RTO vs. RPO: How to Build a Strong Office 365 Data Backup Plan

Post Date: 03/27/2019
feature image

Editor’s note: This post was updated on July 13, 2022.

“Once I’m in the cloud I’m safe. Microsoft guarantees the fidelity of my data and ensures that I always have a backup should I need to restore content or if there is a catastrophic failure in their system. Because of this, I don’t need to worry about backing up my content.”

While there is some truth to the above statement, it also highlights several of the biggest concerns and gaps in the native Office 365 data protection solutions available to subscribers. Although the data that is stored in the cloud is protected, this does not mean that Microsoft will be able to restore content in a way that meets your needs or internal service-level agreements.

If you are deploying a hybrid environment, you will need to ensure that content across your entire SharePoint deployment is protected whether it lives in the cloud or your own data center. While the specifics discussed here are focused on your cloud deployment, utilizing these best practices throughout your environment can help to ensure a winning backup strategy anywhere. This article will cover four key facets of protecting your data to help you ensure business continuity in the cloud.


1. Set Your Goals for Office 365 Data Protection

Anytime you discuss Office 365 data protection, you need to approach the problem with two primary goals in mind: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). This allows you to approach the problem with a clear understanding of your responsibilities to the organization.

Once those are established, you can look at the native solution provided by Microsoft as well as the gaps within it that you need to fill.

What is a Recovery Point Objective (RPO)?

Understanding how your RPO–the maximum targeted timeframe in which data can be restored from a backup–will affect backup plans is the first place to start. It includes the plan for the frequency of backups as well as your ability to recover individual components. Having this information available gives you a clear way to plan for backups. It defines your commitment to the organization and protects you from unreasonable requests. Some good questions to ask when first defining your organization’s RPO (or, more likely, building new backup plans for your organization):

  1. How recent does your backup need to be? Having multiple tiers of data is a best practice, as not all of your content is created equal. Classifying data according to its importance to the business allows you to create RPOs that ensure all of your content is protected while allowing business-critical information to be restored at a more recent point in time.
  2. How granular does your backup need to be? While you are determining how frequently you need your content to be backed up, you should also consider the granularity with which you need to restore that content. Ensuring that business-critical documents can be restored individually without affecting the rest of your system can save you a lot of headaches.
Confused about when to use RTO vs. RPO? Check out this post: Click To Tweet

What is a Recovery Time Objective (RTO)?

Just like planning your RPO, ensuring that you have an RTO–or the amount of time in which content must be restored defined by a service level agreement–in place will protect not only your business but you as well. Creating predefined timeframes for restoration of content helps you refine your recovery points as well as classify the data you are backing up.

Having a tiered system in place helps ensure your end users that their business-critical information will always be recoverable to a specific point in time. Using your RTO in conjunction with your RPOs can help you drive specific service-level agreements (SLAs) for content in your environment. Keep the following questions in mind when setting up your RTOs:

  1. How critical is the information that I need to back up?
  2. How quickly will business users need their content restored?
  3. How much content can I restore inside of a specific time frame?

2. Understand Native Office 365 Data Protection Solutions

Before you can address any gaps in native data protection capabilities, you must first understand what Microsoft offers to you (in terms of retention) as an Office 365 subscriber. If you’re unfamiliar, feel free to visit this link in order to review a few key points of data retention.

However, the long and short of it is that your options are limited. You either have 93 days in the recycle bin or 14 days of Microsoft-owned backups. If we’re talking about Azure (which is the platform where your Microsoft 365 data is hosted and stored), then only a 30-day window is provided—and without granular restores or protection coverage for your accounts, access management, and endpoints.

Perhaps more importantly, if you need to recover content that has been permanently deleted, there is no way to recover just the item that you need. Microsoft restores your data at the site collection level as an in-place restoration. This means any changes, updates, or additions to that site collection that occurred since the site collection was backed up will be lost. This timeframe may not align with your RPO due to the limited scope of availability.

Now as you consider the RTO–Microsoft’s timeframe to restore content is 48 hours. This is problematic if you have tighter internal SLAs. Even if your SLAs align with Microsoft’s promise, you’re still dealing with a restoration of content that will wipe out changes in your environment made since the last 14-hour RPO. In most cases, this won’t be acceptable to your users or organization.


3. Address the Gaps in Native Office 365 Data Protection

Once you’ve defined your organization’s RPOs and RTOs, as well as examined how those requirements fit into the native Microsoft capabilities, you can begin to fill in the gaps.

  1. Recovery Timeframe: The first is the timeframe in which data can be restored. If you are not able to restore user content quickly enough, your business can grind to a halt and all eyes will be on you as the administrator. Ensuring that you can restore content on demand as quickly as possible is the first step in protecting not only your business’s content but also yourself.
  2. Content Fidelity: The next issue is restoring content with full fidelity. It may not be enough to restore the data to its original location without version history and metadata. If you are using a data classification system, it is also vital that this information is restored along with the content to ensure you can meet SLAs.

Granularity is arguably the most important piece of any Office 365 data protection plan. Restoring content down to the item level ensures minimal disruption to business processes. Combining this with data classification ensures that the most business-critical content gets the level of protection it requires. Including these tiers in your SLAs can help you ease the burden on IT teams in the event of a restoration.

Of course, in ensuring that your Microsoft 365 data protection is updated, you also need to look out for cybersecurity trends so you’re aware of what data needs better protection and how to facilitate that.

For example, Gartner sees misuse of credentials as today’s primary attack vector—which means a proper identity and access management must be organized for your organization. How does Microsoft address this and what extra measures do you need to implement?

To address this gap, looking into an Azure backup service and disaster recovery is crucial to making sure you have a defense against today’s cybersecurity threats.

Blog Post: On-Premises vs. Cloud Office 365 Backup: The True Cost of Ownership

4. Ensure Your Plan Covers All the Bases

Understanding the limitations of Microsoft’s native backup solution as well as your specific business needs helps determine an Office 365 and Azure data protection plan that is both sensible and executable. Make sure that you have the following as part of your plan to ensure your own sanity and keep the business running smoothly.

1. Define your data tiers:

  • How sensitive is your content?
  • How business critical is your content?
  • How business critical do your end users think the content

2. Define your Service Level Agreements:

  • How quickly can you feasibly restore the content?
  • How much content needs to be restored?
  • Is there an easier way to recover the data?

3. Define your Recovery Point Objective and Recovery Time Objective:

  • How long is the data available to be restored?
  • Do you have different recovery points for different levels of content?

4. Fill the native gaps:

  • Do you have a plan to address the gaps in the native backup?
  • How do we restore individual items?
  • How do we restore to a new location?
  • How do we keep long term backups?

What’s Next?

Whether you’re fully in the cloud or utilizing a hybrid environment, AvePoint is well prepared to help you fill all of these gaps with fast, flexible, and intelligent Office 365 and Azure data protection solutions.

Beyond Office 365, AvePoint is now offering Microsoft Azure Backup to help you protect your critical business applications, Azure AD, Azure VMs, and Azure storage. This provides you with deeper security to help you not only back up and restore your data, but also ensure business continuity against disasters and unforeseen risks.

As users, groups, permissions, and accounts become more vulnerable, you need to build a wall of defense—and a backup and disaster recovery plan—to ensure your security and business continuity in today’s evolving cloud. AvePoint Azure Backup can help.

Looking for more Office 365 backup content? Be sure to subscribe to our blog

Antoine Snow is a senior solutions manager at AvePoint, leading the Public Sector business unit. He has held various positions in IT over the past several years ranging from front-end web developer to Microsoft 365 Service Owner. In his current role, Antoine focuses on governance and adoption challenges plaguing the modern workplace and helping government organizations understand the components of a governance strategy and its implementation. Antoine's views on these topics can be found in various blog posts and has been the focus of one-to-one workshops.

View all posts by Antoine Snow

Subscribe to our blog