In this month’s Ask CyberGuru we are asked, “I have moved onto a cloud-based service thinking that by moving onto this that it is backed up, but understand from talking to others that I need to back up. Is this the case?”
When you move onto the cloud, you may not realise that cloud-based vendors do not backup your data. The Shared Responsibility Model which most cloud vendors including Microsoft and Google utilise places the obligation on the customer to protect their own information, as well as users and accounts. Deleted information is only made available for a limited period of time. For this reason, we strongly suggest an automated backup solution, which allows organisations to keep a backup of their data in a separate cloud.
It may come as a surprise but cloud services don’t cover data protection as their responsibility and Microsoft 365 does not provide backups of its environment and third-party is required to perform this functionality.
Under the “shared responsibility model”, most cloud vendors including Microsoft, Google and AWS, advise that they manage the global infrastructure, that is, both the hardware and software provided, as well as recovery from natural disasters and power outages affecting their services to ensure it is up and available. However, information and data the responsibility of the customer, as well as accounts and identities (such as your individual user accounts and shared mailboxes).
As an example, in their Service Agreement (link opens in new window), Microsoft advises in its it does not “guarantee services will be error-free or that content loss won’t occur” and that it is not liable for any disruption or loss suffered as a result of disruptions and outages caused by the customer.
Google also make this information known as part of their Google Workspace services (link opens in new window). “You have a limited time from when the data was permanently deleted to restore files and messages. After that, the data cannot be recovered and is gone forever…Any file that is put into a Google Drive trash will be automatically deleted after 30 days. Previously, trashed items would be retained indefinitely until the trash was emptied by the user.”
Examples of this may include human error, accidental and malicious deletion, overwriting data or synchronisation errors or more malicious attacks phishing scams.
You should regularly backup all information stored on the cloud in case their services become unavailable for any reason or data loss occurs. There are products which allowing you to backup to another cloud and these can support you in ensuring you have a backup in case.
CyberGuru strongly recommends a third-party cloud backup solution and have selected some products in this space to protect your cloud-based data and provide your organisation with peace of mind your information is safely stored. Please contact us for more information and we can assist.