Essential M365 Backup Strategy: Why Microsoft, NIST, and the ACSC Recommend Offline Backups

Discover why Microsoft, NIST, and the ACSC recommend offline backups for your M365 data. Learn essential strategies to protect your critical information from cyber threats and service disruptions.

As organizations increasingly rely on Microsoft 365 (M365) for storing critical data in OneDrive, SharePoint, and Exchange 365, many people are still unsure what the best practice is when it comes to backing up their M365 data. In particular, they are unsure whether to back it up in the cloud or on a local, offline storage device.

The answer lies in the best practices outlined by Microsoft, the National Institute of Standards and Technology (NIST), and the Australian Cyber Security Centre (ACSC). While third-party solutions that offer cloud-to-cloud backups are convenient, offline backups are crucial for a robust backup and recovery strategy.

The Importance of Offline Backup for M365 Data

Microsoft’s own service agreement emphasizes the need for regular backups, especially when you consider that access to your data could be lost if your account is closed or if there’s an outage. The agreement clearly states that in the event of service cancellation or disruption, data may be deleted or become inaccessible, urging users to maintain a regular backup plan. While Microsoft’s infrastructure is reliable, offline backups are still necessary for business continuity.

What Microsoft Recommends

Microsoft has published a Backup and restore plan to protect against ransomware, which gives recommendations on steps a business should take before, during, and after a ransomware attack. This plan highlights the importance of backing up data to a specific point in time and storing multiple copies in isolated, offline locations. This strategy ensures that, in the event of ransomware or other data loss incidents, organizations can quickly restore their data to a production environment.

NIST Guidelines on Backup and Recovery

NIST’s guidelines for data protection reinforce the need for offline backups as part of a comprehensive cybersecurity strategy. They recommend:

  • Securely storing backups offline: This ensures that in the event of a disaster or cyber incident, backups remain intact and accessible.
  • Testing backups regularly: Regular testing of backups ensures that they can be restored when needed, minimizing downtime and data loss.
  • Implementing geographic separation: By storing backups in different locations, organizations can further protect their data from localized disasters.

ACSC Recommendations for M365 Backup

The ACSC advises organizations to use third-party backup solutions that support secure authentication methods and store data on local and offline storage devices – i.e. not in another cloud location. This approach is particularly important in protecting against ransomware, which often targets cloud-based backups. The ACSC also emphasizes the importance of ensuring that the chosen backup solution can back up all critical data, including Exchange, SharePoint, OneDrive, and Teams.

The 3-2-1 Backup Strategy: An Industry Best Practice

The 3-2-1 backup strategy is widely regarded as a best practice for data protection. This strategy involves:

  1. Creating three copies of your data: One primary copy and two backups.
  2. Storing the backups on two different types of media: For example, one on a local server and another on an external drive.
  3. Keeping one backup copy offsite and offline: This is crucial for protection against disasters and cyber threats.

Applying this strategy to M365 data means that at least one copy of your critical data should be stored offline and offsite. This ensures that even if your online backups are compromised, you have a secure fallback.
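The rule above, combined with the ACSC's point that every critical workload must be covered, can be checked mechanically against a backup inventory. The following is an added example, not code from Microsoft, NIST, the ACSC or BackupAssist; the Copy record, the media labels and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Workloads the ACSC guidance cited on this page says a backup must cover.
REQUIRED_WORKLOADS = ("Exchange", "SharePoint", "OneDrive", "Teams")

@dataclass(frozen=True)
class Copy:                 # hypothetical inventory record
    workload: str
    media: str              # assumed labels: "cloud", "nas", "usb-disk", ...
    offsite: bool
    offline: bool           # disconnected from the network when not in use
    primary: bool = False   # True for the live M365 tenant copy

def audit_321(inventory):
    """Return {workload: [findings]}; an empty list means 3-2-1 is met."""
    report = {}
    for wl in REQUIRED_WORKLOADS:
        copies = [c for c in inventory if c.workload == wl]
        backups = [c for c in copies if not c.primary]
        if not backups:
            report[wl] = ["no backup copy at all"]
            continue
        findings = []
        if len(copies) < 3:
            findings.append(f"only {len(copies)} copies, need 3")
        if len({c.media for c in backups}) < 2:
            findings.append("backups are not on 2 different media types")
        if not any(c.offsite and c.offline for c in backups):
            findings.append("no backup is both offsite and offline")
        report[wl] = findings
    return report

# Constructed sample inventory (not real data).
SAMPLE = [
    Copy("Exchange", "cloud", True, False, primary=True),
    Copy("Exchange", "nas", False, False),
    Copy("Exchange", "usb-disk", True, True),    # rotated offsite drive
    Copy("SharePoint", "cloud", True, False, primary=True),
    Copy("SharePoint", "cloud", True, False),    # cloud-to-cloud only
    Copy("SharePoint", "cloud", True, False),
    Copy("OneDrive", "cloud", True, False, primary=True),
    Copy("OneDrive", "nas", False, False),
    Copy("Teams", "cloud", True, False, primary=True),
]

if __name__ == "__main__":
    for workload, findings in audit_321(SAMPLE).items():
        print(workload, "OK" if not findings else findings)
```

In the sample, SharePoint has three copies yet still fails, because both backups sit on cloud storage and none is offline.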

Avoiding Vendor Lock-In with Offline Backups

Offline backups provide an additional advantage: they help avoid vendor lock-in. If you decide to stop subscribing to a cloud-to-cloud backup of your Microsoft 365 tenancy or want to switch to a different provider, having a local, offline backup ensures that you retain access to your data. This independence can be crucial for businesses that need flexibility in their IT strategies.

BackupAssist 365: A Solution for M365 Offline Backup

BackupAssist 365 is specifically designed to meet the requirements for local and offline backups of M365 data that can also be taken offsite. It supports best practices recommended by Microsoft, NIST, and the ACSC, providing a reliable solution for organizations that need to protect their data against a wide range of threats.

BackupAssist 365 protects your M365 data with:

  • Optional backup encryption
  • Prevention of backing up mail attachments that fail a virus scan
  • Versioning capabilities
  • Automated backup scheduling
  • Modern authentication and access control
  • No risk of vendor lock-in

With BackupAssist 365, you can ensure that your M365 data is securely backed up and readily accessible when needed.

Conclusion

While other third-party solutions offer convenience with cloud-to-cloud backups, they should not be your only line of defense. Offline backups are essential for ensuring the security and availability of your M365 data, especially in the face of cyber threats and potential service disruptions. By following the recommendations from Microsoft, NIST, and the ACSC, and implementing the 3-2-1 backup strategy, you can safeguard your organization’s data and maintain business continuity under almost any circumstance.

New to BackupAssist 365? Download now to start your free 30-day trial.
