Protecting Your O365 Data: Your Responsibility Vs. Microsoft's

If you’re an Office 365 customer and haven’t yet adopted a backup solution for your O365 files and data, you may be assuming that they are automatically protected by Microsoft. Microsoft does have some built-in retention policies; however, the solution was not designed to provide the data protection services you need. So, when it comes to protecting your Office 365 data, just what are you responsible for and where is Microsoft accountable? We’ll examine the differences so you can better understand your vulnerabilities in Office 365.

Primary Responsibilities

Software as a Service (SaaS) providers like Microsoft focus on protecting their underlying infrastructure because they are responsible for ensuring that the uptime and delivery of their service hold up to their contractual Service Level Agreements (SLAs). However, that protection does not extend to any customer data. In Office 365, you are the data holder and you’re responsible for protecting the data you create and store within the platform.

Shared Responsibility Model

Supporting technologies sit behind both Microsoft’s responsibility and yours. Microsoft replicates data across data centers for geo-redundancy. Microsoft also has the Recycle Bin, which supplies limited protection against short-term data loss. You’re responsible for an Office 365 backup solution that stores the backup copies in a different location than where Microsoft is replicating the data. This is because data loss or ransomware that is introduced can be replicated across data centers through Microsoft’s replication instead of being mitigated. You are also responsible for both short-term and long-term data retention to fill all of Microsoft’s retention gaps, which is why you can’t rely on the Recycle Bin.

Security-wise, Microsoft is responsible for making sure that their service can be delivered. They handle security at the infrastructure level, which includes physical, logical and app-level security as well as user and admin controls. As an Office 365 customer, your responsibility exists at the data level. The internal vulnerabilities you need to protect your data against include accidental deletion, malicious insiders, employee retaliation and evidence tampering. External threats like ransomware, malware and hackers are more rampant than ever before.

In regard to regulatory responsibilities, Microsoft’s role is the data processor, while your role is the data owner. This means that Microsoft ensures data privacy, regulatory controls and industry certifications are covered in the solution, but you are responsible for meeting your organization’s own corporate and industry regulations. You must also meet legal and compliance demands for data retention.

Office 365 backup and retention policies can only protect you from data loss in a limited way and are not intended to be a complete backup solution. With a solution like Veeam Backup for Office 365, you’ll have access to and control of all Office 365 data regardless of Microsoft’s retention policies, plus you’ll protect against data loss from things like accidental deletion and security threats. Learn more about how you can protect your Office 365 data through our partnership with Veeam, or talk to an expert about customizing a backup solution for your organization.
