Microsoft 365 Expert: Back Up Everything for 'Self Preservation'
20x Microsoft MVP Brien Posey explains how best practices can help save your job -- and how he was once fired for being an internal IT sabotage threat.
Lesson No. 1 for Microsoft 365 backups: "Back up absolutely everything."
That's the advice from Brien Posey, 20-time Microsoft MVP and Microsoft 365 expert, speaking in a recent half-day online tech summit held by Virtualization & Cloud Review and RedmondMag.
"Even if you don't need to," he continued. "I know, that sounds a little bit weird. I get it. But there is a method to the madness."
The method to the madness was explained in detail in Posey's "best practices" presentation as part of the recent "Microsoft 365 Security, Backup & Recovery Summit," now available for free on-demand viewing.
He provided two reasons for his No. 1 tip:
- Sometimes you may only realize a data set's value later on.
- Just because you aren't using a particular Microsoft 365 resource doesn't mean that your Office applications aren't using them.
The latter point was illustrated with a slide that reveals all the interdependencies among Microsoft 365 components, where data and files for different components are stored in different locations, with Office apps leveraging one another for storage. For just one example, Microsoft Teams stores files in SharePoint, while chat files are stored in OneDrive for Business. Other Teams data is stored all over the ecosystem. Posey is uniquely qualified for this part of the presentation, as he literally wrote the book on Conversational Microsoft Teams Backup.
For the first item, not realizing the value of specific data until later, Posey used a personal example.
"I've actually had this happen to me in real life," he said. "I've had some data that seemed relatively unimportant at the time, but I hung on to it for whatever reason. And then sometime later, I discovered, 'Oh, I could use this data for another purpose that I had never even thought of.' So that's one reason why it's important to back up everything, even if you don't really feel the need."
As far as backups in general, Posey emphasized that it's not really optional if you follow best practices -- and want to keep your job.
"Another reason why it's important to go ahead and take the initiative to backup Microsoft 365 is just something for self preservation," he said. While it may seem strange that the idea of not backing up data is even a consideration, Posey reminded the audience of hundreds that Microsoft years ago was espousing something called zero backups from Microsoft Exchange.
In fact, he authored an article on the subject titled "Zero Backups - The Way of the Future" on the TechGenix site in 2012. Despite, the title of the piece, Posey indicated in the book that he wasn't fully onboard: "Personally, I would be really nervous about the idea of giving up my backups in favor of zero backups."
In his presentation earlier this week, Posey noted that the idea behind zero backups was the fact that Exchange data becomes stale really quickly and a backup conducted with day-before data would still miss many messages. So Microsoft thought there was no point in restoring Exchange data unless restore points were available from just a few minutes prior. Rather, "it's better to simply prevent a situation that calls for data to be restored. And with enough redundancy in place, you don't even need to restore data, and they were referring to that as zero backups." That never caught on, and backups are now more important than ever.
"Just consider if you really want to ever be in a situation where you have to explain to your boss that a data loss occurred because you chose not to create a real backup."
Brien Posey, Freelance Author, 20x Microsoft MVP, Commercial Astronaut Candidate
"It was complicated and expensive to set up," Posey said. "And quite frankly, I don't think a lot of people feel comfortable with it. For the more practical standpoint, just consider if you really want to ever be in a situation where you have to explain to your boss that a data loss occurred because you chose not to create a real backup. That's what I mean by self preservation. Create backups just so that it can never come back and bite you that you don't have a backup."
Along with that sound career advice, Posey discussed numerous other subjects including native recovery mechanisms for various Microsoft 365 components:
- SharePoint Recycle Bin: Deleted items remain for 93 days, Microsoft support can recover for another 14 days, but must recover the entire site collection they can't recover individual files.
- Azure AD Recycle Bin: Restore AD objects for up to 30 days.
- Legal hold: protects data, but counts against storage limits. It's also messy to restore.
- Retention policies/versioning: Rapidly consumes space for frequently changing files, it also can be messy to restore since it requires files to be exported and manually added back to the document library.
After going into great detail on all of the above and more, Posey explained the reasoning to consider using more than the built-in protective mechanisms found in Microsoft 365:
- Recovery can sometimes be complex
- Your recovery options might not be as granular as you need
- The built-in options can leave gaps in protection
- There are some security threats that you might not be protected against
"So as you can see, there are a lot of protective mechanisms that are built into Microsoft 365," Posey said. "So why not just use those instead of relying on a backup? Well, there are any number of different reasons and things that you need to think about. For one thing, as you've seen, the recovery process can sometimes be complex. Additionally, the recovery options might not be quite as granular as what you need. And you saw that a moment ago with Teams. You have the ability to recover an entire team, but you weren't able to restore individual items within that team.
"Also, the built-in options can leave gaps in protection. I showed you various ways of getting data back for SharePoint and OneDrive and Teams and things like that, but you'll notice that there were some Microsoft 365 applications that I didn't talk about. So there can be some gaps in coverage. Also, there are some security threats that these potential mechanisms might not protect you against. So certainly, that's a major consideration as well."
Posey also detailed many other best practices for different aspects of Microsoft 365, with a bullet-point summary looking something like this:
- Ransomware CAN attack Microsoft 365!!!!
- Ransomware usually leaves you with two choices – pay the ransom or restore a backup.
- Paying a ransom is not a guarantee of having your data decrypted.
- The attacker may ignore the payment or ask for more money.
- Even if the data is decrypted, it may not stay that way for long.
- Don't be lax when it comes to backup security. Some ransomware is specifically designed to target backups.
- Write your backups to immutable storage if at all possible. It's the only way to beat a ransomware time bomb.
- Try to use a location agnostic backup solution that specifically supports Microsoft 365.
- Data is fluid. You need to be able to back up from anywhere and restore to anywhere.
- You can sometimes use the Recycle Bin to recover an accidentally deleted file.
- On occasion, you might even be able to use Outlook to get a file back.
Consider what would happen if data within a file is overwritten, as opposed to the entire file being deleted.
Retention policies MIGHT help, but ...
Legal and Compliance
- Many organizations have legal or compliance mandates requiring data to be backed up.
- Even if you can convince an auditor that your Office data is protected without a true backup, the native Microsoft 365 mechanisms probably don't meet your backup SLAs, storage requirements, or retention requirements.
Microsoft 365 Takes a Piecemeal Approach to Data Protection
- Each protective mechanism is controlled separately.
- There is no central policy that you can configure to control retention or other backup related settings.
Complexity Is the Enemy of Security
- Reduce backup complexity wherever possible.
- If you can, use a single backup application to handle on premises and cloud backups.
- This can also help to reduce administrative error since there is only one administrative interface to manage.
Be Aware of the Cost
Cloud backup and restore operations often incur:
- Storage costs (per GB per month)
- Bandwidth costs
- Data Egress Fees
External Security Threats
- Another great reason to back up your data, use least privileged access, and RBAC.
- Start working toward zero trust if you haven't already.
Internal Security Threats
- A rogue employee can delete data at any time.
- If that employee has done their homework, they might know how to permanently delete it (Use least privileged access and RBAC).
- IT Sabotage is real!
- I was once fired because my boss feared IT sabotage.
That last item made for an amusing anecdote.
"IT sabotage is real," Posey said. "I have heard numerous stories about it over the years. And as a matter of fact, I once had a boss who actually fired me for that very thing. No, I didn't sabotage anything. But I was at a company, and I had been there for quite a few years, and decided it was time to move on to a better position elsewhere. And when I put in my two weeks' notice, my boss fired me on the spot because he considered me a security risk. Because I had full-blown administrative access to the network and would have been capable of practically anything. I didn't have any ill will toward the company and certainly had no intention of doing anything like that, but my boss rightly feared IT sabotage."
But Posey made the best of things.
"Incidentally, since I didn't start my next job for a couple of weeks, I went to the Bahamas and made sure to send my former boss a postcard thanking him for the time off!"
For upcoming tech summits on AWS, remote work, cloud security and more (and on-demand viewing of others), see what's on tap here.