The Microsoft Shared Responsibility Model: if you told us you hadn’t heard of it, we’d understand. It’s not exactly a compelling bedside read.
But we’d also be quite worried, because if you’re not familiar with this model, it’s very likely you’re missing a critical characteristic of the Microsoft 365 platform – namely, that it does not back up the data you store within it.
Yes, you read that right. Contrary to popular belief, Microsoft 365 does not take care of your data backup. It secures and provides access to your data in the cloud, but that is where its obligation stops. After that point, the responsibility for backing up office 365 data – is entirely yours.
We’ve discussed this in a past post or two, but we wanted to dig a little deeper here to show you, using an excellent graphic, just how unequivocally Microsoft’s model leaves you holding the baby when it comes to your data.
What’s yours isn’t theirs, what’s theirs isn’t yours
To get an immediate sense of this, you need only glance at The Microsoft 365 Shared Responsibility Model graphic below for a few seconds. It is split into Microsoft’s responsibilities and your responsibilities – and the term ‘backup’ only occurs in the latter.
Why? Because, as the diagram shows, in Microsoft’s world its primary 365 responsibility is to its global infrastructure and the uptime and reliability of its cloud services. On the other hand, guaranteeing complete access to and control of data – processes that inevitably include, amongst other tasks, backup – is quite clearly the preserve of the customer.
(To prove the point, just look at all the issues you are responsible for at the data level – most of them wouldn’t be issues at all if Microsoft 365 provided backup!)
Likewise, you can see that the responsibility for full data retention, data-level security, and legal / compliance matters relating to ownership of the data are all, again, down to the customer.
What it boils down to is this: Microsoft owns its cloud infrastructure and uses it to process your data – but you own your data and therefore still have ultimate responsibility for securing it, protecting it, and backing it up.
Replication? Retention? Red herrings!
This takes us neatly onto the difference between what Microsoft 365 looks like it provides, and what it actually offers.
It’s perhaps easy to see why a cloud-based platform like Microsoft 365 is often interpreted as being a backup service in itself. After all, it is able to replicate data from one place to another (i.e. between different data centres) to ensure continuity of service if one location goes down.
Likewise, it’s easy to see why the Recycle Bin is sometimes seen as data retention, given that it keeps copies of deleted files for some (varying!) length of time.
But the Shared Responsibility Model quickly lays the lie to these assumptions. It highlights the fact that the replicated data isn’t your data at all – it’s Microsoft’s – and, in any event, in a replication scenario, deleted data or corrupt data is also replicated along with good data – meaning the replicated data is then also deleted or corrupted. This does not happen with a true backup service.
Further, the Recycle Bin cannot deliver both short-term and long-term retention, and doesn’t offer essential backup options like granular recovery, bulk restore, and point-in-time recovery.
In short, whilst both replication and retention are oft-encountered buzzwords in this space, the reality is that the first serves Microsoft’s interests, not yours, and they stay well away from the second!
Shared responsibility, heightened risk
For those businesses that either don’t know about their responsibilities within the model, or don’t understand them, what, then, are the potential consequences?
Perhaps a few insights from the industry might help here. Consider this:
- On average, around 33% of folders in organisations are not protected in any way
- Around 64% of employees have access to 1000 or more sensitive files
- Some 90% of UK data breaches are due to human error
In short, the risk that business data across the board is likely to find itself subjected to both unintended and malicious deletion or loss at some point is, constantly, extremely high – and this risk applies to Microsoft 365 as much as it does to any other non-backed up form of data storage.
Microsoft has laid its cards on the table regarding Microsoft 365’s Shared Responsibility Model, and the absence within it of backup of any kind.
The next move to protect your Microsoft data must be yours.