storage service.
- Customer-Owned Authentication: Single Sign-on with Office 365 Credentials and Azure AD applications ensures customers retain control of the authentication and authorization of AOS.
- Proactively Detect Ransomware: After the solution detects unusual activity, you receive detailed reports to shorten the investigation and flag the areas of questions. If necessary, you can restore all or specific OneDrive data.
- Highly secure data protection: Cristie Cloud Protection powered by AvePoint is certified by several information security management system standards including ISO 27001:2013, FedRAMP, SOC 2 Type II, CSA, and IRAP.
Simplify your cloud service data protection with Cristie Cloud Protection.
With a unified, browser-based user interface and a fully distributed architecture, Cristie Cloud Protection integrates AvePoint’s powerful data migration, management, and protection technologies into a highly scalable solution for Microsoft 365 applications including SharePoint Online, Exchange Online, Project Online, Microsoft 365 Groups, Teams, OneDrive for Business, Planner, and Public Folders. No installation is required and minimal configuration make getting your cloud service data safe and secure a breeze. Contact the Cristie Data team for more information or to schedule a live demo.