SaaS Applications Change the Rules of Traditional Data Protection

This is part of a series of interviews with Asigra Partners. In this post we’re talking with Chad Whaley from Echopath about his experiences and thoughts surrounding Office 365.

TS: Tell us a little about yourself.

CW: My name is Chad Whaley, and I am the CEO and Co-Founder of Echopath (@EchopathLLC), a managed IT service provider specializing in backup and data recovery. Our team is experienced in implementing and maintaining our Asigra powered solution for organizations of all sizes. We provide more than just data backup and IT services; our clients receive a dedicated service team that is quick to respond to questions and needs in a matter of minutes.

TS: Chad as the trend continues for organizations to adopt SaaS applications in your experience are these companies thinking about data protection for office productivity tools like Office 365?

CW: Our experience in speaking with organizations that have migrated to Office 365 is that data protection is not top of mind.  Many people safely assume that when they purchase Office 365, Microsoft will be there to protect their data. A lot of people I’ve talked to choose not to pay for backup services because they don’t believe it’s worth the cost, again, with the assumption that Microsoft will be there for them and provide enough for their needs. What I see is a constant battle between what data people should protect and at what cost they want to protect it at.

Unfortunately, a lot of people don’t think about backup until after they’ve migrated to Office 365. We are working with three large corporations right now where protecting Office 365 data isn’t a budgeted item because it’s just not top of mind for them and it was not a budget consideration as part of the move to Office 365.

TS: Are there any pitfalls for organizations that rely on Microsoft to back up their Office 365 data?

CW: The data protection service provided by Microsoft is not reliable at all because their backup policies cannot guarantee a complete and speedy restore of lost data. There are also other data protection limitations. In a situation where a rogue employee (who was fired or left the company) decides to delete all their emails before leaving, you only have 30-45 days to view them, after those 30-45 days, the emails are gone forever and you can’t refer back to them. This limited time frame for restoring lost data is one of the main reasons why people shouldn’t be relying on data protection from Microsoft alone.

TS: Chad, in your opinion, why do organizations treat their data born in the cloud different than they treated their on-prem data? Why is the data in Office 365 any less important?

CW: Great question. My team and I have spoken to a number of organizations and our experience is organizations were always thinking about the catastrophic loss that might happen such as a natural disaster, fire, flood, earthquake that would have a direct and immediate impact to their office building or data center housing their servers hosting Exchange, SharePoint, file systems, etc.

Now that the data is offsite in Office 365, they think of data protection as more of a utility, not a necessity.  Most organizations think Microsoft has their back (up) covered. However, for publicly traded companies and others that need to meet compliance mandates, they should be thinking about the custody of the data and is Microsoft providing me with the data retention policies required to meet those mandates.

However, companies need to keep in mind that they need to consider that data loss events still occur, they just take a different form such as Crytolocker and other ransomware viruses.  Files synced to Office 365 can still be infected by these viruses just like other data sources.

TS: So, would you say that most organizations are contacting you to discuss data protection of Office 365 after a data loss event?

CW: Yes, in some cases, they contact us because they realize an email they needed to act as evidence in a legal dispute is permanently deleted and that’s when they realize they need to implement a backup solution for their Office 365 Exchange Online. In some cases, it is not a data loss event that made them engage with us, but rather they realize that they need help managing their overall email system from deploying new mailboxes, setting up new mailboxes, implementing and managing the backups on a daily basis, etc.

Especially for organizations that deal with a transient workforce like retail, manufacturing, healthcare, these organizations are constantly creating new mailboxes and then need to figure out how to handle the mailbox when the employee leaves the organization – do they just shut it off or point it to someone else’s mailbox.  People that approach us need help managing the churn of employees, archiving data, managing data as time goes on and managing the eDiscovery of emails.

TS: Chad, for organizations that want to implement a data protection solution for Office 365 what are the top five  things they should consider?

CW: First, I would advise all backup administrators to look for a vendor that can provide data protection for the full Office 365 suite – Exchange Online, SharePoint Online and OneDrive- even if it’s not part of the initial deployment. Organizations should always being thinking about future proofing.

Second, don’t be fooled by the pretty user interface. IT Professionals should make sure they know what is happening behind the UI – how is the data being transmitted and where is their data being stored.  This is very important.

Third, it is important to know how quickly data can be restored and exactly what services the Service Provider will provide.  Make sure you know the specific actions, tasks and responsibilities of the Service Provider.  Although some solutions are what we call “fire-and-forget”, you should always have a qualified IT professional managing it for you.

Fourth, Microsoft is constantly changing the behavior of Office 365, so there needs to be someone responsible for managing and monitoring your data and the backups to ensure all of the backup sets and schedules are running as required.  I would recommend not putting all your eggs in one basket by making sure your backup vendor isn’t storing data in the same cloud service as the SaaS application you are protecting. Make sure you look at the additional utilities and features that can help you manage Office 365 data and have a data protection strategy in place to ensure that you don’t let data loss take your company down.

Lastly, determining an action plan for handling employees that leave and preserving the emails that carry critical company information can be a very important step that many organizations fail to implement. You don’t want to be put in a situation where you discover that the email you are looking for is gone forever! Based on experience, we have seen that it is a good habit to be backing up certain emails more frequently than others to maintain employee records and paper trails.

TS: Chad, thanks for your time today and your insights relating to Office 365 data protection.

CW: Always great speaking with you Tracy.

If you have experienced an Office 365 data loss event or need data protection for Office 365, and want to know more about how Echopath can help your organization develop a data protection strategy, go to or contact Chad at

Topics Discussed

Related Posts

AssureStor Restores Files Held Ransom by Locky in 7 Minutes with Asigra Posted by Tracy Staniland This is part of a series of interviews with Asigra Partners. In this post... 7 min read
What’s the Best Way for Your Organization to Prevent Ransomware Attacks? This is part of a series of interviews with Asigra Partners. In this post we’re talking with Brent... 4 min read
Backup Industry Veteran Reveals Data Protection Risks of SaaS Applications his is part of a series of interviews with Asigra Partners. In this post we’re talking with William... 8 min read