Are you prepared with a data backup strategy for Office 365? The February 2021 version of the Microsoft HIPAA Business Associate agreement states that it will “comply with applicable requirements of the [HIPAA] Security Rule”. One of the HIPAA requirements is data backup. So backup is taken care of by Microsoft, right? The answer is “only partially”.
Microsoft’s responsibility is to ensure uptime of their Office 365 infrastructure. They replicate O365 data to a geographically distant data center. They also maintain a recovery capability so that if there is a failure of their hardware or software, or some disaster at their data center, they can quickly restore your data. This is sufficient for their HIPAA responsibility.
Microsoft even goes one step further: their software includes a Recycle Bin that provides end-users a limited, short-term recovery capability.
For some organizations, for example a small physician practice that uses Office 365 for email only and does not maintain any important information in their email, this might be sufficient.
However, Office 365 includes these 4 services:
Organizations should perform a data criticality analysis and document the importance of the data kept in each of these 4 Microsoft services. One simple classification scheme is “unimportant”, “important”, or “mission critical”. Increasingly, organizations are using Office 365 for vital business functions. For organizations that use Office 365 for data that is “important” or “mission critical”, consider these scenarios:
- Accidental deletion by an employee
- Malicious actions, for example, deletion by a departing employee or hacker
- Hackers perpetrating a ransomware attack
- Preserving information on the accounts of terminated employees
- Legal compliance obligations
Microsoft recycle bins provide some limited protection for 1 to 3 months. The recycle bins do not provide “point in time” restoration capability which could be essential for scenarios such as a ransomware attack.
At some point in the future, Microsoft might offer a comprehensive backup capability for their Office 365 service, but as of now they do not. Backup is a primary component of your security strategy for Office 365. Fortunately, there are many 3rd party vendors who do offer comprehensive, flexible, and robust backup and recovery capabilities. A scan of the first 10 pages of results from a Google search for “Office 365 backup” uncovers dozens of 3rd party vendors with products to fill this gap in Microsoft’s Office 365 product.
As an example, one leading backup vendor, Veeam, offers comprehensive Office 365 Backup. Their product offers the capabilities typical of a robust backup product: it allows creation of a backup regimen that specifies what is to be backed up, at what frequency, how long it is retained, and where it is backed up. Data can be backed up to any of a variety of locations, for example, to Amazon Web Services S3 buckets, to Azure Blob storage, or to an in-house device. It provides a flexible restoration capability to restore an item, an entire user, or a user’s folder, either to its original location or to a different location. A very important capability is the ability to perform a point-in-time restoration for an entire user or the entire service.
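To make the difference between a recycle bin and a point-in-time backup concrete, here is an added toy model (not Microsoft’s or any vendor’s code): ransomware overwrites items in place, so a recycle bin, which only holds deleted items, has nothing useful to give back, while a snapshot taken before the incident can be restored as a whole. The class, method and item names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UserData:
    """Constructed model of one user's mailbox/drive (not a real O365 API)."""
    items: Dict[str, str] = field(default_factory=dict)        # live items
    recycle_bin: Dict[str, str] = field(default_factory=dict)  # deleted items only
    snapshots: List[Tuple[int, Dict[str, str]]] = field(default_factory=list)

    def write(self, path: str, content: str) -> None:
        # An in-place overwrite (what encrypting ransomware does) never
        # touches the recycle bin: the previous version is simply gone.
        self.items[path] = content

    def delete(self, path: str) -> None:
        # Only an explicit delete lands in the recycle bin.
        self.recycle_bin[path] = self.items.pop(path)

    def take_snapshot(self, ts: int) -> None:
        # A backup job captures the whole state as of time ts.
        self.snapshots.append((ts, dict(self.items)))

    def restore_from_recycle_bin(self) -> Dict[str, str]:
        # Best the recycle bin can do: put deleted items back on top of the live ones.
        restored = dict(self.items)
        restored.update(self.recycle_bin)
        return restored

    def restore_point_in_time(self, ts: int) -> Optional[Dict[str, str]]:
        # Pick the most recent snapshot taken at or before ts, if any exists.
        candidates = [snap for t, snap in self.snapshots if t <= ts]
        return dict(candidates[-1]) if candidates else None


def simulate_ransomware() -> Tuple[Dict[str, str], Optional[Dict[str, str]]]:
    """Return (recycle-bin recovery, point-in-time recovery) after an incident."""
    u = UserData()
    u.write("inbox/contract.msg", "signed contract")   # constructed sample data
    u.write("docs/patients.xlsx", "PHI spreadsheet")
    u.take_snapshot(ts=100)                            # nightly backup before the incident
    for path in list(u.items):                         # every item overwritten in place
        u.write(path, "ENCRYPTED")
    u.delete("inbox/contract.msg")                     # one encrypted item also deleted
    return u.restore_from_recycle_bin(), u.restore_point_in_time(ts=150)
```

Running `simulate_ransomware()` shows the recycle bin returning only encrypted copies, while the point-in-time restore returns the pre-incident contents.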
The bottom line: organizations should conduct a data criticality analysis to assess the importance of the data that they maintain on Office 365, and whenever “important” or “mission critical” information is maintained on Office 365, a 3rd party backup solution should be deployed.
Eagle has no commercial relationship with vendors mentioned in this article.