As long as email has been around as a communication medium, it is still the de facto standard for business communication. Email serves as the primary communication channel for most companies. It is also one of the first services organizations migrate to cloud Software-as-a-Service environments like Microsoft Office 365. Many organizations are migrating to cloud SaaS environments to realize many benefits to business-critical services and data.
With this being said, backing up business-critical cloud SaaS services, including cloud email, is crucial. Microsoft Office 365 email is a popular option for organizations migrating email services to the cloud. How can it be adequately protected so that recovery of email services is possible in the event of a disaster? This post will examine Office 365 cloud email backup best practices to see how organizations can best protect their Office 365 cloud email data.
Why are cloud email backups necessary?
One of the advantages of housing infrastructure, services, and data in the cloud is the resiliency and robust nature of cloud service providers. Amazon, Google, and Microsoft have world-class data centers. Hyperscalers boast uptime, resiliency, and data persistence ratings unachievable for most private enterprise data centers. With the notion that cloud service providers have incredible resiliency and availability of data and services, organizations can develop misconceptions about cloud data protection and assume backing up cloud data isn’t necessary.
However, this can be a grave mistake that leads to tremendous business-continuity disruptions for your business and can even result in far worse consequences. These include lost customers, a tarnished brand, and even lost business. None of these are acceptable or desirable outcomes in the highly competitive business world today. Companies are required to move at a rapid pace with little or no disruptions to their customers and other business stakeholders.
Backing up your data in cloud Software-as-a-Service environments is crucial to protect against data loss and the outcomes listed above. Focusing on cloud email, how can data loss happen in cloud SaaS email services like Microsoft Office 365? It may be surprising. However, many of the same dangers to your on-premises data and email services exist in cloud SaaS environments like Microsoft Office 365. What are these?
- End-user data deletion
- Infrastructure failure
1. End-user data deletion
Arguably one of the greatest dangers to cloud-based data is end-users. One of the most common business-continuity events is accidental deletion of data by an end-user. Helpdesk technicians are very familiar with calls from end-users who have accidentally deleted a file on a file share or who accidentally deleted an email they did not intend to delete. The severity can range from one file or email to many files and emails that may impact the entire business’s workflow.
The same is true with cloud SaaS environments. When it comes to cloud email, end-users can easily delete important emails. What if many users connect to a shared cloud email inbox? Deleting essential emails from a shared inbox can affect multiple users.
Ransomware has quickly become one of the most alarming threats in cybersecurity for businesses data. It can effectively “lock-up” data in a way that can no longer be accessed. Hackers hold your data “hostage” in an attempt to extort funds. They require victims to pay in the form of untraceable cryptocurrency. You may ask – isn’t ransomware a threat only to on-premises files and not those in the cloud? No. Ransomware can and does threaten cloud email such as is found in Microsoft Office 365. How is this possible?
Cloud SaaS environments use OAuth authentication delegation to integrate third-party applications into your cloud SaaS environment easily. Most are familiar with OAuth authentication on mobile devices. Have you seen a dialog box requesting permissions to your cloud SaaS environment for a third-party application during installation? It is a classic example of authentication delegation using a token.
OAuth authentication delegation allows granting a “token” to a third-party application requesting resources. This token enables access to cloud resources with your user permissions. With OAuth authentication, your user password is not shared with the application. OAuth token-based authentication is a great way to allow sanctioned, legitimate third-party applications to access your cloud data in a secure manner, without your account details.
However, what about malicious applications? How can a malicious application gain access to a valid OAuth token? By masquerading as a legitimate application. A malicious application will never notify you that it is indeed a malicious application intended to do your business-critical data harm. Instead, malicious applications cloak themselves in the wrapper of legitimate applications performing a service of some sort.
Cloud ransomware can encrypt all emails in an entire Office 365 email inbox. Kevin Mitnick, a former hacker who now works as a security consultant, demonstrated this type of attack in what he referred to as “Ransomcloud.” With Ransomcloud, an end-user opens an email that directs them to “install a new Microsoft security update.” The email appears legitimate. However, under the covers, it is a ransomware application. After it has been granted cloud OAuth authentication delegation, the ransomware has everything it needs to begin encrypting emails. At the end of the encryption process, the end-user receives the ransom note via an email. With Ransomcloud and future variants, cloud email is undoubtedly at risk for infection with ransomware.
3. Infrastructure failure
While infrastructure failure is arguably the least likely of the threats mentioned, it is still possible in cloud environments. Cloud service providers engineer highly resilient infrastructure. Cascade failures, however, do happen. It means there have been instances noted where cloud datacenters had multiple failures that led to data loss. Amazon AWS had a failure on Labor Day 2019 that resulted in 1 TB of lost customer data. While it is an unlikely scenario, it can and has happened with cloud service providers in the past.
Office 365 cloud email backup best practices
Backups are an essential part of the overall disaster recovery strategy for cloud-housed data. Backups of cloud data need handling with backup best practices in mind. Regarding Microsoft Office 365, what Office 365 cloud email backup best practices are essential to consider when designing a disaster recovery strategy in the cloud?
Let’s take a look at the following Office 365 cloud email backup best practices:
- Do back up your cloud email
- Store backups outside of the cloud environment protected
- Use a third-party cloud-to-cloud backup solution
- Use encryption in-flight and at-rest
- Use retention policies
1. Do backup your cloud email
With the reasons listed above, backing up cloud Software-as-a-Service (SaaS) environments is crucial to ensuring your business-critical data in the cloud is protected. The first best practice is a rather obvious one – do back up your data. Backups are the cornerstone component of any backup strategy that allows recovering data when lost for various reasons.
Cloud service providers generally operate under what they refer to as a shared responsibility model. It means the CSP is not ultimately responsible for your data if it is lost. This burden falls on you as the customer. It underscores the need for backups of your cloud data.
Backing up your Microsoft Office 365 cloud email will allow recovering an entire email inbox affected by ransomware or restoring individual deleted emails. It ultimately allows protecting your business-critical email data from data deletion from various means.
2. Store backups outside of the cloud environment you are protecting
The traditional 3-2-1 backup best practice model of protecting your data hold many valuable principles that can benefit organizations designing their cloud backup strategy. One of the essential principles found in the 3-2-1 backup best practice is storing your data on “multiple forms of media” and keeping a copy of your data “offsite.” Following this same line of reasoning with your cloud SaaS email environment, such as Outlook web email found in Microsoft Office 365, means storing your Office 365 email backups outside of Microsoft’s cloud environment.
You want to make sure the solution you use for Microsoft Office 365 cloud email backups allows storing backups outside of the Microsoft cloud environment. It is crucial for consideration as many third-party backup solutions are limited to using the same cloud where the production data resides. Third-party backup solutions that allow storing cloud email backups outside of the same cloud SaaS environment help to ensure your backup data is not affected by a disaster in your production cloud environment.
3. Use a third-party cloud-to-cloud backup solution
While the Microsoft Office 365 cloud SaaS environment has many powerful features, enterprise backups are not part of that feature set. Many cloud SaaS providers are starting to offer features that flirt with “backup” type features; however, they are not backups. An example of this is the file versioning offered to Microsoft Office 365 customers in OneDrive for Business and SharePoint. This feature allows restoring a previous version of a file in OneDrive or SharePoint.
The file versioning feature does not include true enterprise backup features that organizations require and expect from a proper backup solution. Also, file versioning is not a feature found in Exchange Online email as part of Microsoft Office 365. Office 365 cloud email has a few ways to get emails back, such as restoring deleted items. What happens if ransomware encrypts your entire email inbox? The emails are not deleted but instead are encrypted. How can you recover from this? Using built-in recovery tools in Microsoft Office 365, there isn’t a way to recover. Again, there is no versioning for Office 365 cloud email, and ransomware-infected emails are not deleted. So, a good version of your emails does not exist in a deleted items folder.
Organizations who are serious about protecting their cloud email must use a third-party backup solution. Cloud-to-cloud solutions allow backing up your Office 365 cloud email using a cloud Backup-as-a-Service (BaaS). Backup-as-a-Service solutions allow effectively backing up your Microsoft Office 365 email solution and storing the backups in the cloud.
4. Use encryption in-flight and at-rest
While ransomware uses encryption for malicious purposes, encryption can also enhance security. Organizations must consider the fact that backups contain production data. It means if backups are transmitted and stored without any protection on the backups themselves, your data is potentially vulnerable. To ensure no one has unauthorized access to the data contained in your backups, use both encryption in-flight and at-rest for your backup data. Encryption in-flight means your data is encrypted as it traverses over the network. Encryption at-rest encrypts data stored on disk. It ensures information is protected from unsanctioned access, both crossing the wire and stored on disk.
5. Use retention policies
Using retention policies ensures that data pruning aligns with your organization’s data retention policies and ensures your business complies with regulatory requirements. Retention policies involving data pruning also helps to keep an efficient footprint in cloud backup storage.
Easily meet Office 365 cloud email backup best practices
SpinBackup is an extremely versatile and robust solution that allows your organization to easily meet Office 365 cloud email backup best practices. It provides the ultimate protection for your cloud-based email in Microsoft Office 365 environment. Questions such as how to recover deleted Outlook emails are answered using SpinBackup, even when emails do not exist in the deleted items folder. When you permanently delete Outlook items on the web in Microsoft Office 365, these move to Recoverable Items > Deletions folder. By default, these are kept for 14 days and can extend to a maximum of 30 days. SpinBackup can recover emails long past this configurable maximum in Office 365.
Key features of SpinBackup include:
- Automatic versioned backups 1-3x daily
- Ability to store backups in multiple cloud environments
- Perform entire mailbox or granular mailbox items
- Searchable backups
- In-flight and at-rest encryption
SpinBackup, used in SpinOne’s ransomware protection functionality, uses artificial intelligence (AI) to detect ransomware. Once found m, it stops ransomware before it causes major damage in your environment. SpinBackup allows providing data protection to your cloud email and does this in a way that aligns with industry best practices.
Learn more about SpinBackup and signup for a free, fully-featured trial version here.