You may observe some other components in this context, such as security and regulatory aspects, and there's a strong parallel to be drawn with data protection.
For instance, we understand that Microsoft takes care of physical security, access to data centers, the physical servers and storage they operate on, as well as access to the exchange servers themselves. However, it remains our responsibility to oversee user security measures like enforcing robust password policies, implementing multi-factor authentication, and conducting log audits, among others.
For more detailed information about the Microsoft Shared Responsibility model, you can refer to the Veeam blog.
Retention policies are backups.
These are two distinct concepts:
- Backup refers to a duplicate copy of your data that you can use for recovery purposes if the need arises.
- Retention, on the other hand, refers to the duration for which something must be preserved before it can be deleted. Even in the realm of backups, this terminology is applicable, specifying how long a restore point should be retained before the backup solution removes it.
This distinction is crucial because relying solely on retention policies to keep your data online in the cloud for legal or compliance reasons doesn't equate to a comprehensive backup solution.
While you can set retention policies for extended durations, this may lead to other implications, such as increased data storage costs. Eventually, you might end up paying more to retain your data than employing a regular retention period plus a third-party backup solution. Moreover, adhering solely to retention policies means you never fulfill the "1" in the 3-2-1 rule, which involves having an offsite or "off cloud" copy of your data.
So, why do we need backups? What risks are we safeguarding against?
Traditionally, when we contemplate the need for backups, we think of conventional scenarios like fires or natural disasters. These are unlikely to occur in the vast "clouds" spread across multiple facilities, right?
To some extent, this holds true. Microsoft 365 is a highly resilient platform distributed across facilities worldwide. However, it's not immune to data loss. Referring back to Microsoft's own Services Agreement under the warranties section, it explicitly states:
"WE DO NOT GUARANTEE THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE OR THAT CONTENT LOSS WON'T OCCUR, NOR DO WE GUARANTEE ANY CONNECTION TO OR TRANSMISSION FROM COMPUTER NETWORKS."
Additionally, there are other security threats and complexities for which your organization is responsible, as per the shared responsibility model.
While numerous edge cases and reasons exist, these are the most common motives for implementing a third-party backup solution for your data:
Configuring these can be intricate, often requiring multiple policies to meet your needs, which carries the risk of creating gaps in data retention that you may not be aware of.
User Error/Accidental Deletion
Accidentally deleting files due to human error is an exceedingly common data loss scenario. It's also the most prevalent.
The prevalence of security threats, such as ransomware and phishing attacks, has risen significantly. Attackers with compromised credentials can manipulate and remove compliance and retention policies before deleting data from your M365 tenancy.
Now, let's explore your options and how straightforward it is to implement third-party backup solutions.
The good news is that enabling third-party backup solutions is a relatively straightforward process. Microsoft has provided external APIs that allow third parties to securely access and retrieve data, with proper consent, of course.
Numerous software applications and even other SaaS/cloud providers offer such services. The choice depends on your strategy, whether you prefer to manage your infrastructure or outsource it.
In both scenarios, I personally recommend Veeam Backup for Microsoft 365. It supports:
This product offers flexibility in configuring data protection, allowing you to include or exclude specific data, determine retention periods, and set backup job frequencies according to your preferences.
When it comes to data restoration, Veeam provides market-leading tools for searching data within your backups and facilitating eDiscovery. One particularly valuable feature is the ability to compare your backup data with the data in M365, making it easy to identify missing items. This is useful when users cannot recall precisely what they deleted but know they removed a batch of files or when an employee has "exited" the organization and conducted some data cleanup along the way.
In terms of licensing, Veeam's approach stands out. Unlike some products that require you to pay for all users in the backup set, including those who have left the company, Veeam charges only for active users. Consequently, all historical data in the tenancy can be retained at no additional cost, except for storage expenses.
For a comprehensive overview of this product, you can visit the Veeam Backup for Microsoft 365 product page.
Now, it's time to make a decision: do you want to manage the backup environment yourself or outsource it? Each approach has its merits, depending on your internal resources.
In most cases, all you need is a single server. For larger organizations, deploying additional worker nodes may be necessary to handle the high volume of data generated and distribute backup jobs accordingly.
The server can be a physical or virtual machine on-premises. However, if you've transitioned away from on-premises infrastructure, you can spin up a virtual machine on any cloud provider supporting Microsoft Windows and run the Veeam product from there.
Regarding where to store backup data, I recommend object storage. Any S3-compatible provider is supported, such as AWS, Azure, Wasabi, or a local provider to meet regulatory requirements. Object storage offers high resilience and scalability, eliminating concerns about data expansion.
However, the product also supports saving data to conventional block storage (local hard drives), but be mindful that monitoring the local drive and expanding it as your backup grows will be necessary.
This is the simplest option. Veeam has a growing number of Service Provider Partners with expertise in configuring and maintaining these environments, sparing you the responsibility.
Reputable providers incorporate automation to facilitate onboarding with your M365 credentials. Once configured, your service provider will grant you access to a dashboard displaying backup history and providing you with the tools to control what gets backed up and how long it's retained. They'll also offer tools or a portal for data restoration when needed.
Billing models for this service are typically straightforward, akin to how you consume M365: (#of users * license) + total data storage. However, it's advisable to confirm these details with your chosen provider.
As a disclaimer, I work for one such provider, Softsource vBridge, where we have integrated all the automation mentioned above to simplify monthly consumption. We offer flexible terms with no commitments, and you can request more information here if interested.