Businesses frequently turn to SaaS platforms like Microsoft 365 because they are convenient: they eliminate the need to deploy and manage software on your own servers. That doesn't mean that SaaS solutions free you from having to manage security. Although SaaS providers manage some facets of security, they delegate many security-related matters, especially those related to data protection, to their customers through a shared responsibility model.
Here’s a look at how Microsoft 365’s shared responsibility model works and what you should know if you deploy Microsoft 365 in your business or incorporate it into a managed service offering.
What Microsoft Is Responsible For
As part of the Microsoft 365 SaaS platform, Microsoft manages and guarantees the following:
- Uptime: Microsoft guarantees maximum uptime for the infrastructure and software that hosts Microsoft 365.
- Data replication: To ensure high availability and reliability for data stored in Microsoft 365, Microsoft replicates it across multiple locations. Microsoft data replication doesn’t protect against user deletion; deleting a file removes all copies across its infrastructure.
- Access control: Available access controls for Microsoft 365 include multi-factor authentication in addition to basic password-based authentication.
- Setup and management: Microsoft configures and manages the infrastructure that hosts Microsoft 365. Management includes protecting against electrical failures, natural disasters and other problems that could disrupt service availability.
- Physical access: Microsoft provides protection against unauthorized access to the physical infrastructure that hosts Microsoft 365, which ensures that attackers cannot gain access to data stored in the system by physically accessing the servers hosting it.
In these ways, Microsoft manages parts of Microsoft 365 security and related issues like data and service availability.
What the User Is Responsible For
The primary responsibility of Microsoft 365 users lies in securing any data that they store and manage on the Microsoft 365 platform. Although Microsoft manages the infrastructure and services that host that data, users need to guard against risks such as the following:
- Accidental data deletion: Microsoft provides tools like the Microsoft 365 Recycle Bin to mitigate the risk of accidental data loss, but these only store deleted data temporarily.
- Internal and external attacks: A malicious employee could deliberately delete data, for instance, or a third party that gains access to your Microsoft 365 resources could encrypt it and hold it for ransom as part of a ransomware attack.
- Regulatory compliance: Users must ensure that any sensitive data that they store in Microsoft 365 is managed in ways that comply with regulatory policies that govern that data. Microsoft’s Litigation Hold feature can be helpful in managing data subject to litigation holds, but that is only one regulatory issue at stake.
- Data retention: Responsibility lies with users to ensure that they retain data in Microsoft 365 for the periods specified by any applicable laws or internal company policies. They may also need to delete certain data after a specified period. Microsoft automatically deletes data from inactive accounts after 90 days, which may conflict with retention policy requirements.
In short, Microsoft secures your infrastructure, but you must protect your data and ensure compliance.
Microsoft 365 Shared Responsibility Model
| Microsoft's Security Responsibilities: Infrastructure stability | Microsoft 365 User Responsibilities: Data safety and compliance |
|---|---|
| M365 infrastructure uptime: Maximum uptime for the infrastructure and software hosting Microsoft 365 | M365 data availability: Data availability and access to it are the M365 user's responsibility |
| Data replication: Data is replicated across multiple locations, which does not protect against manual file deletion | Data retention: Data should be retained for the periods specified by business need, applicable laws or internal company policies |
| Access control: Available access controls include basic password-based authentication and multi-factor authentication | Internal attacks: A malicious employee could deliberately delete data |
| Physical access: Protection against unauthorized access to the physical infrastructure | Virtual/digital access: Protection against a third party that gains access to your Microsoft 365 resources and encrypts the data to hold it for ransom as part of a ransomware attack |
| Setup and management: Microsoft configures and manages the infrastructure that hosts Microsoft 365 | Regulatory compliance: The M365 user should store sensitive data in ways that comply with regulatory policies governing that data |
How to Protect Microsoft 365 Data
As noted above, Microsoft 365 offers limited features to manage compliance and reduce the risk of accidental data loss. However, these features fall far short of a complete data protection solution.
That's why you must implement external protection and regularly back up all your Microsoft 365 data, ensuring that any files you accidentally delete from the platform, or that malicious users delete (or hold for ransom) deliberately, can be recovered.
In addition, regular backups make it easier to meet data retention and regulatory compliance requirements. Advanced Microsoft 365 backup solutions let you build data lifecycles and automatically delete data you no longer need.
Without a comprehensive backup solution for Microsoft 365, you have very limited control over your and/or your customers’ data. You also face a higher risk of data retention policy gaps and regulatory non-compliance.
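The retention and lifecycle logic described above can be made concrete. The following is an added example, not MSP360 code and not a Microsoft API: it evaluates backed-up items against a constructed retention policy (a legal minimum, an optional lifecycle purge age, and a litigation-hold override) and flags items whose required retention outlasts the 90-day inactive-account purge the article mentions, which is exactly the case where the backup copy becomes the only copy that can satisfy the policy. Item records, dates and policy values are all constructed.

```python
"""Retention-policy evaluator for backed-up Microsoft 365 items (added example).

Assumptions: the 90-day inactive-account deletion quoted in the article is
treated as a source-side purge date; policy numbers and item records are
constructed for illustration and are not real tenant data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional, Tuple

INACTIVE_PURGE_DAYS = 90  # figure quoted in the article (assumed purge window)


class Action(Enum):
    RETAIN = "retain"  # inside the required retention window, keep the copy
    DELETE = "delete"  # lifecycle rule says purge and no hold blocks it
    HOLD = "hold"      # litigation/legal hold overrides the lifecycle rule


@dataclass(frozen=True)
class RetentionPolicy:
    min_retain_days: int                    # law or internal policy: keep at least this long
    delete_after_days: Optional[int] = None  # lifecycle: purge once older (None = never)

    def __post_init__(self) -> None:
        # A lifecycle rule that purges before the legal minimum is a policy gap,
        # not a valid configuration, so refuse it up front.
        if self.delete_after_days is not None and self.delete_after_days < self.min_retain_days:
            raise ValueError("delete_after_days must not be shorter than min_retain_days")


@dataclass(frozen=True)
class Item:
    path: str
    last_modified: date
    on_hold: bool = False
    account_last_sign_in: Optional[date] = None  # None = account is active


def decide(item: Item, policy: RetentionPolicy, today: date) -> Action:
    """Lifecycle decision for one backed-up item."""
    if item.on_hold:
        return Action.HOLD
    age_days = (today - item.last_modified).days
    if age_days < policy.min_retain_days:
        return Action.RETAIN
    if policy.delete_after_days is not None and age_days >= policy.delete_after_days:
        return Action.DELETE
    return Action.RETAIN


def retention_gap_days(item: Item, policy: RetentionPolicy) -> int:
    """Days by which the required retention window outlives the source-side purge.

    A positive value means the platform will have purged the data before the
    policy allows it to go, so the backup copy is the only one that satisfies it.
    """
    if item.account_last_sign_in is None:
        return 0
    purge_on = item.account_last_sign_in + timedelta(days=INACTIVE_PURGE_DAYS)
    retain_until = item.last_modified + timedelta(days=policy.min_retain_days)
    return max(0, (retain_until - purge_on).days)


def audit(items, policy: RetentionPolicy, today: date) -> Dict[str, Tuple[Action, int]]:
    """Map each item path to its lifecycle action and its retention gap in days."""
    return {i.path: (decide(i, policy, today), retention_gap_days(i, policy)) for i in items}


# Constructed sample data: a one-year legal minimum, seven-year lifecycle purge.
SAMPLE_POLICY = RetentionPolicy(min_retain_days=365, delete_after_days=365 * 7)
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_ITEMS = [
    Item("Sales/q1-forecast.xlsx", date(2024, 3, 1)),
    Item("HR/2016-review.docx", date(2016, 1, 1)),
    Item("Legal/contract-dispute.pdf", date(2016, 1, 1), on_hold=True),
    Item("Users/jdoe/notes.docx", date(2024, 1, 15), account_last_sign_in=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for path, (action, gap) in audit(SAMPLE_ITEMS, SAMPLE_POLICY, SAMPLE_TODAY).items():
        flag = f"  backup is sole copy for {gap} days" if gap else ""
        print(f"{action.value:6}  {path}{flag}")
```

The gap calculation is the point most worth carrying into a real backup schedule: any item with a positive gap must already be in a backup before the account's purge date, and the backup's own retention setting must run at least until `retain_until`.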
Discover more about our backup software and Microsoft 365
Find out more about our dedicated managed backup service for Microsoft 365 and Google Workspace. For MSPs looking to expand their offerings, selling Microsoft 365 provides a robust framework for delivering value to clients.
To safeguard data, adopting Microsoft 365 best practices for data protection is essential, particularly for cloud-based environments. When evaluating cloud storage, a comparison of Dropbox, OneDrive for Business, and Google G Suite highlights key differences in functionality and integration.
When choosing email solutions, comparing Exchange Online vs. Exchange On-Premises can guide decisions based on scalability and maintenance needs. For organizations transitioning to Microsoft 365, resources on migrating from Gmail to Office 365 offer step-by-step guidance. For comprehensive backup solutions, tools like MSP360 Backup for M365 and Google Workspace provide robust options, including PST export capabilities.
Additionally, securing Google Workspace requires adherence to a Google G Suite security guide, while Office 365 SharePoint backup and Office 365 mailbox backup strategies ensure data resilience across critical workloads.
MSP360 Managed Backup for Microsoft 365
MSP360 Managed Backup provides full support for backing up Microsoft 365 data, while also giving you complete control over data backups.
With MSP360, you can easily back up your Microsoft 365 accounts, including Outlook mailboxes, calendars and contacts, as well as Microsoft Exchange server, OneDrive, SharePoint and Teams data. You can set custom data retention policies to meet your company’s needs, and you can store backup data on-premises or in any major public cloud.
In the event that you need to recover Microsoft 365 data, MSP360 Managed Backup lets you select and recover individual files, folders or emails. Or, you can choose to back up all of your data. You get maximum flexibility, depending on your or your customers’ business requirements.
To see for yourself, request an MSP360 Managed Backup demo or sign up for a free trial.

