10 min Security

Is Microsoft stealing backup vendors’ lunch with Microsoft 365 Backup?

Is Microsoft stealing backup vendors’ lunch with Microsoft 365 Backup?

Microsoft unveiled a new feature at its Inspire event a few weeks ago: Microsoft 365 Backup. This solution gives a quick backup implementation to prevent organizations from having to endure a long recovery phase after unforeseen data loss. It is expected to launch in early 2024.

This announcement raised some questions on our end. After all, backups for Microsoft 365 are already offered by multiple backup vendors as well. What does this mean for them? And what does this ultimately mean for customers? Can they switch entirely to Microsoft’s own backup offerings? Or will this be placed on top of what the backup vendors already offer? We asked a few of them to find out.

Why is Microsoft doing this?

Before we get to the backup vendors’ responses, let’s briefly recall Microsoft’s announcement. What is Microsoft 365 Backup and why is Microsoft doing this now?

In unveiling Microsoft 365 Backup, Microsoft explains that restoring data can sometimes take months. The number of mailboxes and SharePoint environments can add up very quickly, especially for larger organizations. The files in them are also often relatively small. This causes them to take a relatively long time to transfer. It can be incredibly time-consuming to transfer everything back in a restore operation.

Because all Microsoft 365 Backup data resides within the Microsoft environments, it can be accessed quickly. That applies to OneDrive, Microsoft Exchange and SharePoint. Any recovery attempt should be complete within a few hours instead of taking weeks or months. The benefit of this control over the ecosystem is that Microsoft outperforms the capabilities of third-party backup vendors. The data is “closer,” so recovery should also be faster. Backup vendors will always have to integrate with the platform rather than be a core part of it.

Source: Microsoft

This all sounds positive for the end user: faster recovery capabilities and perhaps no need for external software at all. But with just a backup, you are not yet fully protected. In addition, it’s exceedingly unlikely that all your organization’s data is locked within the Microsoft suite. For external solutions that customers also use for backing up other data, it offers Backup APIs. These allow a third party to plug into the Microsoft platform and then connect it to external applications.

Microsoft has posted an article on its own Techcommunity blog about this announcement. In it, the tech giant explains why it has made this announcement. “We’re extending our APIs so partners can integrate our capabilities into their data management and protection apps. With Microsoft 365 Backup and Microsoft 365 Archive APIs, our partners can uniquely provide a single and seamless experience that protects your data estate, whether inside or outside of Microsoft 365, in combination with our speed and storage innovations.” This will allow an organization to keep 365 data elsewhere. Additionally, this API works both ways, so companies will be able to store data from Salesforce or from AWS, for example, on 365 Backup as well.

That a party like Microsoft is finally paying more attention to backup capabilities is a good thing. But what do the backup vendors, who have been focusing on Microsoft 365 backup for some time, think about it?

Shared responsibility

Our main question with this announcement is what this means for the backup solutions of the well-known players in this field. To gauge reactions, we asked Acronis, Cohesity, Commvault, Rubrik, Veeam and Veritas for their reaction to this news.

Andrew Kerr, Europe Solutions Marketing at Acronis, sees the announcement primarily as a result of the popularity of Microsoft 365 with attackers. He says it will also be reassuring for customers to see that Microsoft wants to make Microsoft 365 a more secure platform. Kerr thinks it answers the question of whether Microsoft 365 needs backup with a resounding “yes”. That’s a good thing.

He emphasizes here the concept of shared responsibility, which is apparently still not well-known enough. “For those organizations that haven’t heard of the shared responsibility model and believed that their data is safe purely because its in the cloud, this might come as a wake up call,” he states. In addition, he sees advantages for organizations that already get it: “For other organizations already using a third party backup solution, they will likely soon benefit from faster restore speeds.”

Sander Schreven, Presales Manager Benelux at Veeam, agrees. He is pleased that Microsoft finally publicly acknowledges the need to protect Microsoft 365 data. “Veeam has been creating this awareness for years with Veeam Backup for Microsoft 365,” he adds. Microsoft 365 Backup will become available in early 2024, with Schreven also indicating that this will make it easier to protect data according to the shared responsibility model.

Veritas also produced a blog about the announcement. This vendor notes that SaaS applications are increasingly in demand, where the user is responsible for the data produced on them. It posted a representation of the shared responsibility model in the blog.

Source: Veritas

Not competition, but complementary

What the Microsoft announcement means is also clear to Mark Boeijen, Alliance & Partner Business Manager at Commvault. According to him, there are still many aspects of backup that Microsoft does not yet cover. “These capabilities complement our existing Metallic offerings. Organizations still need targeted Microsoft 365 protection, including isolating data for additional cyber protection, performing granular in-place and out-of-place recoveries, and preserving data with extended retention periods. Our solutions make this possible.”

Like the other parties we put our questions to, Vasu Murthy, VP of Products at Rubrik, speaks highly of the faster recovery that will be possible. He, too, puts Microsoft’s new offering in the context of what Rubrik already offers. “The new integration with Microsoft 365 Backup joins the existing Rubrik-hosted Microsoft 365 Data Protection solution, focused on security- and compliance-driven options for Rubrik-managed backup and recovery.”

Murthy claims it’s mainly about speed of recovery for organizations, for which you don’t have to rely solely on Microsoft. “With so much valuable customer data residing in their Microsoft 365 environment, this should not be a blind spot in their cybersecurity approach. The integration with Microsoft 365 Backup supports organizations to quickly restore data in bulk, maximize recoverability, centralize management, and helps with the monitoring and management of sensitive data.” You can read more about Rubrik’s thoughts regarding Microsoft’s announcement in Rubrik’s own coverage.

Microsofts “inclusive” stance

According to several parties, Microsoft has also worked with third-party vendors that may already have existing approaches to preserving Microsoft 365 data. Andrew Kerr of Acronis talks about Microsoft’s “inclusive” stance. He gives several reasons for this: “Firstly, Microsoft’s offering will have the advantage of enabling very rapid restores, but the backup data will still be within Microsoft premises, which means relying on this service alone would leave customers with ‘all their eggs in one basket’ and wouldn’t meet the age-old rule of 3-2-1 backup.”

This 3-2-1 concept will be familiar territory to many, but for your information, this rule of thumb means that three copies of data must exist to ensure backup and recovery capabilities. Then one should use two storage formats and finally there should be one copy of the data available off-site. For a truly powerful security setup, this really is a basic requirement. Layered security needs much more, but backups are an important starting point.

Tip: Back-ups should be part of a modern layered security approach

It’s clear that there’s still room for backup vendors to prove their usefulness even when Microsoft 365 Backup launches. Kerr notes that Microsoft currently has not said anything about saving Teams data, so even within its own suite, not everything is covered. To be truly resilient at all, he argues, it takes more to have security in place.

VP of Research at Acronis Candid Wuest elaborates: “The focus of the new feature is on OneDrive, Exchange, SharePoint, which are often critical data buckets for companies, but there is more than this. Companies need to be able to restore any data or system as quickly as possible in the event of an incident.” Hence, Microsoft is offering an API to increase backup coverage.

New capabilities

Although Microsoft 365 Backup is new, the parties consulted emphasize that it will complement their existing services. Sander Schreven of Veeam says they already provide 16 million users of Microsoft 365 with backup and recovery capabilities. There, too, they are happy to hook into the Microsoft API for backups. “Veeam customers have been taking advantage of super-fast recovery with the Veeam Explorers for Microsoft 365 recovery for several years, and we expect the new backup APIs to enable even better recovery from ransomware events. Veeam will deliver an update to Veeam Backup for Microsoft 365 that will allow Veeam backups to be performed via Microsoft 365 Backup within 90 days of release. This update is expected to be generally available in early 2024.”

Joint protection

The picture we get from the backup specialists we consulted is one of cooperation with Microsoft rather than resistance. There is also a recognition among these companies that one cannot go it alone. EMEA CTO at Cohesity Mark Molyneux knows how to put it succinctly. “Today’s non-stop and increasingly sophisticated cyber threats require an all-hands-on-deck approach. It’s not the responsibility of one vendor to solve all cybersecurity challenges, it takes a village to fight the bad guys. That’s why it is absolutely necessary that vendors work closely with each other and drive integrations between solutions.”

He then cites from his own stable the Cohesity DataProtect product. This Backup-as-a-Service(BaaS) solution is already available to protect “critical SaaS, cloud-native and on-premises data” on Azure, Molyneux said. In addition to this, Cohesity expanded our partnership with Microsoft in April. Cohesity is now integrating with Microsoft’s broad platforms across security, cloud and AI – all in order to help joint customers secure and protect their data against escalating cyberattacks.”

Also read: Cohesity and Microsoft expand partnership: ChatGPT meets data security

We also hear this story of integration from Mark Boeijen of Commvault. “Microsoft will introduce the premium paid services in its Microsoft 365 admin center and through ISV partners. As one of the first vendors to offer this functionality, we will also integrate these new rapid recovery capabilities into our Metallic offerings.” He claims that this integration will only make it easier to recover from, say, a cyberattack.

In other words, Microsoft’s move can be seen primarily as an addition in the fight against data loss. This is not just because it’s necessary to have multiple backups. Microsoft now also brings with it a wealth of knowledge on its own platform that external parties can integrate with.

As an end user, 365 Backup will be able to provide an additional piece of support, even to keep data from external sources as well. However, there will still be room for other vendors to provide backup capabilities.

Tip: Diary of a ransomware attack: attack, recovery, best practices