Office365 backup and compliance

For most businesses, their email system holds some of the most important data in the organisation. In the traditional SME environment where you manage your own servers either on premises or in a datacentre, the three main backups will be databases, file server content and email. With that data secure, the company will probably survive a disaster although it’s important to state that just having backups does not constitute a disaster recovery policy.

There are also compliance and retention considerations around email. On the one hand, a regulatory body such as the UK Financial Conduct Authority might specify that business emails have to be retained for six years. On the other hand, data protection regulations are usually interpreted to mean that some emails should be deleted after a set amount of time. For example emails related to job applications which contain candidate personal data such as a CV are often purged after six months, unless the candidate has explicitly allowed the data to be kept on file.

A sensible business has by now worked out how to negotiate the compliance and retention tightrope, and has a backup system for email which can not only recover that single important mail which was deleted and purged last week but can also restore the entire mail server to bare metal and get it working again in less than 24 hours.

And then the decision is made to move email to the cloud and use Office 365.

Exchange Online resilience

There are obviously great benefits to using Office 365 and its email server component, Exchange Online.

Firstly, it brings enterprise-level server resilience and availability to even the smallest business. Exchange Online makes use of the Database Availability Group feature in Exchange Server. This means that any given mailbox will actually be stored in four Exchange databases in two different datacentres. One of those databases will have the updates delayed so that in the event of a logical corruption of some kind, there will still be an uncorrupted version to recover to. This largely addresses the ‘loss of server’ restore scenario by building sufficient resilience into the system.

Secondly, Exchange Online implements the Single Item Recovery feature. This means that any items which are hard deleted (deleted from the Deleted Items folder or deleted using Shift-Delete) are put in a Recoverable Items folder in a hidden part of the user mailbox. By default they are stored there for 14 days although this can be increased to 30 days via retention policies. Items in the Recoverable Items folder can be restored by the user directly from Outlook and are also visible to an administrator with sufficient privileges. This largely addresses the ‘single important email’ restore scenario by having a ‘backup’ of items deleted in the last two weeks to a month, depending on configuration.

So the likelihood is that a small business will be in a better backup and recovery situation compared to a self-hosted solution just by the act of switching to Office 365 for email.

Compliance and retention in Office 365

(The assumption from here on is that you have an Enterprise Office 365 subscription – if not, you’ll need to check which features are included in your chosen plan.)

Compliance and retention is addressed through a number of standard features. This is a large topic which I’ll only briefly cover here.

The first building block for compliance and retention is enabling the Archive for a mailbox (Office365 Admin -> Admin Centers -> Security and Compliance -> Data Governance -> Archive), which allows items to be retained outside the main mailbox folder (and outside its storage allowance too).

The second building block is retention policies, which control how and when items are moved to and removed from the archive.

The third building block is the Hold feature, which prevents items from being deleted at all and, under some circumstances, retains old versions if items are modified. There are two types of Hold – In Place Hold and Litigation Hold. Both allow a retention time to be specified, for example 6 years to match FCA requirements. Note that new In Place Holds can’t be set on Exchange Online mailboxes from July 2017.

So you now have a resilient system which is configured to meet your business and regulatory requirements. But as a system administrator at heart, you won’t sleep well until you have a copy of the email data independent of the primary system. That was really the point of your tape and disk based backup systems, wasn’t it?

Native backup in Office 365

If you do feel that way, Microsoft is not going to help much with backups. That’s partly because they’ll feel the primary system has sufficient resilience. But it has long been the Microsoft strategy to leave some functionality to third party suppliers in order to encourage an ecosystem of innovation and competition around their products.

With Exchange Online, “There’s no automated way to periodically backup everything”. And that includes by using PowerShell as well, apart from a convoluted method that exploits a feature of eDiscovery. The only sensible way of getting an export file of a mailbox is by manually using desktop Outlook, and that’s not a sustainable or scalable solution.

So an ecosystem of third party suppliers of Exchange Online backup solutions has developed. In this case, Microsoft has not been particularly technologically encouraging. Backup solutions usually use the Exchange Web Services (EWS) API, which is not really designed for bulk operations. But that is what’s available so that’s what has been used.

Third party backup solutions

Your main choice is between solutions which back up to managed cloud and solutions which back up to your own storage, either on premise or hosted. Any self hosted solution will require internal resources – administrator time, server capacity, bandwidth, and storage – so remember to factor that into the costs. The following are examples of popular solutions of both types – it is not intended to be an exhaustive list.

Veeam for Office365
If you already use Veeam to backup your virtual infrastructure, this solution leverages known technology. It is however a standalone solution and doesn’t rely on you already having Veeam. You can back up specific mailboxes or all, and recover back to a specified Office 365 mailbox or recover to your own premise Exchange installation, if you have one. You can run eDiscovery searches on the local copy of mailboxes, which will probably be much faster than doing the same operation against Exchange Online. You can also save items to a file or save whole mailboxes to PST.
It’s free for one year to existing Veeam customers. After that, or if you’re not a Veeam customer, it’s currently offered at just under £24 per user per year, giving an annual cost of £712 for a 30 user environment.

CodeTwo Backup for Office 365
This is another on premises backup solution from a company which specialises in addons for Exchange, Outlook and Office 365. It offers brick level backup and restore, one time or incremental backups, and can export to PST. Pricing is very attractive at around $12.50 per user per year for SME, giving an annual cost of £290 for a 30 user environment. Licensing is purchased annually and, like Office 365 itself, licences can be reassigned to cater for staff turnover.

Cloudally Office 365 backup
Cloudally specialise in cloud backups of cloud solutions such as Office 365, Google, Salesforce, Sharepoint and Box. This is probably the most popular Office 365 backup solution. It uses Amazon S3 for storage and is completely managed online. You can still export mailboxes to local files though. The cost is $30 per user per year, giving an annual cost of £700 for a 30 user environment. A 15 day trial is available.

Spanning Office 365 backup
Spanning is another cloud to cloud backup solution, also covering Office 365, Google G Suite and Salesforce. The big difference with Spanning is that the backups can include Onedrive for Business data as well as mailboxes. Pricing is a maximum of $48 per user per year, giving an annual cost of £1100 for a 30 user environment. A 14 day trial is available.