Microsoft Office 365 reached 180 million monthly active users last year and more than 5 million paying businesses are currently using Google G Suite. The volume of SaaS application data has been on the rise for several years. However, only 29 percent of small and midsize enterprises back up their SaaS data via a third party application.
When it comes to SaaS applications, most organizations operate under a common misconception. They believe that they have backup and recovery with their SaaS provider, but there are significant limitations on what is typically provided.
SaaS providers practice a “shared responsibility” model when it comes to data protection. They will protect their customers from failures of their network, storage, servers, and application, but the customer is responsible for protecting their data from user and admin failures as well as from cybersecurity attacks.
For example, here’s the breakdown of responsibilities for Microsoft Office 365:
Common causes of SaaS data loss
Admin mistakes:
Admins may inadvertently delete data that should have been kept. Once it’s gone, it’s gone in these cases, unless there’s a third-party backup solution in place.
Malicious insiders:
In Ponemon’s “Cost of Cybercrime Study,” malware and malicious-insider cyberattacks accounted for one-third of the cybercrime costs in 2018 amounting to $13 million. Disgruntled employees can delete data to spite their employers or for personal gain.
Malware and cyberattacks:
According to the 2019 Ponemon Institute’s Cost of Data Breach Report, 51% of breaches were caused by malicious attacks. Of course, a data breach may be different from a data loss involving your SaaS application data. But the statistic illustrates the relative frequency of malicious attacks that could impact you SaaS data.
Let’s take a closer look at Office 365 data retention
When a retention policy is assigned to an Office 365 mailbox or public folder, content can follow one of two paths (per this document on Microsoft’s website):
As stated in the Microsoft article:
- If the item is modified or permanently deleted by the user (either SHIFT+DELETE or deleted from Deleted Items) during the retention period, the item is moved (or copied, in the case of edit) to the Recoverable Items folder. There, a process runs periodically and identifies items whose retention period has expired, and these items are permanently deleted within 14 days of the end of the retention period. Note that 14 days is the default setting, but it can be configured up to 30 days.
- If the item is not modified or deleted during the retention period, the same process runs periodically on all folders in the mailbox and identifies items whose retention period has expired, and these items are permanently deleted within 14 days of the end of the retention period. Note that 14 days is the default setting, but it can be configured up to 30 days.
However, Microsoft’s policies are not designed so that customers have direct access to backed up data with the ability to easily restore it. In fact, the Office 365 service-level agreement addresses availability, not recoverability of your data.
For these reasons, it’s important for businesses to take the responsibility for their SaaS data backups and recovery to prevent data loss.
Enhanced protection for SaaS data
Data loss by human error, malicious insider action, or cyberattack can be extremely detrimental to an organization’s business continuity.
Having a cost-effective backup and recovery solution that enables you to back up all your SaaS data is an important consideration for your business.
Kaseya Office 365 Backup allows users to back up and restore Office 365 and SharePoint data directly and easily from the Kaseya VSA endpoint management solution.
It uses the OAuth 2.0 protocol rather than less secure service accounts and passwords to access Office 365 and ensures protection of data in transit with 128-bit SSL and at rest with 256-bit AES encryption, one of the strongest block ciphers available.
To learn more about Kaseya Office 365 Backup, download the product brief here.
