🚨 Use our FREE data vulnerability scanner. Identify and fix DNS issues. Start Your Scan

Microsoft 365 Backup and the Shared Responsibility Model

January 26, 2023

The Shared Responsibility Model (SRM) is a model used by Software-as-a-Service (SaaS) and cloud applications such as Microsoft 365 to outline the obligations of both providers and users when it comes to data. In simple terms, the SRM dictates that a SaaS provider is responsible for their infrastructure and platform uptime, while users are responsible for the data they upload and manage via the platform.

shared responsibility model

In their services agreement, Microsoft is explicit about users’ responsibility for protecting their data:

“We don’t claim ownership of Your Content. Your Content remains Your Content and you are responsible for it… We strongly advise you to make regular back-up copies of Your Content. Microsoft can’t be held responsible for Your Content or the material others upload, store or share using our Services.

As of February 2022, Microsoft 365 was found to control approximately 48% of the market share for major office suites – yet the issue of shared responsibility remains something of a dirty little secret. A 2020 report by Oracle and KPMG, ‘Demystifying the Cloud Shared Responsibility Security Model’, found that only 8% of respondents fully understood how the Shared Responsibility Model works when applied to SaaS services. Given the widespread usage of Microsoft 365 in businesses and workplaces, it’s worrying that understanding of the SRM is so low.


Risks to your Microsoft 365 data

As many organisations depend on Microsoft 365 to complete their day-to-day operations (SharePoint for document libraries, Teams for messaging and virtual meetings, Outlook for email and diary management), the confusion surrounding what users are responsible for indicates there’s a lot of data on these services going unprotected. When organisations neglect their data security responsibilities, or aren’t fully aware of what those responsibilities are, they put their business-critical data at risk from human error and accidental deletion, nefarious action by former or even current staff, malicious actors such as hackers, ransomware attacks, viruses, and other cyber threats.

What’s more, if you’re not backing up your Microsoft 365 data, you’re likely to be breaking laws and industry regulations, and being in breach of SOC2 or ISO27001 compliance – all of which could result in hefty fines and reputational damage.

Cyber-insurance providers also require their customers to have secure immutable backup in place – so if you don’t have backup, your insurance policy may be rendered invalid and you won’t be protected if you experience a data loss incident.


Microsoft 365 data: replication and retention

It’s easy to think that because you can access your Microsoft 365 data from almost anywhere with an internet connection, your data will always be available and therefore doesn’t need backing up. But the reason you can access your data from anywhere is because it’s being replicated from one datacentre to another, to ensure continuity of service. Replication means that if any files are accidentally deleted or corrupted, that data will be replicated along with all your ‘good’ data. With external immutable backup in place for Microsoft 365, this won’t be too damaging – you can restore deleted files and uncorrupted data from your backup. But if you don’t have backup in place, you run the risk of data being lost forever.

It’s also easy to assume that the Recycle Bin offers a small safety net, as it provides a data retention function of sorts. Deleted emails in Outlook are retained for up to 30 days, while documents in SharePoint and OneDrive can be retained for up to 180 days. But there’s no ‘bulk restore’ option, and no granular or incremental recovery – implementing third-party backup for your Microsoft 365 data is the only reliable way to ensure you can recover and restore anything that gets deleted, corrupted or lost.

In 2021, a survey by Enterprise Strategy Group (ESG) found that 81% of respondents said they’d had cause to recover Microsoft 365 data, and only 15% were able to recover all of the data they needed. Findings like this demonstrate the harsh reality of the Shared Responsibility Model: if you don’t take your side of it seriously, you may well lose critical data for good – and the consequences of data loss can be catastrophic for businesses.

In a follow-up Q&A regarding the ESG survey results, two analysts pointed out that “SaaS applications were not developed with backup in mind” and explained that the confusion surrounding the issue of shared responsibility stems from the move from on-premises software to cloud services:

“Older organisations are less trusting and better understand that they are solely responsible because they’d been doing backups onsite for so many years.”

Previously, businesses were in the habit of doing everything on-site – installing the software they needed and backing up their data. But as cloud-based services have become more popular, due to their affordability and ease of set-up and access, it’s become easy to confuse ‘availability’ with ‘security’ – users have fallen into the trap of assuming that because they can always access their data, that data is safe and secure.


So, how do you protect your Microsoft 365 data?

What SaaS and cloud services make extremely clear is that you, the user, need to arrange separate backup for the data you store and manage on their platforms. Whether you use Microsoft 365Google Workspace, or any other SaaS apps, you should implement third-party backup for those services as a matter of urgency.

Choose a backup provider that offers automated immutable backup (to safeguard your data against threats like ransomware attacks), quick, granular recovery, and that protects your data both during transfer and at rest with enterprise-grade encryption.

Safeguard your Microsoft 365 files today – contact us and have your data backed up in minutes.

BackupVault: what have you got to lose?


Editor’s note: This post was originally published in March 2021 and has been updated for accuracy and comprehensiveness.