As any product or service grows in popularity an ecosystem of third party solutions tends to sprout around it. Such is the case with Office 365 and backup products, as software companies both new and old position themselves to fill the gaps they see in the Office 365 data protection story.
It’s a topic that Tony Redmond unpacked in his Windows IT Pro article, “Basic features in Exchange Online undermine case for third-party backups”, and also wrote about it in great detail in Office 365 for Exchange Professionals.
The topic of cloud mailbox backups comes up in most customer engagements when Office 365 is on a company’s roadmap. The idea of going “backup-less” causes some IT managers to squirm in their seats, usually due to:
- unclear data retention requirements for the organization
- lack of operational maturity required to utilise data protection features
- lack of trust in Microsoft or the cloud in general
After all, Microsoft only takes part of the responsibility away from you when you move email to the cloud, looking after the infrastructure for you and making sure that your data is secure and replicated in their datacenters. You are still responsible for pushing the buttons and turning the dials to protect your corporate data in the cloud with the tools Microsoft provides to you.
The first challenge is an overall information management question. Start by asking some questions – what data does your company need to keep, and for how long? You may come up with a few different answers such as:
- All customer correspondence for 5 years
- All financial information for 7 years
- All project documents for 3 years
Expecting your users to properly classify data is, unfortunately, expecting too much. Given the mix of different data classifications that could all co-exist within mailboxes, the safest option is usually to choose the longest retention period, and set that as the overall requirement. In the example above that would be 7 years.
Next, examine your operational processes and your Exchange configuration. Do you currently meet those retention requirements? Frankly, a lot of on-premises deployments don’t. Apart from nightly backups and some long term backup tape storage there’s often no specific measures in place to ensure the retention of data for the required duration. However, on-premises Exchange can be configured with archiving and retention policies to preserve data to meet your requirements. So if you can work out a satisfactory archiving and retention policy on-premises, then you can transplant those configurations to Exchange Online as well.
Finally, the trust issues. This one may be more difficult to gauge. If your trust issues are based on not knowing whether Office 365 meets your technical and business requirements, then you can address that with a thorough evaluation against your set of acceptance criteria. On the other hand, if your trust issues are more of a “gut feel”, then I can’t help you there. Office 365 has a solid track record so far, but I know some people want to see that track record last a little longer first before they’re willing to consider it. Feel free to put any cloud adoption on hold until next year, if that’s what you need to do.
Or, do what some vendors would like you to do, and plug that trust gap with a third party solution. Consider that many on-premises deployments make use of third party systems to meet their data retention requirements already, whether that is with a tightly managed traditional backup solution, a journaling solution, an archiving solution, or some combination of all three. Why not take the same approach to data retention for your Office 365 mailboxes?
It may be as a straight-forward as that, if the vendor you’re already using has a cloud-based solution you can start using, although even the simplest implementation is riddled with complexity. Otherwise you’ll need to go through the usual evaluation and implementation process that any new system implementation entails, which is challenging but not impossible.
The simplest solution may be to use journaling for Office 365 email. This can be configured with journal rules in Exchange Online, sending a copy of every email sent and received in your tenant to a cloud archiving system, with the only caveat being that you can’t send the journal messages to an Office 365 mailbox. You can however send the journal messages to an SMTP address hosted by the vendor that has sold you the cloud archiving service.
While it may be relatively easy to turn journaling on for new email, you’ve still got to solve the problem of what to do with all your existing email in mailboxes, or in on-premises archiving systems. Ingesting all of that current data into a cloud archive over a network connection will be very costly and time consuming. Naturally, the cloud archive provider is also going to charge you a fee for the storage you will consume in the process.
Office 365 backup providers would be happy to help you solve that problem as well. These products (or services, if you prefer) usually leverage Exchange Web Services (EWS) to access mailbox contents and extract it for backup purposes. EWS is normally used as a client and application access protocol, not necessarily a bulk data extract protocol, although it is being used with great success by Office 365 migration products today.
With both journaling and backup cloud providers there are still roadblocks. Is the data retained in a way that meets your organizations security or regulatory requirements? Is it stored in an appropriate jurisdiction? Will it meet your long term retention requirements? Is it protected from accidental deletion, or data loss from hardware failure? These are questions that you’ve probably already answered for your on-premises solutions, and will need to answer again as you transition to the cloud.