I recently covered the top things you should be thinking about when moving to a shiny new Microsoft Office 365 subscription—now it’s time to dig a bit deeper. As Office 365 becomes more common, it shouldn’t be a surprise that traditional backups are not a service you can purchase from Microsoft. At first glance you may cringe, because we all have experience with how important backups are with our on-premises deployment, but do realize there is a lot more to consider.
Let’s uncover the truths about document recovery within Office 365 Content Management, so that you can have the best processes for your content management strategy.
Evaluate organizational risk
First, let’s look at some recovery scenarios. Think about past situations you have faced that you never would have recovered from without a backup. If you couldn’t restore the information needed in these cases, what is the potential business impact?
Malicious viruses or malware
We implement layers of security to protect us from viruses and malware, but there is always some level of risk, no matter what your strategy is. While I personally have not come face to face with viruses or malware in my Office 365 content, I have seen the impacts of malicious attacks from CryptoLocker to on-premises file shares and backups. This is one very interruptive ransomware Trojan that I don’t wish on anyone.
So, what would happen if ransomware were to infiltrate your content in Office 365, despite the advanced security protection that Microsoft has implemented? Can anything be done to ensure that if something of this caliber were to impact your files, your business could get back to functioning quickly?
Be sure to develop a plan around this. (In the next section, we will discuss how you can be ready for this situation when using version control.)
I have seen many different approaches to account retention when someone leaves an organization. One approach is for an organization to disable the account initially, and then delete the account after some period of time. In Office 365, a deleted account will be retained for an additional 30 days. After that, it will automatically be removed. If there is still data tied to that account at the time of removal, then it will not be recoverable.
Define your processes in advance (using some of the options below) and don’t wait for the mishap.
With any well-planned strategy, you need to define the level of risk you are willing to assume. The following list will provide guidance around the Office 365 settings that must be configured to minimize data risk.
Confirm that version control is configured for all forms of content management. In newer Office 365 tenants, version control is already set up, but if you have been using Office 365 for some time then you may need to go into your Admin settings and do this.
Why? Having version control could serve as a point-in-time recovery of a document if needed. Even in the event of a virus or malware attack you could always go back to a previous version of a file. So, I strongly suggest that you confirm this is in place.
Notice I mentioned recycle bins (plural). This is because there are two layers of document recovery available—one that the user can access if they inadvertently delete a document, and a second stage recycle bin that the administrator can use to recover files that are past the initial period allowed in the primary recycle bin.
You can expect a user to be able to recover a file that was deleted up to 30 days back unless their primary recycle bin is full. If it’s full, every three days items will be moved to the second-stage recycle bin to keep the primary recycle bin size in check. If it’s not full, then nothing more happens until the file has been in the recycle bin for 30 days.
At the point that items are no longer stored in the primary recycle bin, an admin can use the second stage recycle bin to recover data. Admins can set the length of time in which they can restore files; typically, this is around 90 days.
Using these recycle bin features is a must in lieu of backups!
With deleted account retention, any content that is directly tied to a deleted account will be permanently removed after 30 days. As long as you understand that this is the default setting, you can plan to move data from the account to another content management location before the end of the 30 days.
These policies are very important to your Office 365 configuration, and also to your organization. Organizational responsibility for all legal and compliance responses revolves around whether documentation can be produced when needed. There have been cases over the years where hefty penalties were incurred for not being able to produce documentation. This often hinges on the fact that we do not have these expensive, robust systems in place.
When you are choosing your Office 365 subscription be sure that your plan allows you to retain your corporate information. Some of the options become available in the E1 subscription, but E3 and up offer more robust options.
Once you have a subscription with the Office 365 retention policy option, you will need to configure it in your tenant by logging in to https://protection.office.com/#/homepage Go to Data Governance > Retention to create the policy your business requires. These policies can include any content in Office 365, and aren’t just limited to content management.
Just because our data is in the cloud doesn’t mean we aren’t accountable for the data we put there. We cannot just blame Microsoft for our problem, and the last thing we would want to do is assume that everything isn’t our responsibility. I can assure you that if there is a problem, leadership will be coming to you for answers.
Take a close look at the options, and consider how they align with your policies for recovery. If there are any options that do not meet your criteria, then you may very well be investigating 3rd party backup options for your Office 365 Tenant. They can improve the accuracy of organizational data recovered, and improve the amount of time it will take to get back to business per usual.
What should you do?
At a minimum, leverage all the built-in Office 365 options you can that will align with your current organizational requirements. Also, keep in mind that holding on too much or too little data can create unnecessary legal risk.
Your ability to recover information also has a business impact that you need to have a complete understanding of. Taking the time up front to ensure that you have the right technical settings in place will provide you the best plan for long term success. I have personally learned over the years that it’s important to always prepare for the unexpected. Even if the risk is low, be ready!