Content complexity Moderate This rating relates to the complexity of the advice and information provided on the page. Before you begin Review the Small Business Cloud Security Guides introduction before you use this technical example. This technical example recommends the use of third-party backup solutions. Many of these solutions require ‘Global Administrator’ privileges. Why should you implement regular backups? Implementing regular backups will assist your organisation to recover and maintain its operations in the event of a cyber incident, for example, a ransomware attack. If you lose access to your files, restoring from secure backups will enable your organisation to recover and start operating again sooner. Backups must be carefully scoped to ensure that they cover all information an organisation requires to recover from a cyber incident, this typically includes important data, software and configuration settings. Regularly testing that backups can restore systems, software and important data will give your organisation confidence that it can recover from a cyber incident. By ensuring that unprivileged accounts can only access their own backups, you will reduce the risk that a malicious actor will be able to compromise your backups. Requirements for regular backups This technical example is adapted from Essential Eight maturity level one. It is designed to meet the following requirements: Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements. Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises. Unprivileged accounts can only access their own backups. Unprivileged accounts are prevented from modifying or deleting backups. What this technical example covers This technical example provides IT staff with guidance on choosing and testing a comprehensive backup solution for Microsoft 365. Microsoft 365 backup solutions Microsoft has published guidance on deploying ransomware protection in Microsoft 365. This guidance can inform part of an organisation’s backup strategy however it does not offer a complete solution. If your organisation implements Microsoft’s guidance, the ACSC recommends supplementing it with additional controls to better manage the risks associated with ransomware attacks. The above Microsoft guidance recommends protecting files in SharePoint and OneDrive for Business through versioning, recycle bin and file restore capabilities. Retention policies for email recovery are also recommended. These capabilities are not sufficient to recover from many cyber incidents, for example, attacks that involve administrator account compromise, enabling files to be permanently deleted and retention policies to be disabled. The guidance also relies on features that can only be fully implemented on tenancies with an E3 subscription or higher. Microsoft’s service agreement recommends performing backups using third-party software, acknowledging that their own offerings are not suitable in all cases. Microsoft’s guidance on recovering from a ransomware attack also suggests using an offline backup solution. The technical example below will assist organisations to choose a secure backup solution that meets their business requirements. Technical Example Choosing third-party backup software The ACSC recommends using a third-party backup solution to create an offline backup of organisational data. When choosing a third-party backup solution, ensure that any solution you consider meets the following criteria: Authenticates to your Microsoft 365 tenancy using modern, secure authentication. For example, backup solutions should be compatible with multi-factor authentication and should not require the use of legacy authentication methods such as ‘app passwords’. Stores your data on a local storage device, not elsewhere in the cloud. Offline storage is an important strategy to protect against ransomware attacks. Backs up and restores Exchange, SharePoint, OneDrive, Teams data and any other data important to the operation of your organisation. Ensure you carefully evaluate potential backup products and vendors. Third party backup solutions must be reputable because they will have access to your organisation’s potentially sensitive data. Performing regular backups of important data Once your organisation has selected an offline backup solution it should be configured to perform regular backups of important data. The steps to configure backups will vary from product to product. The guidance below is general in nature and will need to be adapted to the backup product selected by your organisation. Install the software to a trusted device. If possible, the device used should be a hardened workstation used only for backup purposes. For guidance on hardening a workstation, consider following Microsoft advice on securing devices as part of the privileged access story. Connect your backup device to your Microsoft 365 tenancy using your own administrator credentials. Ensure that you use multifactor authentication and that you use strong authentication methods, for example, strong passphrases and reputable authenticator applications. Create a storage location for the backup data. If you are using a dedicated backup device this can be on disk. If you are not using a dedicated backup device, it is best practise to use a removable storage device such as a USB or external hard drive. Initiate a backup of tenancy data to your chosen storage location. Consider setting up a process to automatically perform backups on a scheduled basis. Many Microsoft 365 backup programs support scheduled backups. If you are unsure of how frequently to schedule backups, consider how many days of work your organisation is willing to lose in the event of an incident and schedule your backups accordingly. Disconnect the device where your backups are stored from your network and store it in a secure location, for example, a safe. Consider following existing Microsoft guidance on enabling disk encryption to further reduce the risk of unauthorised access to backup data. Repeat the backup process regularly to ensure business continuity needs are met. Performing regular backups of configuration The Microsoft 365 Desired State Configuration Tool (Microsoft365DSC) can be used to backup and restore the configuration of your Microsoft 365 tenancy. Use this tool to extract the configuration from your Microsoft 365 tenant and save it as a series of files. These files will assist you to restore your configuration, if needed. Microsoft365DSC is an open-source initiative lead by Microsoft engineers and maintained by the community. The project has published guidance for users, including guidance on taking a snapshot of a tenant and deploying configurations. Testing restore Regularly test that your backup solution can effectively restore your important data, software and configuration settings. Performing regular tests will give your organisation confidence that it can minimise disruptions to businesses continuity in the event of a cyber incident. When testing a backup, ensure that the entire backup is tested, not just a subset of data or a ‘spot check’. There can be synchronisation issues or critical interdependencies that are unknown until a full back-up is tested.