Backup Responsibility in Microsoft 365
Microsoft’s Shared Responsibility Model outlines the areas of responsibilities between users and Microsoft depending on the deployment type. While it’s simple with on-premise applications, which are solely the user’s responsibility, things get more complicated as you move to the cloud.
Microsoft provides several cloud service delivery models, such as platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS). Depending on the model, Microsoft and users share responsibilities related to network controls, identity and directory infrastructure, applications, and operating systems differently. Some areas, like data and accounts, are always owned by a user regardless of the delivery model, while others, like physical networks and hosts, are always on Microsoft.
The Microsoft 365 shared responsibility model is based on the SaaS framework, which enables users to access and use Microsoft cloud-based apps. With SaaS, most responsibilities are handed off to Microsoft, but not all. Let’s explore this further.
Understanding the Microsoft 365 Shared Responsibility Model
Microsoft’s primary responsibility is to keep its cloud services up and running, ensuring that millions of users worldwide can access their Micorosft 365 environments. For this, Microsoft provides data center geo-redundancy and built-in replication to failover to another data center in case of a disaster. This is where the biggest misconception comes from: Microsoft replicas are managed and retained by Microsoft and, thus, don’t belong to you. You can’t control those replicas or use them to retrieve needed accounts or files.
The Shared Responsibility Model also gives a better understanding of the security aspect, a shared responsibility between Micorosft and a user. So, what is shared responsibility in this case? While Microsoft is responsible for infrastructure security, including the physical security of its data centers and authentication within cloud services, a user is responsible for data-level security. Surprisingly, this includes not only user mistakes like accidental deletion or retention policy gaps but also cyber attacks and even data loss during outages caused by Micorosft. Here’s what Microsoft states in their Service Agreement:
We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.
Another factor is compliance pressure on data owners. Regulations like GDPR and HIPAA set strict requirements for data security and access. Besides, the GDPR data sovereignty mandates data owners to store data copies in specified locations, which can be challenging if you don’t fully control where your data resides.
Microsoft clearly states that users are data owners who are accountable for their data, accounts and access regardless of the deployment type. Even though you can find a variety of compliance tools inside Microsoft 365, they alone don’t guarantee compliance with regulations.
Now, let’s summarize how Microsoft and user roles differ in terms of infrastructure, security and compliance.
Microsoft’s Role
Infrastructure Availability and Uptime:
- Data centers
- Network
- Applications
- Operating system
Security:
- Data center security against software failures, outages, and disasters
- Security against unauthorized access to physical infrastructure that hosts Microsoft 365
- Data center redundancy (replication) across multiple locations
Compliance as a Data Processor:
- Transparent policies and audit
- Response to breaches and timely reporting
User’s Role
Infrastructure:
- User data
- Endpoint devices
- Account and access management
Security:
- Data protection against cyber threats, disasters, and human errors
- Data backup, retention, and archival
- Business continuity and disaster recovery
Compliance as a Data Owner/Controller
- Accountability for data access, privacy, security, and retention
- Compliance with standards and regulations
Microsoft Is Not Liable for Your Data
As a data owner, a user always retains the responsibility for their data and access to it, making third-party backup solutions crucial for Microsoft 365 data protection. Microsoft offers a few built-in tools for data retention and short-term recovery, but they are insufficient to ensure full control over your data.
Microsoft released Microsoft 365 Backup for Exchange Online, SharePoint Online, and OneDrive for Business in 2024 to address the lack of backup capabilities. However, even with this new solution, users still have to deal with the main drawback of all Microsoft native tools: all data copies are stored inside the Microsoft cloud, so your primary and backup data is not physically separated. This can compromise your data protection strategy and increase the risk of data loss.
Stay in control of Your Data: The Benefits of a Third-Party Backup Solution from NAKIVO
To ensure Microsoft 365 data recovery in all scenarios, you need a comprehensive third-party backup tool like NAKIVO Backup & Replication that supports local, offsite and cloud storage. Multiple backup targets help you effortlessly implement the 3-2-1 backup rule by storing data copies outside of Microsoft infrastructure for better security and control.
You can further safeguard data against ransomware and other cyber threats with a wide range of security features, including encryption and immutability. The NAKIVO solution supports AES-256 encryption, enabling you to secure backups before transferring them over the network. With the immutability feature, encrypted backups are ‘locked’ for a specified period, preventing any modifications or deletions during that time.
How to Monitor and Audit Backup Activities in Microsoft 365 with NAKIVO?
The NAKIVO backup solution provides the advantage of Microsoft 365 monitoring. There are limited native tools for Microsoft 365 security monitoring and audit, including Compliance Center and Microsoft Defender. However, they are designed mainly to monitor source data and don’t provide a detailed overview of backup activities, nor do they have automated alerts for backup status.
NAKIVO Backup & Replication, on the other hand, allows you to monitor all Microsoft 365 backup activities from a centralized web-based dashboard. There, you can check current and scheduled jobs and their statuses and monitor backup storage space, backup size, and speed. The dashboard displays errors and alarms related to the solution updates and licensing, repositories, transporters and running activities, highlighting them in red when the issue is critical.
The NAKIVO solution enables you to set email notifications on backup completion and configure pre- and post-backup actions using custom scripts. Such scripts can help you automate remediation actions for known issues, such as rebooting remote servers or running another software after backup completion.
