Microsoft 365: Ransomware vulnerabilities & shared responsibility model
In recent years, cloud services and SaaS offerings have revolutionized the speed at which a company can operate, and Microsoft 365’s suite of Exchange, Onedrive, Sharepoint, and Office 365 solutions has been at the forefront of this shift. Though as technology is making the upgrade from on-premise to cloud, bad actors and cyber threats are also redirecting their focus – especially when it comes to ransomware.
Almost a decade ago, when I was working as a software engineer in the on-prem backup and recovery space, protecting against ransomware was the highest priority. Of course because being unable to recover from a ransomware attack can be a death blow for a business and 93% of companies that lost servers for 10+ days filed for bankruptcy within a year, it makes sense that ransomware protection was highly prioritized. Now with the Cybersecurity and Infrastructure Security Agency (CISA) advising that the threat of ransomware is only increasing this year at a global level, it’s no surprise that reducing vulnerabilities for critical infrastructure is even more important than it was 10 years ago.
So what has changed?
The answer is simple – the biggest change is where the attacks are occurring. For the first time, the Verizon 2021 Data Breach Investigations Report observed that external cloud assets were more common than on premises assets in both incidents and breaches. And once again, that makes sense. More and more critical data is being stored in the cloud, so of course, bad actors are increasingly targeting cloud infrastructure. However, the part that isn’t as clear is who is responsible for ensuring that public cloud assets (like M365) are protected from ransomware attacks.
Why Backup Microsoft 365
Recently, I was speaking with the manager of cybersecurity at a Global 100 company who is directly responsible for the ransomware protection of their company’s cloud assets. When I asked how they were protecting M365, the manager responded that Microsoft was handling it for them as part of their Office E5 licenses. You can imagine the surprise on their face, when we had to tell them that Microsoft does not offer any native ransomware protection. In fact, if you google “M365 ransomware recovery” the first result is an article titled Recover from a ransomware attack in Microsoft 365, where the first step is to verify your 3rd party air-gapped backups.
It is fairly common for cyber security teams to not initially realize that their M365 environments (or other public cloud infrastructures – like AWS S3, RDS, EC2, etc) aren’t natively protected from ransomware attacks. The most common follow-up question I hear is that likely to happen? Do we even need ransomware protection for these assets?” The short answer is “it absolutely is and you absolutely do”. The longer answer involves explaining the shifting focus of cyber attacks towards cloud assets and the prevalence of cyber threats to M365.
Furthermore, they reported that ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020. Then after the explosive growth of remote productivity tools in 2020, it was estimated that 40% of organizations with Office 365 were aware of breaches and that 71% of M365 environments exhibited suspicious behavior that is indicative of a successful attack. Just last month, new vulnerabilities were discovered that can allow for files stored on SharePoint and OneDrive to be ransomed.
Microsoft’s Shared Responsibility Model
Now that we have established that M365 is vulnerable to ransomware attacks and requires 3rd party air-gapped backup protection, let’s explore why it is your responsibility, and what else you need to be aware of. When learning the M365-specific shared responsibility model, I find it helpful to view it through the lens of the 5 W’s and 1 H (Who, What, When, Where, Why, and How):
Microsoft’s shared responsibility model divides ownership responsibilities between YOU and MICROSOFT.
It’s worth considering who in your organization is responsible for what. Microsoft has tools and features for individual users and administrators. However, it is still up to your organization to put account-level policies and plans in place for: how to recover from an incident, handling users that are no longer at your company, organization-wide compromises, long-term retention, and many more scenarios.
Microsoft is responsible for the data resiliency of its infrastructure. If you are unfamiliar with the term “data resiliency”, it is a metric for how well data can remain intact in the face of unexpected compromising events. Microsoft 365 accomplishes data resiliency through these policies:
- “Copies of customer data must be separated into different fault zones or as many fault domains as possible to provide failure isolation.
- Critical customer data must be monitored for failing any part of Atomicity, Consistency, Isolation, Durability (ACID).
- Customer data must be protected from corruption. It must be actively scanned or monitored, repairable, and recoverable.”
While Microsoft is responsible for the resiliency of your data, you are still responsible for the creation and maintenance of the data itself. In the case of M365, if you have permissions to create data, you also have the ability to delete it. Consequently, that means you are responsible for both protecting your data from being incorrectly modified (human error, accidental deletions, ransomware, bad actors, etc) as well as establishing strategies to get back up and running quickly if/when an incident occurs.
When it comes to data protection timing, Microsoft in general focuses more on short term and convenience, leaving the longer term compliance and strategic initiatives up to you (often handled by 3rd party tools). With features like the “undo button” and the “recycle bin”, Microsoft gives individual users the controls to quickly fix the most straightforward incidents (if they are caught in time). At an administrative level, M365 natively comes with roughly 90 days of data recovery capabilities, and the E3/E5 enterprise licenses can extend that out longer to fit your organization’s needs. However, it is very important to note that these data recovery features are limited in their scope, can be expensive, and are not meant to protect against bad actors and ransomware.
When it comes to the security and governance of your M365 environments, the responsibilities fall on both you and Microsoft, with Microsoft primarily focusing global infrastructure and you focusing on data.
With privacy laws constantly updating, Microsoft has lots of published information on what they track and control.
The central and most important tenet of these policies is that YOU are always in control of what happens to your data. This level of control necessitates that you retain certain access and responsibilities for your data.
Specific to privacy laws, Microsoft’s role is as a “data processor” and your role is as the “data owner”. As the data owner, it is your responsibility to ensure compliance with various standards (SOX, SOC 1, SOC 2, PCI, HIPAA, etc) that govern your business. Often these responsibilities include requirements and responsibilities that are outside of Microsoft’s scope. For instance, many organizations are required to keep 7 years of email and communication history. However, when a user is deleted from M365, their data is also deleted. So in order to remain compliant with 7 years of history, you must keep a separate backup of all communications to ensure that data isn’t deleted when employees leave your organization.
Microsoft uses a multitude of strategies and features to ensure the data resiliency and uptime of your M365 environments, but the most important to understand is data replication. Replication is the process of creating a “live” copy of your data in a second (or multiple) location(s). They use these “[c]opies of customer data… separated into different fault zones” to ensure that your data is always as available and accurate as possible. Having said that, it is important to note that these copies are Microsoft’s copies, not yours. Also, they are exact copies of the changes you make – intentionally or unintentionally. Thus, any human error, accidental deletions, bad actor activity, or ransomware that impacts your environment will be copied to the replicated environments as well. That’s why you need backups.
“But wait, if there is a copy of my data, isn’t that a backup?” Actually, backups and replication are two totally separate concepts. Backups are point-in-time copies that are stored in an accessible location from which it can be restored (it’s not a real backup if it is not restorable). If you are interested in learning more, this blog goes into detail around the differences between backups, replication, and snapshots, but the most important thing to know is that backups are used to ensure consistent restore points (especially in the long term). These consistent restore points are then used to meet data retention and history requirements (often for compliance reasons). And while replication (for Microsoft’s purposes) is handled by Microsoft, backup is your responsibility. Fortunately though, having a robust backup and recovery strategy handles many of YOUR responsibilities in this shared model.
How Clumio helps
Microsoft 365’s suite of Exchange, Onedrive, Sharepoint, and Office 365 solutions are powerful tools for enabling your company’s digital strategy, but as always, “with great power, comes great responsibility.” And in this case, the “great responsibility” of owning a M365 environment is split between you and Microsoft. While M365 does a great job of protecting your data from the incidents and vulnerabilities that Microsoft is responsible for, there are other vulnerabilities and threats that YOU are responsible for protecting against, most notably ransomware attacks.
With the threat of a ransomware attack on M365 already high and still growing higher, it is more important than ever that you understand your role in protecting your data. In the case of a ransomware attack, it is your responsibility to have air-gapped, immutable backups that are stored in a secure location. That’s where Clumio comes in to help.
Clumio’s SaaS backup and recovery application provides an air-gapped, immutable backup of your Microsoft 365 (and AWS) data for protection against ransomware. Backups are stored in Clumio’s SecureVault — an air-gapped environment that protects against ransomware and accidental deletions, so you always have a gold copy to restore from. You can be protecting your data within 15 minutes, with one license covering unlimited storage and retention for Exchange Online, SharePoint, OneDrive, Contact + Calendars, etc. Plus it allows you for granular backup and recovery, so you can search for and quickly recover a single email, a full mailbox, an entire SharePoint site, specific site contents, or any point in time version of your OneDrive files. Additionally, depending on your architecture and licenses, Clumio is often cheaper than your existing approach (or building it yourself),so adding in ransomware protection for your M365 environment could even be a self-funded project that provides cost savings.
If you have any questions or want to dive into more detail around ransomware protection and the M365 shared responsibility model, feel free to schedule a conversation with one of our experts today.