Backup vs data retention (and why you need both)
Backup and data retention are not new concepts, but over the years the line between their two functions has become increasingly blurred.
While you may have got away with using backups for data retention in your organisation’s on-premises past, that’s a lot harder to do in today’s highly regulated environment. Thankfully, cloud technology has made it easier (and more affordable) than ever to keep backup and retention separate – as they were always intended to be.
What’s the difference?
Backup and retention are both forms of data preservation, but the purposes for which they preserve that data are completely different. As a result, they require quite different capabilities from their solutions. Trying to use a backup solution for data retention (or vice versa) is a sure-fire recipe for frustration and the introduction of potentially serious security and compliance gaps.
Backups are regularly updated copies of current/active data that can be readily restored to their original (live) location in the event of data loss or corruption. Searchability and granular control are valuable, but ease, accuracy and speed of restoration are often of higher priority. As a last line of defence against data loss and/or corruption, secure (and preferably) redundant storage is essential.
Data retention is about storing an immutable copy of data for a finite period of time in order to meet very specific legal and/or compliance obligations. This data must be discoverable and available for legal production, with intact chain of custody and provenance records. Policy-based defensible deletion capabilities are just as important as secure storage.
For a deeper dive into these differences, check out Avepoint’s Guide to the Differences Between Microsoft 365 Backup and Retention.
What’s covered by Microsoft?
As part of their Shared Responsibility Model, Microsoft 365 includes both backup and data retention capabilities. The ultimate responsibility for data protection, however, lies with the customer.
Microsoft openly advises all organisations using Microsoft 365 to employ third-party backup solutions. (If you haven’t done so, we’d strongly suggest getting in touch.)
That said, Microsoft does offer native backup capabilities on all primary apps like SharePoint Online, OneDrive for Business and Outlook. Those capabilities are just a lot less flexible and customisable than most businesses prefer.
For example, data cannot be restored on an individual user level from official Microsoft backup files. Instead, recovery has to be done on full site level, with the entire site collection out of commission for the duration of recovery (up to four days).
In terms of data retention, Microsoft’s capabilities are a lot more nuanced and comprehensive (depending on your licence tier). Smart use of retention policies, data classification and labelling can create very effective and fully compliant in-place retention with no third-party solutions or separate storage necessary.
(Where in-place retention is not appropriate, intelligently deployed Azure archives offer an equally effective alternative.)
What about legacy data?
Between Microsoft’s in-place retention and built-in data resiliency, and a good third-party backup solution, your Microsoft data should be well-covered in terms of disaster recovery and retention-related compliance. But what about data from outside of your Microsoft ecosystem? All that legacy baggage you’ve been squirreling away in solutions like Mimecast, for example.
Consolidating your data estate is a great way to save costs, reduce admin, improve security and enhance strategic visibility. But – not all of your data is always going to be best served within Microsoft 365. It takes some tactical insight (and a sound understanding of your retention policies) to recognise when data would be better off preserved elsewhere.
Don’t let migration complexities dissuade you from deploying a robust backup solution in the meantime, however. Speak to us about a phased approach, securing your Microsoft 365 estate in readiness for future consolidation. We’ll do the groundwork you need now to achieve optimal security and compliance and support any future migrations when you’re ready.