If It’s Your Data, It’s Your Responsibility to Protect It
My focus today is on some of the threats companies need to be aware of as they migrate to the public cloud. There is a common misconception that once you migrate to the cloud, your data is somehow protected from theft and mishaps. In the same vein, companies that have opted for a Microsoft 365 environment automatically assume Microsoft fully backs up their data on their behalf. That’s not exactly the case and I will cast light on what you can expect from Microsoft and what you need to do to ensure the integrity of your data within your cloud infrastructure.
Cloud Vulnerabilities and Data Breaches
Just because it’s hosted by Microsoft doesn’t mean your data is as secure as you may assume. Like any SaaS environment, there are risks associated with it. Criminal cyberattacks, ransomware hacks, and personal information leaks are just a few of the security breaches reported in the news on a regular basis.
In some cases, the malicious actions are much less sophisticated. Back in 2018, a disgruntled employee deleted 1200 M365 accounts as an act of revenge because he was fired from the job. He was able to carry out the premeditated act because the company didn’t remove his admin privileges after he was let go. He was finally arrested in 2021, sentenced to two years in prison, and required to pay more than $567,000 to the company to cover costs associated with the hack. Even though there was punishment for the crime, the consequences for the affected organization were dramatic. It took them three whole months to fully restore the accounts. What’s even more worrisome is how much harm was caused at the click of a button.
While instances like the one above are not rampant, when they do occur, they can cause a lot of damage to an organization’s brand, reputation, and ultimately, bottom-line. In fact, after such a breach and massive loss of data, some companies may never recover.
Much more common is the loss of data due to honest mistakes by end users. Accidental deletions can be costly as more and more mission critical data resides in the cloud.
Honest mistakes can lead to grave problems. For instance, falling for a phishing scam, clicking on a link, and inadvertently downloading malware is all it takes to compromise your cloud infrastructure. In a best-case scenario, it will affect only your M365 email. But in a business context it is likely that your account is hooked up to Azure Active Directory. If it happens to have additional privileges, or other applications such as SharePoint, where many shared files and data reside, it may be exposed to vulnerabilities. If a virus gets propagated, it can spread and infect the entire organization.
Another consequence following a malicious attack is exposing and leaking sensitive data or private information, such as customers’ credit cards, SSNs, addresses, phone numbers, etc. Again, the impact can go a lot further beyond that single infected account. If ransomware compromises your account, your email account will end up encrypted and you will be asked to pay money to regain access to your data.
While many of these vulnerabilities cannot be fully avoided, they can be significantly mitigated if your company has a proper cloud backup solution put in place to safeguard the integrity of your data. According to IDC 6 out of 10 organizations don’t have a data protection plan in place! One of the reasons for this sobering statistic is that most companies using M365 for mission-critical work are only relying on Microsoft’s geo-distributed backup capabilities to protect them against data loss from user error, ransomware, and other threats. This is a really bad idea.
Microsoft’s and Your Shared Responsibility in the Cloud
If you want to follow best practices for data protection in the cloud, the first thing you need to know is that you shouldn’t rely on the Microsoft 365 native retention tools for backup because they weren’t designed as a solution to protect your data.
By definition, backup is the process of creating a copy of the data on your system at a different location which you will access in case of loss or corruption to recover your original data. If you decide to rely on M365’s archive capability for backup the data remains in your production environment and will likely be compromised in case of a malware or ransomware attack.
Microsoft does backup user data to a point. The Deleted Items Folder is subject to Microsoft’s default 30-day retention policy. Under certain conditions and within 90 days, M365 users can restore deleted messages and mailboxes. If a Microsoft 365 subscription expires or is terminated, Microsoft disables the account and deletes all customer data from the account after 180 days. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable. At that point you are out of luck.
Without a proper backup solution, all the data in a terminated account will disappear with adverse results: communication gaps, loss of intellectual property, violation of company retention policies or regulatory compliance mandates, etc.
In other words, deploying a robust backup solution in your cloud environment is not only a nice-to-have layer of data protection, it is also a central component of your modern IT infrastructure. Accidental deletion, internal and external security threats, and meeting legal and compliance requirements are just a few reasons why backing up Microsoft 365 is critical for your organization.
iShift Backup and Restore – a Core Component of the iShift Platform
While SaaS applications like M365 are hosted with a provider, the provider does not always give you the consistent security and backup, recoverability, and data preservation as part of their standard service offering. The iShift Backup and Restore offering is available to all iShift clients, either as part of iShift Cloud or as a standalone service.
Here are the capabilities you get with the iShift Backup and Restore Solution:
- A backup of all data at a different location from the production environment that can be restored at any time.
- Granularity and point in time restore.
- Flexibility to set the retention policy and keep data as long as needed; snapshot and item-level retention.
- Data is preserved, regardless of whether a user is an active employee or has left the company. When an employee leaves the company, their data in M365 is deleted, but the iShift backup preserves it.
- Advanced search capabilities – significant time savings when undergoing eDiscovery.
- Simplicity and peace of mind with a holistic approach to backup and restore: address different use cases with a predictable retention policy and predictable costs using the same solution in all scenarios.
I hope I have helped you understand why deploying a backup solution is an essential component of your M365 infrastructure and have reminded you of the dangers it exposes you to if you don’t have a backup solution. If you have an M365 environment and need a partner to recommend and deploy a data protection solution to safeguard your mission-critical data beyond the Microsoft native retention tools, the iShift team is ready with the right answer for you.
As Vice President of Services, Pete is at the helm of the iShift team of consultants responsible for delivering projects that make companies become more efficient, more competitive, and more innovative in a rapidly evolving environment. Following uncompromisingly his guiding principle of “Getting it right the first time” Pete often plays the role of an agent of change for his clients by directing them in their transformational undertakings. Follow Pete on LinkedIn.
iShift is a multi-cloud technology solutions company that provides cloud engineering, cloud migration, cloud management and specialized IT staffing services. Our mission is to help businesses to simplify and accelerate growth while enabling digital transformation and IT modernization. No matter where organizations are in their cloud journey, iShift can design, build, optimize and manage a future-ready multi-cloud environment, resulting in significant cost savings, increased workforce productivity, operational resilience, continuity of services, and business agility. For more information on how our offerings empower businesses through their adoption of cloud and modern technology, visit www.ishift.net.