Securing your investment in Microsoft 365
There’s a lot of sensitive data contained in Office documents - so it makes sense to take care of it
With the sudden requirement to support mass homeworking, the past year has seen an accelerated uptake of cloud services, including Microsoft 365 (formerly Office 365), SharePoint and Teams.
Organisations have been largely satisfied with the move, which was often simply a case of bringing forward existing plans, said Michele Domanico (pictured), systems engineer at cloud data specialists Veeam Software. But the need to act with urgency meant that many companies lacked time to plan the migration thoroughly or to put proper disaster recovery and business continuity processes in place, increasing the risk of losing data through operator error (accidental deletions are surprisingly common) or misconfigured migrations.
"Microsoft do everything they can to make it as easy as possible," he said. "But there's always the risk of human error or external factors. There are multiple cases where projects go wrong when rushed or actioned without proper planning."
It's important to pay close attention to these risks both during and after moving to cloud services, because Microsoft does not provide a comprehensive backup service for Office data. Veeam estimates that 60 per cent of sensitive cloud data is stored in Office documents and that 75 per cent of this sensitive data is not backed up - which is where the company steps in.
"Veeam customers choose us because they know that all of their workloads cannot only be backed up before the migration but our ability to backup on premise and restore to cloud is an asset to both backup and some migrations," said Domanico.
Cloud services are generally considered more secure than on-premises hosting these days, but there's still a risk of downtime - all the major cloud firms have hit the headlines with outages over the last few months.
Reducing the impact of downtime
Ideally, organisations will have factored the risk of outages into their detailed business continuity plans, including calculations of recovery point objectives (RPO) - a metric the amount of data the organisation can tolerate losing - and recovery time objectives (RTO) - a measure of the acceptable recovery period. Again, though, planning in this area is sometimes less rigorous than it should be, said Domanico, and most organisations will benefit from assistance in working out these objectives and reducing the effect of any downtime as far as possible.
"We often talk about RPO and RTO with our customers, and what that means for them. We work alongside all our supporting customers partners in cloud vendors to provide a safety net for outages, whether that be in the cloud or on-premises."
The impact of outages can reach beyond cloud services, particularly in the case of hybrid cloud setups; data centres can vulnerable too, as the ongoing attacks on Exchange Server have demonstrated.
"As we have seen with recent events, data centres are at risk as much as on premise so Veeam's ability to be agnostic enables our customers to remain protected whatever the case," Domanico said.
Understanding the regulatory landscape
Recent research by Computing found that a quarter of organisations are using a Microsoft 365 backup and recovery service with a further 19 per cent trialling such solutions. Chief among the benefits reported by adopters were data recovery, compliance and granularity of recovery services.
On a scale of 1 (not at all) to 10 (extremely), how beneficial has the use of a third-party Microsoft 365 backup and recovery service been to the following?
Source: Computing Research
First on the list - data recovery - speaks for itself. But the second - compliance with data protection and other regulations - is an extremely important consideration when migrating to the cloud with the fine details often poorly understood.
For example, the EU GDPR may have been on the books for two years now, but confusion abounds about who is liable for a personal data breach or loss, particularly in the context of supply chains and partnerships. Getting this right is important if the organisation is to mitigate the risk of fines and reputational damage, and assuring compliance is another area where outside assistance can help, said Domanico.
"We operate a shared responsibility model. This outlines the areas of coverage, but I think there will always be points of clarification needed no matter what the technology."
Understanding responsibilities as data controllers and/or processors is key, but selecting the right tools can also be invaluable when it comes to compliance, he continued.
"A core example is Veeam's ability to remove obsolete and non-compliant data from a backup when restored. It's better to have the tool to hand that to not have it when needed or when in doubt."
The latest version of Veeam's guide for backing up Microsoft Office 365 by Michele Domanico has just been released. Download it here.
This article was created in partnership with Veeam.