We all know about the reports issued by companies that seek to create the need for their product. Various deficiencies are identified that just happen to be filled by the product in question and all is well in the world for those fortunate and erudite customers who seize the opportunity to purchase and deploy the product. This happens all the time with software as marketeers appear to be particularly taken with reports.
Which brings me to the conversation I had with the folks at Spanning about their backup product for Office 365 last February. When I wrote about the discussion, I expressed some reservations about their plans to use Exchange Web Services (EWS) to extract data from Exchange Online and transfer it to Spanning’s datacenters. EWS is a client protocol that was never designed to extract large amounts of information from Exchange. And as has been discovered with PST ingestion into Office 365, EWS is much slower than other methods to move data into Exchange Online too.
But EWS is the protocol that’s available so it’s the only game in town for ISVs unless they decide to build their own protocols to communicate with Exchange. To make the case for online backups, Spanning has released a report called “Don’t play games with your data: Why you need to backup Office 365”. According to the PR pitch for the report, “But, it [Office 365] doesn't offer complete protection against data loss. Find out where you are at risk for data loss, from both internal and external data invaders.”
Sounds like the report might make some good points, so let’s dive in to have a look. The document uses a rather cute template based on the classic Space Invaders video game and begins by laying out why Office 365 is an attractive solution and then moves to focus on some issues. This is where I start to have issues as great weight in placed on a 2011 Microsoft post to back up (no pun intended) the logic behind why Office 365 tenants should use external backups, specifically for Exchange.
A lot of water has flowed under the Office 365/Exchange Online bridge since 2011. One big change is that Exchange 2013 (and soon Exchange 2016) rather than Exchange 2010 currently provides the fundamental underpinnings for Exchange Online. The high availability features have been considerably enhanced since Exchange 2010 introduced the Database Availability Group (DAG) to enable Microsoft to avoid using backups by exploiting "Native Data Protection". All Exchange Online mailboxes are protected by four database copies deployed across at least two physical datacenters. One of the databases is a lagged copy so as to be able to deal with logical corruption.
The report says that a disgruntled employee can empty and purge their Deleted Items folder to remove information, making “data recovery and restoration difficult, if not impossible to perform.” Hmmm… First, the mailbox of a disgruntled employee might be on hold (if it contains anything important), in which case any action by the mailbox owner cannot destroy data. But even still, Exchange Online mailboxes have Single Item Recovery enabled by default, meaning that all deleted items are retained in the Recoverable Items structure until the standard 14-day retention period expires. So the statement isn’t quite as powerful as you might assume on first reading.
The next assertion says that “Deleted files, emails, and entire mailboxes are retained temporarily for a period… but are not recoverable after this period has expired.” Quite correct. As noted above, the retention period has a default of 14 days (it can be extended to 30). But if you have important mailboxes that you want to retain for longer after deletion, you can simply transform them into inactive mailboxes by putting them on hold and then deleting the mailboxes. Exchange Online keeps inactive mailboxes for as long as the hold exists and their contents remain discoverable during this time, assuming of course that the mailbox was assigned an appropriate license to support the hold (E3 or above or Exchange Online Plan 2) before it was deleted. Just saying…
And then “Deleted [Office 365] accounts are recoverable after 30 days, after which time they and all their associated data are permanently gone.” Absolutely accurate. But again, you can make mailboxes inactive and keep them for as long as necessary and you can even restore an inactive mailbox to make it come alive again, long after the original user’s account was removed from Office 365.
I agree with Spanning that user error is the reason for 75% of incidents when sensitive data is lost. This is probably one of the prime reasons why Microsoft decided that the Deleted Items folder for Exchange Online mailboxes is no longer automatically purged by the Managed Folder Assistant. This change was implemented in March 2015 to make it easier for end users to recover items that they delete accidently. I don’t particularly like the new approach, but I understand why Microsoft went along this route.
And then there’s the compulsory warnings that malicious users and hackers can compromise data, which indeed they can. All of which means that a possibility exists that you need a backup solution for Office 365 so that you can restore data should the need arise. Or so you might think.
Don’t get me wrong. I believe that situations exist when backups of data would be very useful, but I don’t think that the need should be over-hyped and built on infirm technical arguments that ignore the basic functionality built into a product. Single Item Recovery didn’t exist in Exchange 2010, Inactive Mailboxes only exist in Exchange Online, and the ability to restore inactive mailboxes is pretty recent, as is the change to stop emptying the Deleted Items folder. However, you’d expect that those who attempt to argue the case for backups should at least do so on the basis of what Office 365 tenants use today rather than what was available four years ago when Microsoft replaced the fallible and oh-so-backup-required BPOS with Office 365.
By all means investigate the case for backups for both Exchange Online and SharePoint Online data. It’s good to understand what is available and the value that these products deliver, including automating recovery operations. But before you invest in anything, do yourself a favor and make sure that whatever business and technical requirements lie behind the purported need for cloud backups cannot be met by the software for which you are already paying, especially if you have enterprise-class licenses for Office 365 and all the features described above are available to you.
And if you really want to, you can attend a webinar on the topic hosted by the genial Gina Rosenthal from Spanning on September 15. I won’t be there as I will be at the Aria in Las Vegas enjoying the sessions at IT/DEV Connections. Somehow I think those sessions will be a little more practical and up to date than the advice contained in Spanning’s report.
Follow Tony @12Knocksinna