Microsoft Shared Responsibility Model – understanding your role

In a traditional on-premises data center, the organization that owns it is responsible for managing security incidents, including the mitigation and remediation of any dangerous incident. If the company instead uses Infrastructure-as-a-Service offerings (Azure, AWS), security of the infrastructure is the provider's responsibility. In the Software-as-a-Service model, specifically in the Microsoft 365 suite, Microsoft is responsible for maintaining the infrastructure and making sure data is available and accessible, while users are responsible for protecting their Microsoft 365 data. This means the user is responsible for restoring lost, stolen, deleted, or compromised data, which should be quite logical and obvious. In the end, it's the user's data, right?

It is particularly important to know which aspects of a cloud service's security belong to the provider and which remain a matter for the user. Additionally, it is good to know how to ensure data protection, backup, and point-in-time recovery using Xopero's services, so you can cover your share of the responsibility just as Microsoft covers its own.

| Microsoft's responsibilities | User's responsibilities | Xopero's responsibilities |
|---|---|---|
| Cloud infrastructure | Business data | Automatic backup and data protection, the 3-2-1 backup rule |
| Infrastructure-level security | Data-level security | Backup & restore at the data level |
| Microsoft cloud storage | Keeping multiple copies | On-premise, public/private cloud, Microsoft cloud, Xopero cloud: store your data anywhere you want |
| Basic compliance (data processor) | Meeting legal requirements, local compliance, and industry regulations (data owner) | Encryption, integrity, data restore, disaster recovery: we help you meet all your compliance requirements (data guard) |
| Basic retention (up to 30 days in a business license) | Long-term retention | Unlimited, enterprise-grade data retention (on-premise/in-the-cloud backup, advanced retention schemes such as FIFO, GFS and forever incremental) as well as granular & point-in-time recovery options |

Microsoft’s data protection limitations 

If we take a closer look at the table above, we will notice the main limitations of Microsoft Office 365 protection, including:

Limitation to infrastructure-level security

Microsoft focuses on its global infrastructure and on ensuring that the Office 365 suite remains up and running. While Microsoft 365 is an undeniably reliable system (with a reliability guarantee of 99.9% uptime), it suffers from frequent outages on a local/regional basis that can result in data loss. Thus, customers are responsible for the access, control, and security of their data that resides in the Microsoft 365 infrastructure.

Only cloud storage

Microsoft 365 relies on Azure Cloud and guarantees built-in data replication and data center-to-data center geo-redundancy. This is a must to ensure uptime and reliability. However, a replica is not a backup, and it is out of your control, as it is not even yours. It does not protect you from data deletion or corruption: in such a situation the deleted or corrupted data is replicated along with the correct files, so your replica ends up containing the same deleted or corrupted data. Keeping multiple copies is your duty. Please remember the 3-2-1 backup rule: have three copies of your data in two different locations, including one outside of the company. Xopero helps you implement this rule by offering on-premise or in-the-cloud backup and multiple storage options.
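The point that a replica mirrors damage while a point-in-time backup preserves the pre-damage state, as an added illustration that is not part of the original article or of Xopero's software. The mailbox contents are constructed sample data, and `satisfies_3_2_1` checks the rule exactly as the paragraph states it (three copies, two locations, one off-site).

```python
from copy import deepcopy

# Constructed sample mailbox (message id -> content); not real Microsoft 365 data.
SOURCE = {"msg-1": "Q3 contract draft", "msg-2": "Invoice 2024-17", "msg-3": "Board minutes"}


def replicate(source):
    """Geo-replication mirrors the *current* state only: deletions and
    corrupted content in the source are copied faithfully to the replica."""
    return deepcopy(source)


def take_backup(snapshots, source):
    """Point-in-time backup appends an immutable copy instead of overwriting.
    Returns the index of the new snapshot."""
    snapshots.append(deepcopy(source))
    return len(snapshots) - 1


def restore(snapshots, index):
    """Restore the mailbox as it was when snapshot `index` was taken."""
    return deepcopy(snapshots[index])


def simulate():
    """Day 0: backup taken. Day 1: one message deleted, one corrupted by a
    faulty sync client. Compare what the replica and the backup can give back."""
    live = deepcopy(SOURCE)
    snapshots = []
    day0 = take_backup(snapshots, live)
    del live["msg-1"]                       # user (or attacker) deletes a message
    live["msg-2"] = "\x00\x00corrupted"     # client writes back garbage
    replica = replicate(live)               # replication copies the damage
    return {
        "replica_has_deleted_msg": "msg-1" in replica,            # False
        "replica_msg2_intact": replica["msg-2"] == SOURCE["msg-2"],  # False
        "backup_restores_all": restore(snapshots, day0) == SOURCE,   # True
    }


def satisfies_3_2_1(copies):
    """Each copy is a dict with 'location' and 'offsite' (constructed inventory).
    Rule as stated in the article: >=3 copies, >=2 locations, >=1 off-site."""
    locations = {c["location"] for c in copies}
    offsite = any(c["offsite"] for c in copies)
    return len(copies) >= 3 and len(locations) >= 2 and offsite
```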

Basic compliance

Microsoft makes it very clear: its role is data processing. It focuses on data privacy, holds a wide range of certificates, and guarantees two-factor authentication, but adjusting to all compliance demands and industry/legal requirements remains a data owner (user) responsibility.

Basic retention

In most apps, Microsoft by default offers 30 days of data retention for business users through the Recycle Bin. Please bear in mind that the Recycle Bin can be accidentally or intentionally cleared, and then there is no other way to restore your data. Using Retention Policies results in an extra payment for storage ($0.20/gigabyte/month; assuming an extra 50 GB per user in a 500-employee company, it could cost $5000 monthly). Once again, it is the user's concern to ensure a solution that offers unlimited and advanced data retention as well as granular & point-in-time recovery options.

User’s responsibility share

Office 365 users can rely on Microsoft to provide a reliable productivity suite, but they must count on themselves for data protection. They need to make sure their data (all of it, as well as specifically defined types of data) is accessible, available, protected, and recoverable at every moment and from any point in time, so that no disaster can cause data loss, downtime, and financial losses.

According to the shared responsibility model, data protection is the user's concern and duty. To protect data effectively, companies should establish data backup and data recovery processes. Microsoft does not offer these processes under the shared responsibility model, but they are crucial and necessary to cover the user's share of it.

Data backup and protection

Data backup and protection are the core of the Microsoft 365 user's responsibility. The main objective of data backup is to ensure that, in case of any failure, critical business data is accessible and recoverable in the shortest possible time. An efficient backup solution should provide multiple enterprise-class features: automation, on-premise and in-the-cloud storage, encryption, optimization, unlimited retention, and more advanced settings.

Long-term retention

As mentioned above, Microsoft offers 30 days of data retention for business users through the Recycle Bin. Efficient backup solutions offer unlimited yet cost-efficient retention, so you can recover your data from any point in time.

Data recovery

Data recovery is the process of restoring data from backup to prevent downtime, maintain a low RTO, provide quick access to data, and get back to business at any time. It is important to have granular recovery options, so that recoveries can range from the immediate restoration of a single file to an entire M365 data library.

Third-party backup solution: the missing part of the shared responsibility model

A third-party backup solution is your weapon against all Microsoft 365 suite cyber threats. It also fulfills your part of the shared responsibility model by ensuring efficient data protection. Xopero Backup for the Microsoft 365 suite enables:

  • data protection,
  • long-term (even unlimited) retention,
  • data-level security,
  • keeping multiple copies on-premise or in the cloud,
  • meeting industry, legal, and compliance requirements,
  • countering cyber threats…

…so that all your responsibilities under the shared responsibility model are covered. And much more!