Who’s Responsible For Protecting Data In Office 365?

By Michael Osterman

When was the last time you thought about data protection for your Office 365 environment?

Office 365 is a solid offering that includes a wide range of communication, collaboration and other capabilities. Microsoft has done a good job at building out a worldwide infrastructure that is generally quite solid and reliable.

That said, it’s important to understand that Microsoft is primarily in the business of enabling its customers to do things with their data. Data protection, however, is your responsibility.

Consider the following:

  • Office 365 operates under the “shared responsibility model”: Microsoft is responsible for its global infrastructure and for keeping the Office 365 service up and running, and customers are responsible for their own data, for the identities that access it, and for the access controls applied to it within the Office 365 infrastructure.
  • Microsoft has done a good job of building a reliable system. For example, during the first quarter of 2019, Office 365 achieved 99.97 percent uptime (slightly below the average of the previous eight quarters). However, Office 365 also suffers occasional outages on a more localized, regional basis. For example, it suffered three such outages in June 2019 and four in May 2019[1], for a total outage time of five hours 10 minutes. These outages not only interrupt user productivity; they can also result in data loss for work that was in progress when the service went down.
  • Microsoft notes that “point-in-time restoration of mailbox items is out of scope for the Exchange Online service.”[2] What Microsoft does provide is short-term retention (deleted items are kept in the Recoverable Items folder for a configurable window, 14 days by default and at most 30 days in Exchange Online) and litigation or retention holds, which keep items from being purged but do not let you roll a mailbox back to a known-good state. In practice, this means that if an organization suffers a ransomware attack, an account takeover, or data deletion caused by a malicious insider, there is no guarantee of being able to restore the lost data.
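
Before relying on (or replacing) Microsoft’s native retention, it helps to see exactly what window each mailbox actually has. The following PowerShell is an added example written for this page, not code from Osterman Research, Commvault, or Microsoft’s documentation. It assumes the ExchangeOnlineManagement module is installed, that the account used holds the Exchange Administrator role, and that you sign in interactively; the mailbox filter and the 30-day target are choices made here, not values from the article.

```powershell
# Added example (not from the article): audit the retention that Exchange Online
# itself provides for deleted mail, so you know what a Microsoft-side "restore"
# can reach before any third-party data protection is in place.
# Assumes: ExchangeOnlineManagement module installed, Exchange Administrator role,
# interactive sign-in.
Connect-ExchangeOnline -ShowBanner:$false

# Deleted items survive in the Recoverable Items folder for RetainDeletedItemsFor
# (14 days by default, 30 days maximum in Exchange Online). Past that window, and
# absent a hold, the item is purged and Microsoft cannot restore it.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, UserPrincipalName, RetainDeletedItemsFor,
                  SingleItemRecoveryEnabled, LitigationHoldEnabled, InPlaceHolds

# Mailboxes still on the default 14-day window, or without single item recovery
# (which keeps hard-deleted items recoverable for the same window), are the
# ones with the least native protection.
$weak = $mailboxes | Where-Object {
    $_.RetainDeletedItemsFor -lt [TimeSpan]::FromDays(30) -or -not $_.SingleItemRecoveryEnabled
}
$weak | Format-Table DisplayName, RetainDeletedItemsFor, SingleItemRecoveryEnabled -AutoSize

# Raise deleted-item retention to the 30-day maximum and turn on single item
# recovery. -WhatIf previews the change; remove it to apply.
foreach ($mbx in $weak) {
    Set-Mailbox -Identity $mbx.UserPrincipalName `
                -RetainDeletedItemsFor 30 `
                -SingleItemRecoveryEnabled $true `
                -WhatIf
}

# Mailboxes with no hold at all. A litigation hold or retention policy keeps
# items beyond the window, but it is still not a backup: it stores the copy in
# the same tenant, under the same admin credentials, and it does not give you
# a point-in-time mailbox to roll back to.
$mailboxes | Where-Object {
    -not $_.LitigationHoldEnabled -and ($null -eq $_.InPlaceHolds -or $_.InPlaceHolds.Count -eq 0)
} | Select-Object DisplayName, UserPrincipalName

Disconnect-ExchangeOnline -Confirm:$false
```

Even with every mailbox at the 30-day maximum and on hold, the copy Microsoft keeps lives inside the tenant whose compromise you are planning for; that is the gap the rest of this article is about.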

These issues have some important implications for organizations that have migrated to Office 365 or are considering doing so:

  • Moving to the cloud doesn’t mean that someone else now has responsibility for your data. Office 365 customers are still responsible for their own data, just as if they were managing their own on-premises email and collaboration solutions.
  • The “3-2-1 Rule” says to keep three copies of your data, on two different media or platforms, with one copy held off-site, so that corruption of any one copy still leaves two independent copies available for restoration. The traditional interpretation puts two copies on-premises and one in a remote location; in a cloud-centric world, multiple copies in multiple clouds can satisfy the same rule, as long as the copies do not share a single point of failure.
  • You will need your own data protection solutions in addition to whatever Microsoft provides. It’s not that Microsoft provides no data protection; it’s that your data is extremely valuable and you need to ensure that it’s protected from any deletion or unwanted modification, however it occurs. Data protection can be on-premises and/or in the cloud, but it needs to be managed separately from the Office 365 infrastructure, and ideally under separate administrative credentials, so that the account takeover or malicious insider that destroys the primary copy cannot also reach the backup.

The bottom line is that Office 365 is a solid platform – Osterman Research recommends that organizations use it where it makes sense to do so. However, protecting data continues to be the responsibility of Office 365 customers.

Learn more in a new Osterman Research whitepaper, “Enhancing Data Protection in Office 365,” available now. And learn more about Commvault’s relationship.

Michael Osterman is the principal analyst at Osterman Research, an industry analyst firm focused on the communications and collaboration market. Michael’s areas of focus include security, information governance and content archiving.


[1] https://istheservicedown.com/problems/office-365/history

[2] https://docs.microsoft.com/en-us/exchange/back-up-email