CloudsChief Information Officers must change their line of questioning from is the cloud secure? to am I using the cloud securely? – Gartner 1

The functioning, intellectual property and reputation of your organization – and so its survival – depend on your ability to bounce back from an incident with the help of backed-up data. This is why you need a comprehensive business continuity and disaster recovery solution that does not neglect backing-up your cloud-based data.

Best Practices for Software as a Service (SaaS) Backup

Like Facebook is just a website, we often don’t think of Microsoft 365 or the G-Suite as SaaS, but that’s what they are. The 3-2-1 backup rule remains useful even if your main, working copy is remotely hosted (3-2-1 means three copies of your data – with two copies stored on different media [e.g: local storage appliance, SAN, NAS] and store one of those copies at a different location). Using this backup model, where a SaaS provider has your working copy, you’d need to have an additional storage site besides the same SaaS’s servers.

Whatchu Talkin’ ’bout, Willis?

G-Suite Shared Responsibility

Excerpt from Google’s SLA showing the user’s responsibility and Google’s. Google’s got the platform. You got the content.

Your G-Suite and Microsoft 365 data is secure. However there’s a misconception that these don’t need to be backed up. The shared responsibility model — in the Service Level Agreements (SLAs) — dictates what Google or Microsoft is responsible for when it comes to data protection, and what you’re responsible for.

Although Google and Microsoft are responsible for providing the backup infrastructure, they do not guarantee the safety of your data or take accountability for any financial losses resulting from it.

M365 Shared Responsibility

Excerpt from Microsoft’s SLA showing the user’s responsibility and Microsoft’s. Same deal.

Logistically, operationally and contractually there are few places in the world more secure than Microsoft and Google data centers. And they are designed with disaster recovery capabilities to protect your data from any conceivable infrastructure threat. But Microsoft and Google cannot protect you from the most common causes of data loss: phishing, ransomware, malware attacks, human error, malicious behavior and configuration errors. And per their SLAs you, the customer, and not Microsoft/Google, are responsible for M365/G-Suite data protection.

Human Error is Unpatchable

Human activity – from both internal and external actors – is the primary threat to data in the Cloud.2 And data loss has continued to grow as SaaS usage has changed during the pandemic this past year

Microsoft and Google are fully responsible for application availability and their data centers. Their advanced disaster recovery capabilities are going to protect you from just about any infrastructure threat, but it’s also their responsibility to add, delete or modify data upon request. And upon request means every time a credentialed user hits the delete key on their keyboard or right-clicks on their mouse and hits delete – according to the SLA, it must be honored. That’s whether the deletion was intended, accidental or malicious, the responsibility in all cases is on you, the customer.

In this Corner: Replication for High Availability

The key is to understand the difference between data replication for high availability which Microsoft and Google provide, and backup for data restore and business continuity which is your responsibility.

Microsoft and Google are among the very best in their ability to provide high availability of your data. For example when you are connected to Exchange Online you might be connected to any one of four different servers during the day. In fact your phone and desktop may be connected to different servers at any given time. It’s because Microsoft is maintaining resilient data in multiple locations, so that you get from them a highly available network.

And in this Corner: Backup for Data Restore

One of the problems that arises from relying only on your SaaS’ replication is when you have a data deletion. For example in Microsoft Sharepoint collaboration tool, the recycle bin retains data ninety-three days. And when that data is gone because it’s either beyond the ninety-three days or through an administrator emptying the recycle bin, you have just ten days to submit a support ticket to Microsoft. The real issue is that during that time your end users are still adding content to those Sharepoint sites, so when Microsoft restores the site collection they restore the entire site collection – not just the file that has been inadvertently deleted. This means all the data that was created and added to that site in all that intervening time will be overwritten.

You Got This

Bryley Systems provides true cloud backup for data restore – getting granular, like any good backup – down to restoring single lost files – to help protect your organization’s data in the Cloud. Established in 1987 Bryley is a strong partner to keep your organization running in this time when so much of our livelihoods depends on electronics. For more information about executing a backup plan that includes your M365 or G-Suite data please contact Bryley at 978.562.6077 or email ITExperts@Bryley.com.

1 https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/

2 Kaseya