The Microsoft 365 Shared Responsibility Model

Understanding of the need for SaaS backup has improved, but we still frequently hear: “Why do I need to back up my Microsoft 365 Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams data? Doesn’t Microsoft take care of it?”

It’s natural to assume that since it’s in the cloud, it’s covered. But is it really?

To add some clarity to this discussion, we’ve created a Microsoft 365 Shared Responsibility Model. It builds on the core principles of Microsoft’s own Shared Responsibility Model, but with a deeper emphasis on Microsoft 365 data specifically. It’s designed to help you, and anyone close to this technology, draw a clear line between what Microsoft handles and what responsibility falls on the business itself. After all, it is your data, and it’s your responsibility to protect it. Microsoft agrees: it recommends that you protect your Microsoft 365 data yourself, including with third-party tools. The Microsoft Services Agreement states: “We recommend that you regularly back up your content and data that you store on the services or store using third-party apps and services.” By taking proactive measures to safeguard your data, you put your organization in a position to prevent data loss and ensure business continuity.


What Is the Shared Responsibility Model?

Before we begin, let’s define this model. The Shared Responsibility Model is a framework that helps you understand which components and tasks you’re responsible for in an IT environment. In other words, it establishes where your duties end and where a service provider’s duties begin.

Microsoft’s Role in the Model

As we explore the Microsoft 365 Shared Responsibility Model, it becomes clear that Microsoft’s main responsibilities in Microsoft 365 are the backend infrastructure and service delivery resiliency, so there’s little to no service interruption. Think of Microsoft as the data processor.

Customer’s Role in the Model

The customer owns their data when it resides in Microsoft 365. It’s the customer’s IT department that’s responsible for ensuring that they remain in control of, and have access to, their business-critical data. This encompasses all data that’s created, stored, and shared across Microsoft 365 apps and services.

So, how can an IT organization protect all of this? Data protection best practice says you must have a backup, stored independently from the source, that can be recovered within an agreed recovery time objective (RTO). In this case, that means a backup of Microsoft 365 data that the customer’s IT department has full control over and access to, stored separately through a third party, and recoverable during any type of data loss incident.

Over the course of this blog we’ll fill in this Shared Responsibility Model in a visual format. On the top half of the model, you will see Microsoft’s responsibility for its core Microsoft 365 cloud service. On the bottom half, we’ll fill in the responsibility that falls on the business, or most likely on you, as you read.

Key Components of the Shared Responsibility Model

Primary Responsibility

Let’s kick this off by talking specifically about each group’s primary responsibility. Microsoft’s primary responsibility is its global infrastructure and its commitment to millions of customers to keep that infrastructure up and running. This means consistently delivering uptime for its cloud services and enabling the productivity of users across the globe.

An IT organization’s responsibility is to have complete access to and control over its business-critical data, regardless of where it resides, whether that’s in the data center or in Microsoft 365. This responsibility doesn’t disappear simply because the organization made a business decision to use a SaaS application.

Supporting Technology

Here you can see the supporting technology that’s designed to help each group meet its primary responsibility. Microsoft 365 includes built-in data replication, which provides datacenter-to-datacenter geo-redundancy to minimize (and almost eliminate) Microsoft app and service downtime. This functionality is a necessity: if something goes wrong at one of Microsoft’s global datacenters, Microsoft can fail over to the replication target, and in most cases users are completely unaware of any change.

However, replication isn’t a backup, and in Microsoft 365, this replica isn’t even YOUR replica; it’s Microsoft’s. To further explain this point, take a minute and think about this hypothetical question about backup and replication:

In general, which has you better protected: A backup or a replica?

I love to pose this question to live audiences and watch the discussion unfold. Some of you might argue the correct answer is a replica, because an application that is continuously or near-continuously replicated to a second site provides redundancy in case of failure and can eliminate application downtime. Others might argue there are problems with a replication-only data protection strategy. For example, deleted data and corrupt data are replicated right along with good data, so your replica now contains the same deletion or corruption. Those in this camp might believe that a backup has you better protected, since there are specific data loss scenarios that only a backup can protect you from.

The correct answer to this trick question is that you need both! This fundamental principle has been the bedrock of Veeam’s data protection strategy for over 15 years. Look no further than our flagship product, aptly named Veeam Backup & Replication.

So why don’t Veeam’s Microsoft 365 backup solutions include replication capabilities? Well, Microsoft already has that part covered. The only piece that’s missing is a backup.

You may be asking: “But what about the Microsoft 365 recycle bin? That’s kind of a backup.” Yes, Microsoft has many different recycle bin options, and they can help admins or users with limited, short-term data loss recovery. These recycle bins are a small part of Microsoft’s broader retention policies, which are a deep, complicated rabbit hole that determines what type of data is held, and for how long, depending on each Microsoft 365 service. To complicate things further, those settings can be customized by the admin and aren’t uniform across services. The Microsoft 365 admins we talk with often struggle to manage and monitor these policies. Commonly, admins believe they are covered, only to find out otherwise when it’s too late.

A great example of this is when an employee leaves the company. After the retention window expires (30 days by default for a deleted user’s OneDrive), that data is permanently deleted. Remember that complicated revenue projection model that Sally Smith was working on at the beginning of the year? She left the company a few weeks ago and it was stored in her OneDrive. So, it’s gone. We’ll have to start from scratch.
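The departed-user scenario above is the one that most often catches admins out, so here is an added example (not code from the original post or from Veeam) that checks the two default retention windows involved and widens the one Microsoft lets you change. It assumes you hold SharePoint and Exchange admin roles, that the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, that “contoso” is a placeholder tenant name, and that 365 days is your own policy choice rather than anything Microsoft recommends.

```powershell
# Added example, not from the original post. Placeholders: the contoso admin URL
# and the 365-day target are assumptions to replace with your own values.
$tenantAdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant
$desiredOneDriveRetentionDays = 365                        # your policy, not a default

Connect-SPOService -Url $tenantAdminUrl

# 1. A deleted user's OneDrive is kept for OrphanedPersonalSitesRetentionPeriod
#    days (30 by default, 30..3650 allowed) and is then purged for good.
$current = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
Write-Host "OneDrive retention after user deletion: $current days"

if ($current -lt $desiredOneDriveRetentionDays) {
    # Widening the window buys time; it is still a deletion timer, not a backup.
    Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $desiredOneDriveRetentionDays
    Write-Host "Raised OneDrive retention to $desiredOneDriveRetentionDays days"
}

# 2. Personal sites already sitting in the tenant recycle bin, ordered by the
#    days left before they are purged. Anything near 0 needs attention today.
Get-SPODeletedSite -IncludeOnlyPersonalSite |
    Sort-Object DaysRemaining |
    Select-Object Url, DeletionTime, DaysRemaining |
    Format-Table -AutoSize

# 3. Exchange Online: a deleted user's mailbox is soft-deleted for 30 days
#    (fixed, not configurable). Only a hold keeps it beyond that, as an
#    inactive mailbox, which is a compliance feature rather than a backup.
Connect-ExchangeOnline -ShowBanner:$false

Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, WhenSoftDeleted, LitigationHoldEnabled,
        @{ Name = 'DaysLeft'
           Expression = { [math]::Max(0, 30 - ((Get-Date) - $_.WhenSoftDeleted).Days) } } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Run this before offboarding, not after: a site or mailbox that has already aged out of these windows is beyond admin self-service recovery, which is exactly the gap an independent backup exists to close.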

At Veeam we strongly believe that to truly have complete access to and control over your business-critical data, relying on a recycle bin doesn’t cut it; you need full data retention. This includes short-term retention, long-term retention, and the ability to fill any and all retention policy gaps with easy recovery for any data loss scenario. You also need granular recovery, bulk restore, and point-in-time recovery options at your fingertips.

It is also important to note that Microsoft released its own separate backup solution for Microsoft 365 data in 2024, further validating that the Microsoft 365 service itself is not inherently protected within the cloud service. It includes new technology that can back up and restore large volumes of Exchange, SharePoint, and OneDrive data very quickly. Veeam and Microsoft have a close partnership, and Veeam was one of the first backup vendors to integrate this new backup technology into its products for customers to use.

Security

As we unpack the next layer of the Microsoft 365 Shared Responsibility Model, let’s talk about security, which is always a hot topic. You’ll see that this is strategically designed as a blended box, not separate boxes — because both Microsoft and your IT organization are responsible for aspects of this and need to work together.

Microsoft protects Microsoft 365 at the infrastructure level. This includes the physical security of its datacenters, the identity and authentication services within its cloud, and the user and admin protections built into the Microsoft 365 UI.

Beyond the infrastructure level, there are many built-in security features that can help bolster cyber resilience. These include multi-factor authentication (MFA), which verifies users with an extra step that’s not easily duplicated by attackers. Various types of encryption are used in Microsoft 365 to ensure that only authorized parties can access information, whether files at rest on a device or data in transit between users, such as emails in Exchange Online and messages in Teams. There are threat detection capabilities too, which can help prevent, detect, and respond to suspicious activity in your environment. Microsoft also uses centralized logging to analyze activities that might indicate a security incident has occurred. While all these security mechanisms have their benefits, your data is still not Microsoft’s responsibility.

The IT organization is still responsible for Microsoft 365 security at the data level. There’s a long list of internal and external data security risks, including accidental deletion, rogue admins abusing their access, and ransomware, to name a few. Note that none of these is prevented by Microsoft’s infrastructure controls: an authorized account deleting or encrypting data looks, to the platform, like a legitimate change and is faithfully replicated.

Many backup solutions mirror Microsoft’s infrastructure-level protections in the backup environment itself. For example, MFA on the backup console and in-flight and at-rest encryption of the backup data give the Microsoft 365 backup copy the same baseline protection as the source.

Regulatory

The final component of the Microsoft 365 Shared Responsibility Model is legal and compliance requirements. Microsoft makes it very clear in the Microsoft 365 Trust Center that you own your data and that its role is to be the data processor. This drives its focus on data privacy, and you can see on its site a long list of capabilities and industry certifications that keep the Microsoft 365 cloud services compliant. Even though your data resides within Microsoft 365, the IT organization’s role is still to be the data owner. This responsibility comes with all types of external pressure from your industry, as well as compliance demands from your legal, compliance, or HR peers.

Examples and Scenarios

What happens if you rely on Microsoft to execute a responsibility that’s yours? In the case of data loss incidents like accidental deletion or ransomware attacks, Microsoft does provide some safety nets. However, these are built for short-term data loss or are compliance tools like Legal Hold, which make it very difficult to recover exactly what you need. If you choose to rely on Microsoft to return your lost data, there is no real guarantee of if, or when, you might get that data back. This is why it’s so important to take your role as the data owner seriously. When you have complete access to and control over your own Microsoft 365 data, stored through a third party, you have the power to restore it at will.

Benefits and Challenges

The Shared Responsibility Model gives organizations the advantage of knowing with certainty what they are responsible for. It also keeps organizations and IT departments accountable for the duties and tasks they need to perform. The risk lies in not taking those responsibilities seriously. Many organizations are aware of their responsibilities in this model but would rather convince themselves that they have less responsibility for their Microsoft 365 data than they actually do.

Best Practices for Implementing the Model

The first step to effectively implementing the Shared Responsibility Model as the data owner in Microsoft 365 is to make sure that your data is protected through a third party that keeps your backup separated from its source. This takes more than just any backup solution, though. You also need the backup customization, recovery flexibility, and search capabilities your business requires.

How Veeam Can Help

Now you should have a better understanding of exactly what Microsoft covers within Microsoft 365 and why. Without a backup of Microsoft 365, you have limited access to and control over your own data, and you can fall victim to retention policy gaps and data loss. You also open yourself up to serious internal and external security risks, as well as regulatory exposure. While third-party Microsoft 365 backup adoption is on the rise, a survey found that, surprisingly, 71% of businesses were still unprotected.

Looking to find a simple, easy-to-use Microsoft 365 backup solution?

Look no further than the industry leader. At Veeam, you have two main options to protect Microsoft 365:

Veeam is not only a leader in the Gartner Magic Quadrant but has been rated as Highest in Ability to Execute for the fifth time too. Give Veeam a try and see for yourself!
