Disaster recovery plans are vital, not just important. Data becomes lost, deleted, purged, corrupted, all the time. Without that measure in place, data is truly lost.
There does seem to be confusion on what constitutes a Disaster Recovery plan, however.
While many systems have some form of data retention, they lack the necessary measures to be considered “disaster recovery”. This leaves security, compliance, and continuity all in question. Office365 is one of those systems.
What Office365 Does
Office365 is a subscription-based service for Microsoft’s popular applications like Word, Excel, PowerPoint, and Outlook.
While Office365 uses language like “file-sharing and online storage” and “Microsoft-backed 24/7 Security”, at the end of the day, it is a singular system designed for Microsoft’s product line.
To present an example, as long as e-mails from Outlook are in an uncorrupted state, not deleted or purged beyond the unrecoverable period, and not beyond 3 years, you have your content. That is a standard retention policy for an active email system. But that sounds like a lot of conditions, am I right?
Likewise, collaborative platforms like OneDrive and SharePoint allow multiple users to access necessary documents. However, even those systems require a back up for catastrophic events.
Microsoft only provides any form of recovery under the following events:
- Loss of service due to their hardware or infrastructure failure
- Loss of service due to natural disaster or data center outage
- Short-term (30-day) user-error with recycle bin/version history
- Short-term (14-day) administrative error with soft-delete for Groups, Mailboxes or services-lead rollback
What Office365 Doesn’t Do
Under that same example mentioned above, if your email were to become encrypted via ransomware, that is not a situation in which Microsoft will support or recover.
Even in more common events, like an employee leaving, data that is lost in that user’s account is unrecoverable.
Microsoft does not support any of the following events:
- Loss of data due to departing employees and deactivated accounts (outside retention period / delete and recovery periods)
- Loss of data due to malicious insiders/hacktivists deleting content
- Loss of data due to malware/ransomware
- Recovery from prolonged outages
- Long-term accidental deletion coverage with selective rollback
Where a Disaster Recovery Plan Kicks In
A true data backup functions in one of three ways; an image backup, file and folder backup, or infrastructure redundancy.
Backups succeed by offering a replicate of your data, separated in a geographically different, unconnected storage so if you needed to recover any email or even rebuild the entire email system, you could from the last back-up.
You can’t have a disaster recovery and continuity of business policy without a back-up solution.
And Office365 is not a back-up solution or disaster recovery plan.