Expert GuideEmpalis article in IT Security Online on the topic of cyber resilience: Which backup solution for Microsoft 365?

Markus Stumpf — 03. April 2024

Empalis Fachartikel in der IT-Sicherheit Online zum Thema CYBERRESILIENZ: Welche Backup-Lösung für Microsoft 365?

Data backup plays a central role in defending against cyber attacks. In the event of an attack, companies must be able to react quickly by protecting and restoring their most important data and applications. Our author explains how companies can back up their data in Microsoft 365 products and what they should look out for when purchasing a backup solution for the service.


Since the pandemic, many companies have allowed their employees to use private PCs, laptops and smartphones for work. In the home office or for remote requirements, Microsoft services are sometimes the number one choice. Accordingly, the number of users of Microsoft Office products has skyrocketed since 2019. According to the software company, more than 270 million people use the Teams platform alone every month in March 2022.


At the same time, Microsoft 365 (M365) has become an extremely popular target. 80 percent of untargeted attacks are aimed at one of the Office products. Falling victim to a cyberattack is therefore basically unavoidable today, and it is no longer enough to practice cybersecurity with the sole aim of preventing an attack. The questions that every company should therefore ask itself are: How resilient is the respective solution or service? What does the backup mean for the company's cyber resilience? Or quite simply: What happens if an attack does occur?

Why an external backup?

It can be assumed that every company is primarily interested in controlling and backing up its data at all times and thus the value that this data represents. M365 is a Software-as-a-Service (SaaS) offering, but at the same time certain responsibilities - including data backup - lie with the customer. This removes the data from the customer's control to a certain extent. The advantage of an external backup is that you regain basic control - and can therefore continue working almost seamlessly.


Central to any data backup is the creation of redundancies and the media break, also known as an airgap. A modern data backup concept is based on the 3-2-1 rule: three independent copies of each file - on at least two different media, for example hard disk and cloud, or two hard disks at two different locations - as required. One of these copies must be stored in such a way that the data cannot be accessed electronically. This approach is considered best practice worldwide and is recognized by security-relevant institutions - and increasingly demanded by cyber insurers (see Figure 1).

Figure 1: The 3-2-1 model for data backup in Microsoft 365

While the data in M365 is already located in a cloud (SaaS approach of M365), a modern data backup concept should attach importance to using both a local storage (data center) and/or a local or S3-capable cloud as storage locations, each of which is immutable and encrypted (see Figure 2).

Figure 1: The 3-2-1 model for data backup in Microsoft 365

What to look out for when buying a solution?

This question concerns the choice of operating model and the backup solution behind it. Microsoft 365 backup can be operated in-house or as a managed service. As many companies opt for M365 in order to relieve the burden on infrastructure and administration resources, a co-managed service is a good option for the backup solution. The following services should be included:

  • Setting up the backup solution
  • Update and monitoring
  • Provision and management of the backup storage

It also makes sense to think about patches or to outsource the entire operation to the service provider. In addition, the location of the data centers and support should be decisive for companies. Service providers have different concepts here, from faceless hotlines to 24/7 support by personal, English or even directly German-speaking service employees. For the actual backup solution, it is first crucial to define which M365 services are to be backed up. The author's recommendation here is: Exchange Online, SharePoint, OneDrive and Teams as the minimum data backup.


Ongoing, audit-proof storage (data retention) should be unlimited. In addition to the location of the data centers - preferably in Germany - the backups should always be encrypted and immutable. Some solutions also offer a "Self Service Restore" portal that allows companies to monitor performance more independently - provided they have the time to carry out restore tests themselves. The cost structure of data backup in M365 is advantageous in that the service provider is based on the users of M365 or the terabytes to be stored.

SaaS or on-premises?

SaaS solution in the cloud or on-premises is a crucial question that many people ask themselves when deciding on a backup solution for M365. In view of the current technical trends and the wide variety on the market, proven solutions from the backup software already in use are a good choice. These can usually be obtained via existing license agreements and are more or less integrated into the backup solution for other systems.


Many manufacturers offer several types of backup solutions for Microsoft 365, as an extension to the existing product and usually on-premises or as a SaaS offering from one of the major hyperscalers, usually Microsoft itself. However, it is problematic if the backup service is also hosted in Azure, as any disruption to the M365 infrastructure could potentially affect the backup service.


On-premises solutions do not have this disadvantage, as a media break in the sense of the 3-2-1 rule is easier to implement here. This allows you to bring the data back to your own company and is therefore independent of the Microsoft Azure service. If an outage lasts longer, it is possible to temporarily switch back to on-premises. Another difference lies in the additional functions of the providers specializing in M365, who have developed their solutions around the Microsoft 365 services. Here you will find, for example

  • Advanced governance and analytics modules,
  • Modules to facilitate Microsoft 365 administration or finding critical data,
  • Data analysis tools.

Backup & restore for M 365: What you should consider

  • Check the responsibilities ("Shared Responsibility Model"): What does the service take over, what do we have to do?
  • Is there an exit strategy, on-premises or with a cloud approach, if Azure is disrupted/unavailable?
  • Are hybrid email applications and migration to Office 365 part of the exit strategy?
  • How is data from departing employees stored?
  • Harmonization of the data structure in Teams and compliance with retention policies: How is data loss avoided?
  • How are internal and external security threats dealt with?

A backup solution for Microsoft 365

IT decision-makers see the risk of a cyberattack as the biggest threat to business process disruption. Microsoft 365 is a core service that is widely used within the workforce, from interns to CEOs on a daily basis. Hybrid working models, the "modern workplace" and other concepts of networked working mean that Microsoft 365 services continue to gain in importance. Despite this, three out of four M365 subscriptions are still not backed up externally. This gap is an open flank in the cyber resilience strategy of many companies due to the attractiveness of Office programs as an attack target.


Even with Microsoft 365, the responsibility for the data lies with the customer and therefore with the IT decision-makers. The adage "no backup - no pity" applies here just as it does to all other IT infrastructures. It is therefore essential to develop and implement a backup concept for these services.


If you have not yet backed up data in M365, this is by no means a hindrance: companies can start with individual users or services. Thanks to the "incremental forever" approach, which is generally followed by standard backup solutions on the market, it is possible to build up the backup inventory seamlessly through to daily backups, even though initially with a certain system load.

You were interested in this, then you may also be interested in...