Understanding Your Role in Microsoft Office 365 Shared Responsibility Model

In a traditional on-premises data center, the organization that owns it is responsible for managing security incidents, including the mitigation and remediation of any dangerous incident. On the other hand, if the company uses Infrastructure-as-a-Service offerings (Azure, AWS), security for infrastructure is the cloud provider’s responsibility. In the Software-as-a-Service model, specifically in the Microsoft 365 suite, Microsoft is responsible for maintaining the infrastructure and making sure data is available and accessible, while users are responsible for protecting their Microsoft 365 data. This means the user is responsible for restoring lost, stolen, deleted, or compromised data, which should be quite logical and obvious. In the end, it’s the user’s data, right?

Regardless of the cloud deployment types, the customer retains ownership of their data and identities and is responsible for their security, while the cloud service providers manage other operational aspects. This framework helps clarify the shared responsibilities involved in using cloud services. Understanding the Microsoft 365 Shared Responsibility Model is particularly important as it outlines the division of responsibilities between Microsoft and businesses regarding data protection and security.

It is particularly important to know which aspects of a cloud service’s security belong to the provider and which are the user’s concern. Additionally, it is good to know how to ensure data protection, backup, and point-in-time recovery using Xopero’s services so you can cover your share of the responsibility just as Microsoft covers its own. Understanding the specific cloud components users manage and their responsibilities in protecting these components is crucial for maintaining a secure cloud environment.

| Microsoft’s responsibilities | User’s responsibilities | Xopero’s responsibilities |
| --- | --- | --- |
| Cloud infrastructure | Business data | Automatic backup and data protection, the backup 3-2-1 rule |
| Infrastructure-level security | Data-level security | Backup & restore data-level |
| Microsoft cloud storage | Keeping multiple copies | On-premise, public/private cloud, Microsoft cloud, Xopero cloud – store your data anywhere you want. |
| Basic compliance (data processor) | Meeting legal requirements, local compliance, and industry regulations (data owner) | Encryption, integrity, data restore, disaster recovery – we help you meet all your compliance requirements (data guard) |
| Basic retention (up to 30-days in business license) | Long-term retention | Unlimited, enterprise-grade data retention (on-premise/in the cloud backup), advanced retention schemes (FIFO, GFS, Forever incremental) as well as granular & point-in-time recovery options |

Microsoft’s data protection limitations 

If we take a closer look at the table above, we will notice the main limitations of Microsoft Office 365 protection, which are described below.

As a cloud service provider, Microsoft focuses on global infrastructure security. However, cloud security follows the Microsoft Shared Responsibility Model where the cloud service provider secures the underlying infrastructure, and the customer is responsible for securing their data and applications within the cloud. This division of responsibilities helps protect against potential failures and breaches.

Limitation to infrastructure-level security

Microsoft focuses on global infrastructure and securing physical data centers to ensure that the Office 365 suite remains up and running. While Microsoft 365 is an undeniably reliable system (with a reliability guarantee of 99.9% uptime), it suffers from frequent outages on a local/regional basis that can result in data loss. Thus, customers are responsible for the access, control, and security of their data that resides in the Microsoft 365 infrastructure. The Azure shared responsibility model outlines the division of security responsibilities between Azure and its customers, where Azure secures the cloud infrastructure, and customers manage security within their own deployments.

Only cloud storage

Microsoft 365 relies on Azure Cloud and guarantees built-in data replication and data center-to-data center geo-redundancy. It’s a must to ensure uptime and reliability. However, a replica is not a backup, and it’s out of your control, as it’s not even yours. It does not protect you from data deletion or corruption: in such a situation, deleted and corrupted data is replicated along with the correct files, so your replica also contains the deleted or corrupted data. Keeping multiple copies is your duty. Please remember the 3-2-1 backup rule: have three copies of your data in two different locations, including one outside of the company. Xopero helps you implement this rule by offering on-premise or in-the-cloud backup and multiple storage options.

Basic compliance

Microsoft makes it very clear – its role is data processing. Choosing the right operating system is crucial for managing security and compliance in various deployment models, including IaaS, PaaS, and SaaS. Microsoft focuses on data privacy, holds a wide range of certificates, and guarantees two-factor authentication, but adjusting to all compliance demands and industry/legal requirements remains the data owner’s (user’s) responsibility. Additionally, managing and securing identity and directory infrastructure is crucial for compliance, as it ensures overall application security and user access management.

Basic retention

In most apps, Microsoft by default offers 30-day data retention for business users through the Recycle Bin. Please bear in mind that the Recycle Bin can be accidentally or intentionally cleared, and then there is no other way to restore your data. Using Retention Policies results in an extra payment for storage ($0.20/gigabyte/month – assuming an extra 50 GB per user in a 500-employee company, it could cost $5000 monthly). Once again, it’s the user’s concern to ensure a solution that offers unlimited and advanced data retention as well as granular & point-in-time recovery options.

User’s responsibility share

Office 365 users can rely on Microsoft to provide a reliable productivity suite, but they must count on themselves for data protection: making sure their data (all of it as well as defined types of data) is accessible, available, protected, and recoverable at every moment and from any point in time, so that no disaster can cause data loss, downtime, and financial losses.

It is essential to protect sensitive data by implementing measures such as encryption and data loss prevention to safeguard against breaches and ensure compliance with security standards.

According to “the shared responsibility model”, data protection is the user’s concern and duty. To protect data effectively, companies should employ processes of data backup and data recovery. Microsoft does not offer these processes under the shared responsibility model, but they are crucial and necessary to cover the whole of the user’s share in this model. Additionally, while migrating to the cloud, customers retain ownership and security responsibility for their on-premises resources, alongside their cloud data and identities, thus highlighting the cohesive security approach needed across different deployment types.

Data backup and protection

Data backup and protection are the core of the Microsoft 365 user’s responsibility. Cloud service providers play a crucial role in data backup and protection by offering tools and guidance to ensure that, in the event of any failure, critical business data is accessible and recoverable in the shortest possible time. An efficient backup solution should provide multiple enterprise-class features: automation, on-premise and in-the-cloud storage, encryption, optimization, unlimited retention, and more advanced settings. Additionally, users must manage specific security tasks such as configuring access controls, monitoring for unauthorized access, and ensuring data encryption to protect their applications and data deployed in the cloud.

Long-term retention

As mentioned above, Microsoft’s default retention policies, such as the 30-day data retention for business users through the Recycle Bin, have limitations, especially when it comes to protecting against deleted data. Efficient backup solutions offer even unlimited yet cost-efficient retention, so you can recover your data from any point in time.

Data recovery

Data recovery is the process of restoring data from backup to prevent downtime, maintain low RTO, provide quick access to data, and get back to business at any time. It is important to have granular recovery options so that recoveries can range from the immediate restoration of a single file to an entire M365 data library. Understanding the Microsoft 365 Shared Responsibility Model is crucial, as it outlines that while Microsoft secures the infrastructure, businesses are responsible for managing data-level security risks and ensuring effective data recovery.

Third-party backup solution – missing part in the shared responsibility model

The third-party backup solution is your weapon against all Microsoft 365 suite cyber threats. But it also fulfills your part of the Microsoft Shared Responsibility Model, ensuring efficient data protection. Xopero Backup of Microsoft 365 suite enables:

  • data protection,
  • long-term (even unlimited) retention,
  • data-level security,
  • keeping multiple copies on-premise or in the cloud,
  • meeting industry, legal, and compliance requirements,
  • countering cyber threats…

The Microsoft Shared Responsibility Model outlines the division of responsibilities between Microsoft and its customers across different service models like IaaS, PaaS, and SaaS. Microsoft secures the cloud infrastructure, while customers are responsible for securing their data and configurations within the cloud.

…so all your responsibilities are related to the shared responsibility model. And much more!