Backups and Office 365 guidance

An introduction for health and care organisations

National Cyber Security Centre (NCSC) advice on backups

The National Cyber Security Centre (NCSC) have provided some excellent advice around backups in an online world to protect against threats like ransomware.

These 4 rules should be kept in mind when using the cloud to store any of your backups.

1. Offline rule - at any given time, are one or more backups offline?
2. Recovery rule - is the data in cloud backups restorable and recoverable?
3. 3-2-1 rule - is critical data saved in multiple backup locations?
4. Regular rule - is critical data backed up regularly?

When considering this guidance and how it applies to Office 365, 2 elements need to be considered:

1. Does the Office 365 platform meet the intention of the requirements: protecting backups from ransomware and ensuring the data is recoverable?

When using Office 365, the E3 licence (or the ‘E3R’ licence provided to all NHSmail users on the central/shared tenant) natively provides a capability that meets the intended outcomes of the NCSC recommendations as long as organisations take the following actions:

- Not instructing Microsoft to delete all records (backups) of data. Retention can be set to require copies to be maintained.

- Ensuring global administrator roles are extensively protected. Compromise of a privileged administrator account has the potential to overrule/disable settings and delete all copies. The central tenant (NHSmail) is configured with robust protections in place.

Organisations running their own Office 365 tenant should, in addition to best practice, consider using:

  • robust account management
  • very strong passwords
  • properly configured role-based access control
  • multi-factor authentication on all administration accounts and as many user accounts as possible, especially key users
  • privileged identity management (leveraging the O365 Enterprise Mobility and Security (EMS) / Azure Active Directory Premium 2 (AADP2) investments)
  • conditional access policies configured to only allow access from managed/authorised devices (leveraging the O365 EMS/AADP2 investments)
  • devices that do not have additional software installed on them that could be used to leverage an attack
  • client management: de-authorising old devices and using "log me out everywhere" functionality to terminate old sessions

Microsoft also provide the following information on resilience and ransomware protection built into Office 365.

Microsoft have stated:

“Data replication and data backup data for customer content, applications and support services is replicated for redundancy and disaster recovery purposes.

O365 applications and supporting services are replicated from the primary content database to a secondary content database within the same primary datacenter. The primary and secondary databases are then replicated across geographically dispersed datacenters.

Generally, the data maintained in the primary content database is replicated and accessible in real time via: (1) the primary database; (2) a secondary replication database located in the same primary datacenter with real time data; (3) a secondary disaster recovery server with real time replicated data in a geographically segregated datacenter; or (4) a server with a few minutes lag replication in a geographically dispersed datacenter.”

2. Does the Office 365 platform meet the data retention and recovery requirements of the organisation?

NHS organisations need to bear in mind that the default retention period for data is 180 days with focus on restore and recovery of previous versions of data.

NHS organisations need to risk assess the data that they are putting into the Office 365 environment and ensure that these services meet their needs. If additional retention is required it is possible to set longer retention periods.

Last edited: 27 May 2022 5:56 pm