Executive Summary
The migration to cloud productivity suites, such as Microsoft 365 and Google Workspace, represents a significant architectural shift for modern organisations.
However, this shift has introduced a critical and often dangerous assumption: that the cloud provider is wholly responsible for protecting and backing up your data.
This is a fundamental misinterpretation of the service agreement. The reality is governed by the Shared Responsibility Model, a framework that delineates the security obligations of the cloud provider versus those of you, the customer.
Understanding this model isn’t just a matter of best practice; it’s a foundational requirement for achieving true data resilience, business continuity, and a verifiable compliance posture under frameworks like Cyber Essentials Plus.
Technical Deep Dive: The Architecture of Shared Responsibility
At its core, the Shared Responsibility Model is straightforward: the cloud provider is responsible for the security of the cloud, while the customer is responsible for securing their own data within the cloud.
Let’s break down the specific technical delineations.
The Cloud Provider’s Responsibility (Microsoft/Google):
Their obligation is to maintain the availability and security of their global infrastructure. This includes:
- Physical Security: Protecting the data centres from unauthorised physical access, fires, floods, and other physical threats.
- Infrastructure Uptime: Ensuring the underlying compute, storage, and networking hardware is operational, redundant, and meets the promised Service Level Agreement (SLA) – typically 99.9%. If a server fails in its data centre, it has failover mechanisms.
- Core Service Security: Protecting the fundamental cloud fabric from attacks aimed at its infrastructure.
Your Responsibility (The Customer):
Your responsibility begins where the provider’s ends, and it covers the most common sources of data loss:
- The Data Itself: You own and control your data. Its protection from deletion, corruption, or unauthorised access is your responsibility.
- Accounts and Access: Managing user identities, permissions, and access controls. If an account is compromised, the actions taken by that account are the customer’s responsibility.
- Endpoints: Securing the laptops, mobiles, and other devices that access your cloud data.
- Compliance and Legal Retention: Ensuring data is backed up and retained according to regulatory requirements (e.g., GDPR) and internal policy.
The critical gap lies in confusing the provider’s infrastructure resilience with data-level backup.
A native tool like the Recycle Bin in M365 is not a backup; it’s a temporary holding area with a default retention period of 14-30 days before permanent deletion.
Similarly, features like Litigation Hold and Retention Policies are designed for eDiscovery and compliance—they prevent deletion but are not architected for rapid, granular, point-in-time operational recovery. Attempting to restore a corrupted SharePoint site or a user’s entire mailbox using these tools is a slow, cumbersome, and often inadequate process.
Strategic Framework: Mapping Data Protection to Cyber Essentials Plus
Moving from the “what” to the “how,” a robust data protection strategy must be architected within a verifiable security framework. This is where a third-party backup solution becomes a non-negotiable technical control.
Let’s map this to the Cyber Essentials Plus framework, a baseline for UK cybersecurity.
Requirement A2.5 (Data Backup): The framework explicitly requires that organisations have procedures for taking regular backups of critical data and have a tested method for data restoration. Relying on the M365 Recycle Bin fails this test, as data can be permanently purged by users or after a short retention period.
In a ransomware scenario where cloud-synced files are encrypted, native versioning can be overwhelmed or deliberately wiped. A point-in-time restore from an independent, air-gapped backup is the only control that can reliably meet this requirement and prove your ability to recover.
Furthermore, under GDPR Article 32, organisations must implement “technical and organisational measures” to ensure the “ongoing confidentiality, integrity, availability and resilience of processing systems.” This includes “the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident.” A third-party backup solution is a direct and provable implementation of this requirement.
Implementation Best Practices & Common Pitfalls
At PrimaryTech, we architect and implement data protection strategies that address the limitations of the native cloud platforms. Here are the key technical considerations.
Best Practices:
- Implement the 3-2-1 Rule for SaaS: The principle remains critical. Your live M365/Workspace data is one copy. A dedicated, third-party backup solution provides the second copy on a different medium (separate cloud provider infrastructure) with the third copy being inherently off-site and, crucially, logically air-gapped from your primary tenancy’s authentication system.
- Define and Test RPO/RTO: Establish your Recovery Point Objective (how much data can you afford to lose?) and Recovery Time Objective (how quickly must you recover?). A dedicated backup solution allows for multiple, automated, intra-day backups, enabling an RPO of mere hours. Its dedicated restore console facilitates an RTO of minutes for a single file or a few hours for an entire mailbox—a speed unachievable with native tools.
- Ensure Granular and Cross-Service Restore: Your backup architecture must be capable of restoring anything from a single email or file to a full SharePoint site, OneDrive account, or Teams channel (including its associated files, conversations, and metadata).
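The RPO/RTO practice above is only meaningful if it is measured against a real backup catalogue and real restore tests rather than assumed. The following Python script is an added example, not PrimaryTech's code or any vendor's API: it takes a constructed list of snapshot completion times and constructed restore-test records for one protected object, computes the worst-case RPO actually delivered (the longest interval with no snapshot, including the time since the newest one), flags any window over the agreed target, and reports each object type's measured RTO, treating a type with no restore test as a failure because Cyber Essentials asks for a tested method of restoration. All timestamps, targets and object-type names are assumptions.

```python
from datetime import datetime, timedelta

# --- Constructed sample data (not from any real tenant) -----------------
# Completion times of successful backup snapshots for one mailbox.
# The 08:00 job on 2 March is missing, which opens a 12 h gap.
SNAPSHOTS = [
    datetime(2024, 3, 1, 2, 0),
    datetime(2024, 3, 1, 8, 0),
    datetime(2024, 3, 1, 14, 0),
    datetime(2024, 3, 1, 20, 0),
    datetime(2024, 3, 2, 2, 0),
    datetime(2024, 3, 2, 14, 0),
    datetime(2024, 3, 2, 20, 0),
]

# Constructed restore-test records: (object type, start, end).
RESTORE_TESTS = [
    ("single_file", datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 2, 9, 4)),
    ("mailbox", datetime(2024, 3, 2, 10, 0), datetime(2024, 3, 2, 13, 30)),
    ("sharepoint_site", datetime(2024, 3, 2, 14, 0), datetime(2024, 3, 2, 20, 30)),
]

# Assumed targets the organisation set for itself.
RPO_TARGET = timedelta(hours=6)
RTO_TARGETS = {
    "single_file": timedelta(minutes=15),
    "mailbox": timedelta(hours=4),
    "sharepoint_site": timedelta(hours=4),
    "teams_channel": timedelta(hours=8),   # never restore-tested in the sample
}
NOW = datetime(2024, 3, 3, 0, 0)          # assumed time the check is run


def rpo_windows(snapshots, now):
    """Every interval in which a failure would lose data: the gaps between
    consecutive snapshots plus the interval from the newest snapshot to now.
    Returns (start, end, length) triples; empty input means no copy exists."""
    times = sorted(snapshots)
    if not times:
        return []
    windows = [(a, b, b - a) for a, b in zip(times, times[1:])]
    windows.append((times[-1], now, now - times[-1]))
    return windows


def achieved_rpo(snapshots, now):
    """Worst-case RPO actually delivered: the longest window, or None if there
    are no snapshots at all (an unbounded RPO)."""
    windows = rpo_windows(snapshots, now)
    return max(w[2] for w in windows) if windows else None


def rpo_violations(snapshots, target, now):
    """Windows strictly longer than the target RPO."""
    return [w for w in rpo_windows(snapshots, now) if w[2] > target]


def rto_report(tests, targets):
    """For each object type with a target, the longest measured restore and
    whether it met the target. Types never exercised are reported as
    'untested' rather than silently passing."""
    measured = {}
    for kind, start, end in tests:
        measured[kind] = max(measured.get(kind, timedelta(0)), end - start)
    report = {}
    for kind, target in targets.items():
        if kind not in measured:
            report[kind] = {"status": "untested", "measured": None}
        else:
            status = "ok" if measured[kind] <= target else "exceeded"
            report[kind] = {"status": status, "measured": measured[kind]}
    return report


def backup_posture_ok(snapshots, tests, rpo_target, rto_targets, now):
    """Single pass/fail: at least one snapshot, no RPO window over target,
    and every RTO target both tested and met."""
    if achieved_rpo(snapshots, now) is None:
        return False
    if rpo_violations(snapshots, rpo_target, now):
        return False
    return all(r["status"] == "ok" for r in rto_report(tests, rto_targets).values())


if __name__ == "__main__":
    print("achieved RPO:", achieved_rpo(SNAPSHOTS, NOW))
    for start, end, length in rpo_violations(SNAPSHOTS, RPO_TARGET, NOW):
        print(f"RPO breach: no snapshot between {start} and {end} ({length})")
    for kind, r in rto_report(RESTORE_TESTS, RTO_TARGETS).items():
        print(f"{kind:16} {r['status']:9} {r['measured']}")
    print("posture ok:", backup_posture_ok(SNAPSHOTS, RESTORE_TESTS, RPO_TARGET, RTO_TARGETS, NOW))
```

Run against the sample, the script reports a 12 h achieved RPO (one missed intra-day job is enough to double the window), one SharePoint restore that overran its target, and a Teams channel that has never been restore-tested, so the overall posture fails even though the mailbox and single-file restores look healthy. The same loop can be pointed at an exported job history from whatever backup product is in use.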
Common Technical Pitfalls to Avoid:
- The Ex-Employee Data Gap: When you de-provision a user’s M365 licence, their mailbox and OneDrive data are queued for permanent deletion, typically after 30 days. A third-party backup solution decouples the data from the licence, retaining it indefinitely for legal, HR, or operational continuity purposes.
- Misunderstanding Ransomware’s Cloud Impact: Modern ransomware attacks target cloud data. An attack that encrypts a user’s local OneDrive folder will sync those encrypted files to the cloud, overwriting the clean versions. A point-in-time backup from before the infection is your only reliable rollback mechanism.
- Ignoring Teams/SharePoint Complexity: Microsoft Teams is not a single entity; it’s a composite of services, including a SharePoint site, an Exchange group mailbox, and other components. A backup solution must understand this object model to perform a complete and coherent restore.
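The ransomware pitfall above comes down to one recovery decision: for every file, pick the newest copy the independent backup took before the sync pushed encrypted content into the cloud, and be honest about files for which no such copy exists. The script below is an added example, not PrimaryTech's or any backup product's code. It works over a constructed catalogue of a OneDrive account (paths mapped to snapshot time and a placeholder content hash), selects a pre-infection restore point per path, separates out paths that only exist after the infection (the malware's renamed or dropped files, which must not be restored), and reports how much work is lost per file between the chosen snapshot and the infection time. Paths, hashes and times are all assumptions.

```python
from datetime import datetime

# Constructed backup catalogue for one OneDrive account (placeholder hashes).
# Each path maps to the (snapshot_time, content_hash) versions the
# independent backup holds, oldest first.
CATALOGUE = {
    "Finance/Q1-forecast.xlsx": [
        (datetime(2024, 3, 1, 2, 0), "h-clean-1"),
        (datetime(2024, 3, 2, 2, 0), "h-clean-2"),
        (datetime(2024, 3, 3, 2, 0), "h-encrypted"),  # captured after the bad sync
    ],
    "Finance/Q1-forecast.xlsx.locked": [
        (datetime(2024, 3, 3, 2, 0), "h-encrypted"),  # created by the malware
    ],
    "HR/contract.docx": [
        (datetime(2024, 3, 1, 2, 0), "h-clean-3"),     # untouched, one old copy
    ],
}

# Assumed time the local encryption began syncing to the cloud, taken from
# the incident timeline rather than guessed.
INFECTION_TIME = datetime(2024, 3, 2, 15, 30)


def select_restore_points(catalogue, infection_time):
    """For every path, choose the newest snapshot taken strictly before the
    infection time. Paths with no such snapshot are returned separately:
    they are files the malware created or renamed, or files never backed up
    before the incident, and need a human decision rather than a restore."""
    restore, no_clean_copy = {}, []
    for path, versions in catalogue.items():
        clean = [v for v in versions if v[0] < infection_time]
        if clean:
            restore[path] = max(clean, key=lambda v: v[0])
        else:
            no_clean_copy.append(path)
    return restore, sorted(no_clean_copy)


def data_at_risk(restore, infection_time):
    """Seconds of work that will be lost per path: the interval between the
    chosen clean snapshot and the moment encrypted content started syncing."""
    return {path: (infection_time - when).total_seconds()
            for path, (when, _hash) in restore.items()}


if __name__ == "__main__":
    restore, missing = select_restore_points(CATALOGUE, INFECTION_TIME)
    for path, (when, digest) in restore.items():
        print(f"restore {path} from {when} ({digest})")
    for path in missing:
        print(f"skip    {path}: no pre-infection copy, review manually")
    for path, seconds in data_at_risk(restore, INFECTION_TIME).items():
        print(f"loss    {path}: {seconds / 3600:.1f} h of changes")
```

The strict `<` comparison matters: a snapshot taken at the infection time itself may already contain encrypted content synced in the same minute, so it is treated as suspect. The loss figures are the realised RPO for this incident and are the numbers to compare with the RPO target when deciding whether the backup schedule was adequate.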
Conclusion: Moving Beyond Assumption to Architectural Resilience
The Shared Responsibility Model is not a fine-print clause; it is the foundational principle upon which your cloud data strategy must be built.
The native tools within Microsoft 365 and Google Workspace are designed for platform availability and compliance archiving, rather than the rapid, operational recovery that businesses require.
Architecting a true data resilience strategy requires moving beyond assumptions. It demands the implementation of a dedicated, third-party backup solution that provides an air-gapped, immutable, and rapidly recoverable copy of your critical data.
This is not an optional extra; it is a fundamental control for mitigating operational risk and achieving a certifiable security posture under frameworks like Cyber Essentials Plus.
Architecting a resilient and compliant data protection strategy for your M365 or Google Workspace environment requires a deep understanding of both the platform’s limitations and the requirements of frameworks like Cyber Essentials Plus. If your team needs a technical partner to design, implement, and manage a verifiable backup solution, contact the experts at PrimaryTech today.
Published: October 4