Eran Farajun is the Executive Vice President for Asigra.
For many organizations, Microsoft Office 365 has become the essential cloud-based productivity platform. According to Microsoft public filings, it’s used by four out of five Fortune 500 companies, and at the other end of the scale, more than 50,000 small and medium sized companies sign up for the service every month. Its subscriber base grew nearly 80 percent in a 12-month period ending Q3 2016.
However, for many corporate subscribers, Office 365’s popularity and convenience may obscure a critical data retention and compliance requirement: the need for users to take responsibility for protecting their own data in cloud-based platforms such as Microsoft Office 365. While it is a highly secure platform, there is a lot more to comprehensive data protection than encryption and hard passwords.
To learn more about the importance of protecting data in cloud-based platforms, I asked three data protection professionals to join me for a discussion exploring why protection of Office 365 data is mission critical. Accompanying me on the panel were Chad Whaley, CEO of Echopath, an IT services and data backup company based in Indiana; James Chillman, managing director of UK Backup, a provider of cloud backup and disaster recovery services in England; and Jesse Maldonado, director of project services at Centre Technologies, an IT solutions provider out of Texas.
I began by asking the panel to identify the top myths about data protection they encounter when talking to customers about Microsoft Office 365.
Chillman: The top misunderstanding we encounter is that people assume that, by signing up for Office 365, Microsoft has now taken charge of their data. However, that’s not true. Microsoft is responsible for running the service and keeping it secure. They do a great job and aren’t going to destroy your data. However, users are still responsible for managing their data and protecting it from threats such as accidents, malicious behavior and ransomware attacks.
Maldonado: We often run into the perception that Office 365 data is not mission critical, and that only data from enterprise resource planning (ERP) solutions or other line-of-business applications need to be protected. That’s simply not the case. Office 365 is at the heart of business communication, and particularly for organizations with compliance requirements, the data created and stored in Office 365 is vital and must be protected.
Whaley: Many customers are drawn to Office 365 by the potential cost savings, but are surprised to find that there are still costs associated with storing data in the cloud. It’s still your data, whether it’s in your data center or Microsoft’s cloud, and if you want to ensure it’s protected, you will need to have a data protection plan. The fact that you have to manage your data doesn’t change.
Farajun: What consequences have your customers experienced due to insufficient protection of Office 365 data?
Chillman: We’re seeing a huge increase in the number of restores due to ransomware attacks—it’s our main area of focus when it comes to retrieving client data. The consequences of ransomware are very serious, including the cost of downtime, loss of earnings and potential fines from breaking data protection laws. We’ve had customers who believe moving data to Office 365 protects their data from ransomware. But that’s not true. If ransomware has infected your data center and you sync to Office 365, then the ransomware can spread to your cloud-based data too. Microsoft does its best to protect against malware but ransomware is becoming much more advanced and it changes every day. It’s a huge problem.
Whaley: I was looking at a study of unscheduled downtime, and found that two factors – human error and software malfunction—accounted for 40 percent of all downtime. Moving your data to Office 365 doesn’t do anything to change these threats. Human error is still very prevalent, like the proverbial Bob in Accounting who deletes all of his data and doesn’t notice for 45 days, at which point it’s gone. The largest restore we’ve ever done was due to an admin who didn’t use Office 365 properly and ended up purging a massive amount of data. Human error is still very much at the forefront of downtime risks and you have to protect against it. As for software, whether it’s on premises or in the cloud, it’s still Microsoft Office and it’s susceptible to the same glitches in either location.
Maldonado: Without comprehensive data protection, data can be lost or destroyed just as easily in the cloud as in the data center. If a Word document disappears and has to be recreated from the ground up, a company will lose productivity. We’ve seen instances where data loss events have led to organizations going out of business—they were never able to recover from the data loss.
Farajun: What considerations and best practices do you recommend to your customers when discussing Office 365 data protection?
Chillman: We make sure that our customers understand the core data protection capabilities built into Office 365. Then we look at how to address the gaps. We work with customers to define service-level agreements to determine what data retention policies they need for their particular business requirements. We also make sure customers understand that they are still ultimately responsible for their data in the cloud. You need to make sure your data protection solution gives you the power and flexibility to manage it effectively.
Maldonado: We find that a lot of customers haven’t defined the Recovery Time Objective (RTO) or Recovery Point Objective (RPO) for their business, so we help them determine their tolerance for data loss. We also help them understand what data retention requirements they must comply with due to regulation. For instance, healthcare and financial organizations have strict guidelines about what data must be stored and for how long.
Whaley: For Office 365 data protection, the best practice we recommend is to plan your solution before you move your data there. For many businesses, data protection is an afterthought. We recommend that our customers get to know their data, understand what’s critical and what’s not, and make sure they realize, whether it’s in the cloud or on premises, that they are ultimately responsible for it.
Farajun: In conclusion, I would add that Microsoft Office 365 offers great simplicity and cost savings for businesses seeking to place their productivity tools in the cloud. However, email and document retention requirements still apply and must be followed regardless of where your data is stored. Microsoft Office 365 provides basic data recovery and archiving capabilities, but this elemental level of protection may not satisfy your compliance obligations. To mitigate your risk and meet compliance mandates, protect your Office 365 data the same way you would protect your on-premise data to avoid data loss as a result of intentional or accidental user error, ransomware attacks, unplanned data overwrites or other breaches. This requires a comprehensive approach to data protection that protects all enterprise data from any source, including Office 365, with a single, easily managed solution.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.