This is the 6th installment in a series addressing the challenges facing the DOD as they move into Microsoft 365. The others are here:
- The DOD’s Cross-Command Telework Platform (CVR) Expires Soon: What’s Next?
- Considerations for Governance in DOD365
- Is Zero Trust Enough to Secure Your Data?
- How Teleworking and the CVR Affect Records Management for the DoD/IC
- How to Prepare for Unified Labeling in Microsoft 365 DoD
- Smart Data Governance Lessons Worth Learning From the CMMC
- What to Use When for Secure Microsoft 365 Collaboration
Microsoft has developed M365 to be a flexible, powerful platform for collaboration and business processes. From ticket tracking to finance, workflows, and the modern collaborative workplace, the M365 COTS (Commercial Off The Shelf) platform will enable the DOD to accomplish the mission without the overhead of reinventing the wheel.
One area, where Microsoft will rely on the DOD to provide its own solution, however, is data protection and recovery. This may shock you as you begin reading this article, but let me make something crystal clear from the start: there is no built-in “backup” for Microsoft 365.
It can be daunting trying to understand exactly what the DOD will be responsible for and what Microsoft provides.
In its most simple form: Microsoft provides disaster recovery for catastrophic events—like a natural disaster—and very small, short-term mistakes. They provide a multi-stage “recycle bin” so a user can manually recover items deleted by mistake for short periods of time (as much as 93 days). And, through Microsoft’s enterprise support and help desk, they provide a process for requesting short-term data recovery and roll-backs at the mercy of potentially long wait times.
Conversely, the DOD is responsible for protecting Microsoft 365-hosted content over long periods of time (months and even years) and maintaining compliance with all their data retention regulations. The DOD is responsible for user mistakes. The DOD is responsible for recovery from dormant malware and ransomware attacks that often take months to identify. The DOD is responsible for creating a process where end-users can request data recovery efforts. And lastly, the DOD is responsible for meeting its own long-term data recovery requirements.
Backup (and the all-important recovery) is still an administrative function that Microsoft customers must provide on their own.
Common Microsoft 365 Data Protection Concerns
The most common Microsoft 365 Data Protection concern can be broken up into three areas: Licensing changes, Error (human or programmatic), and Malicious Intent (both inside and outside actors).
The Impact of TDY, PCS, and Retirement on Data (Licensing Changes)
DOD personnel move around a lot! Temporary Duty Yonder (TDY), Permanent Change of Station (PCS), and retirement mean that Microsoft 365 administrators need to be working with recruiting and HR offices to know who is coming, going, and what data must be retained. This coordination is vital because if a US Army soldier in CONUS changes station to EUCOM and their Microsoft 365 license is applied to a new soldier, their data is lost after 30 days UNLESS manual actions are taken. These manual steps could bog down the system and overwhelm Microsoft 365 administrators with the volume of tasks and maintenance of individual user retention policies.
The most common data-loss scenarios involve users accidentally deleting documents, emails, and even entire workspaces (Group, Team, or SharePoint sites) as Microsoft 365 allows Owners and Members to delete content containers and workspaces by default. While both version control and the recycle bin exist to address these mistakes allowing simple restoration (as much as 93 days for documents and 14 days for email), beyond these limits there is no recovery point.
Workspace permissions can be overwritten, and configurations and page elements can be deleted. For example, see the KPMG story where an admin error caused irrecoverable data loss.
A disgruntled user or administrator may attempt to delete, corrupt, or otherwise remove access. The native response is a “rollback” to restore from a previous point in time; with the rollback capability, all changes since that point in time are lost in the restoration.
Ransomware attacks typically involve an outside threat compromising a system to block access to its data until they are provided with a ransom. The City of Atlanta spent $2.6 million in 2018 to respond to a ransomware attack that had impacted their municipal operations. For attacks that started prior to the recycle bin timelines above, there is no recovery point.
Can Retention Policies Replace the Need for Backups?
Someone in every IT organization always suggests to “turn on data retention for all data with indefinite preservation. If no one can delete data backup and retention become moot points!”
This is true, and yet …
Retention and backup mean different things to different people within your organization depending on their sphere of responsibility. In IT, a backup ensures content can be recovered and made available to users in case the need arises. To that same person, retention just means how long before content can be deleted’.
But to a Lawyer, Records Manager, or Compliance Auditor, retention means something different: the content must be available for discovery and legal document production, while being able to defend its provenance, chain of custody, and its deletion or destruction. A backup is merely a simplistic source of data recovery for when data is deleted by mistake.
Retention Policies are not meant to support collaboration, they are meant to support protecting regulated data to ensure discoverability during legal actions. Retention policies manage content “in place.” Retention policies restrict the deletion of a Microsoft Team or SharePoint Site Collection if there is a retention policy protecting that data from deletion. However, when the policy is removed the content can be deleted and without perfect coordination between IT, the mission workers, and Records Managers, there is no recovery when a regulated record is deleted along with the workspace.
Even worse: retention policies don’t protect against all threats to document integrity. Errors, malicious software, and outdated encryption settings can all render the retained copy corrupted, unreadable, and unrecoverable.
Finally, as the DOD works to improve the security posture of the Defense Industrial Base (DIB), its own mandate in the Cybersecurity Maturity Model Certification (“CMMC”) process states that level 2 compliance explicitly adds the requirement of off-line backup. To meet this mandate, the DIB will be required to engage with a third-party backup solution.
Considerations for Backup Solutions
Backing up your Microsoft 365 tenant isn’t unrelated to meeting your data retention regulatory requirements, however it’s not the solution for doing so. The job of a good cloud backup solution is making certain a copy of data is (preferably) easily accessible for recovery. A comprehensive cloud backup solution collecting all content generated regardless of source workload or container means all content is easily and quickly available, with flexibility for recovery.
A good cloud backup solution will include many features that make retention (and legal document production) quick and easy such as:
- Automatic detection of new content containers to include in backups
- Granular in-place and out-of-place restore to the individual data unit level (document, list item, e-mail, etc.)
- Encryption of data in storage
- Automatic purge of backups after longest default retention period ends
- Ability to find and remove item-level backed up data as needed such as “Right to be Forgotten” rules
- Delegation to allow document production without admin credentials
- End-user self-service restore based on date and text search
- Comprehensive backup of the entire tenant – All Microsoft 365 workloads and all information types
Microsoft 365 + AvePoint Cloud Backup
We’ve discussed the different aspects of retention and backup and it’s vital that the DOD develop plans for BOTH aspects of data preservation.
Microsoft 365 Retention Policies and Labels are for Record Managers and Legal departments. They are there to preserve regulatory data and produce it for eDiscovery in a timely manner. The people in these roles should be self-sufficient in this endeavor and Microsoft has made that available to them through the Compliance and eDiscovery consoles.
Backup & Recovery is an IT function, impacted by regulatory requirements (e.g. CMMC), and must be in place as protection against user errors, process changes, licensing assignments, or malicious actor threats.
To that end, over 6M users and over 70 petabytes of Microsoft 365 data is protected every day by AvePoint’s Cloud Backup SaaS solution. That same service can support the DOD in an IL5 tenant to help meet all the data protection requirements for Microsoft 365. The service is automated to take the burden of backup off IT (backups run 1-4x/daily), is an evergreen service (meaning it never needs upgrading), and provides a secure offline copy stored in a customer-controlled location.
Ready to make the jump to Microsoft 365? Remember to back up that SaaS!