Microsoft 365: Why you need to know about its ‘shared responsibility’ model

If we had a catchphrase it might be ‘you need to back up your Microsoft 365 data’, on account of how many times we say it.

You’d be forgiven for thinking data generated and held in Exchange Online, SharePoint, OneDrive for Business and Teams is Microsoft’s responsibility. It’s a common misconception that all cloud data is securely backed up and will be recoverable if something goes wrong. But the truth is that much of that responsibility lies with you, the business user. And getting that distinction wrong can have perilous consequences.

In this blog, we’re going to lean on Veeam’s brilliant Microsoft 365 Shared Responsibility Model. Neos-IT partners with Veeam for its industry-leading data security solutions – they know what they’re talking about when it comes to backups and recovery. Their model, drawn directly from Microsoft documentation, is designed to help anyone close to Microsoft 365 technology understand exactly which responsibilities sit with Microsoft and which fall on your business itself.

Primary responsibilities

Microsoft’s main responsibility is focused on their global infrastructure, meeting their commitments to maintain infrastructure, minimise service disruption and maximise uptime, reinforcing reliability and enabling productivity for millions (or possibly billions) of users across the world.

Your business – and more specifically, the IT organisation – has to first and foremost ensure complete access and control of your data, wherever it is. That responsibility remains no matter what SaaS applications or cloud systems you choose to use. Your data is YOUR data.

Microsoft creates replicas – but that’s not the same as backups

To help each side meet their primary responsibilities, there’s a range of supporting technology. Microsoft 365 has built-in data replication, providing datacenter-to-datacenter georedundancy. What that means is that, if something goes wrong at one of Microsoft’s datacenters, they can fail over to another replica – so in most cases, users are completely unaware of any change.

Here’s the crucial part: replication isn’t the same as a backup. And, even more importantly, these replicas aren’t owned by you – they’re not your replicas, they’re Microsoft’s.

Yes, Microsoft continuously (or near-continuously) replicates data to a second site to provide an alternative and avoid application downtime. But there are clear issues with relying on replication for your data security. For instance, deleted and corrupted data is replicated alongside ‘good’ data, which may leave the replica deleted or corrupted as well.

But what about Microsoft 365’s recycle bin?

It’s a valid question. Microsoft 365 comes with a few different ways to quickly recover deleted data – great for limited, short-term data recovery. But it’s just that: limited. To truly meet your data security responsibilities, you need full data retention, providing short- and long-term retention and the ability to recover in a granular way as well as bulk restore and point-in-time recovery options.

Responsibility for security is truly shared

The next part of Veeam’s helpful Microsoft 365 Shared Responsibility Model is security. That’s something both parties are equally responsible for. Microsoft protects the Microsoft 365 environment at the infrastructure level, including the physical security of datacenters and authentication / identification in cloud services, as well as maintaining user and admin controls.

The IT organisation is responsible for security at the data level. That includes internal and external data security risks such as accidental deletion, rogue admins abusing their access rights and ransomware, among countless others.

Then there are legal and compliance requirements

Microsoft documentation makes it very clear that its role is as data processor. As a business using Microsoft 365, your role is still the data owner – which comes with legal and regulator-imposed responsibilities. As IT specialists working with regulated and City firms, we’re well-versed in helping organisations meet their compliance requirements and demonstrate data security to various industry standards. Ask us any questions and we’ll be happy to help, or consider our Virtual CIO service for board-level governance and strategic oversight.

Third-party Microsoft 365 backups are on the rise, but a Veeam survey found that a staggering 71% of businesses were still unprotected. Without dedicated backups, you run the risk of data loss without adequate recovery. That creates reputational risk, as well as financial and regulatory problems in the event of a major incident. Take control of your Microsoft 365 data. Veeam’s backup solutions are protecting more than 13 million Microsoft 365 users across the world – we’re proud to use their technology with our clients.

Get in touch to find out more about Microsoft 365 backups.