Why backing up Office 365 with Veeam is a functional mistake, a technical nonsense, a security loophole, and a financial aberration.

Those who follow me a little know that this is a subject I particularly enjoy. And since it arouses passions among Veeam partners, William asked me to lay out my argument in this post.

Far from wanting to take the passion out of the debate, because it is fascinating, as it demonstrates the difference between the old on-premise world and the new world of the cloud – and the difficulty for some integrators to operate their transformation – I propose to provide, via this article, some explanations…

Veeam, seeing a risk to its market share with the massive migration of its customers to the cloud, tried to adapt. All those mailboxes and SharePoint sites that Veeam used to back up have been decommissioned. Tough luck.

Veeam was providing excellent services at that time.

So, they decided to continue doing what they did on-premise with Office 365. Bad idea.

It must be acknowledged that while their strategy for backing up on-premise assets to the cloud (PaaS or IaaS, especially Azure) is an excellent idea, the saying ‘you can’t make good jam in old pots’ doesn’t apply to Microsoft’s SaaS offering.

In other words, riding on the on-premise habits of our customers to continue selling Veeam is merely a commercial calculation based on fears and age-old habits, which it is our responsibility, as integrators, with the help of the publishers, to deconstruct and rationalize among our clients.

The functional mistake

It’s a mistake made by IT professionals who see a migration project to the cloud as an infrastructure project or something technical. The IT professional has always used Veeam on-premise for their mailboxes and SharePoint, so, as they move their mailboxes to the cloud, they’ll use Veeam in the cloud…

It’s important to remember that migration projects to the cloud are transformational projects. They’re not technical projects – although some aspects of these projects are technical. And when we say transformational, the first areas that need to be transformed are those within the IT department. It’s the integrator’s job to ensure that the client understands that what was true on-premise is no longer true in the cloud.

Veeam comes with a discourse oriented towards compliance, saying ‘you must manage data retention, blah blah, you can’t do it with Office 365, blah blah.’ These messages find particular resonance during GDPR compliance periods.

To bolster its discourse, Veeam relies on a network of well-established integrator partners and on on-premise usage habits among end clients – where the transformative approach of the IT department may have been little (or not at all) initiated by these integrator partners, as they themselves have not undertaken it internally.

Naturally, the client tends to turn to what they know from the old on-premise world. And this happens without the integrator, who earns commissions on Veeam sales, indicating to the client that the solutions to their needs already exist in the Office 365 E1, E3, and E5 plans they have contracted.

I have found myself several times in situations where I have had to inform the client about the existence of retention policies in Outlook/Exchange Online, immutable retention, email deletion timelines, etc., without the integrator having mentioned them; they were more interested in making the client pay again for a tool they don’t need just to get their cash back and sell a Veeam integration service. This borders on lack of advisory… No, it’s outright in it.

[UPDATED 01 2021] On the lack of advisory, it is even more pronounced now that Veeam and its partners regularly pull out an excerpt from the terms of use of Microsoft’s consumer cloud services (XBOX, MSN, Hotmail, etc.), explaining that there may be data loss and that it is advisable to make a copy of the data using a third-party tool. This is done to scare clients and push them into purchasing.

Users of Microsoft 365 for Business or Enterprise are obviously not affected by this consumer cloud services terms of use. The binding contract is called the Online Services Terms (OST).

The fact is that, probably out of convenience and perhaps due to a lack of curiosity, I discover over time that integrators, especially some Veeam partners, are very poorly informed about the advanced compliance and data lifecycle management features offered by Office 365. In fact, to my knowledge (please speak up if you disagree, so we can form a club), there is only one integrator in France with genuine expertise in the Compliance Center: the ECM experts at SWORD in Lyon.

The second functional mistake lies in the fact that Veeam, in its operation and interface, is not designed for compliance professionals but for IT professionals. Therefore, Veeam cannot be sold as a compliance tool (although they position themselves as such).

Microsoft 365’s Compliance Center, accessible from the E1 plans onward, fully integrated into Office 365, provides far stronger technical and contractual guarantees than Veeam – whose hosting must be operated by the client – regarding data retention modalities (long-term storage, scheduled destruction, response to investigative needs, advanced classification, retention, etc.). It addresses both IT professionals and legal teams.

In addition to this, there’s the Compliance Manager, an excellent tool for compliance teams. These are real business tools for legal and DPO teams. There’s also the Service Trust Center…

The technical nonsense

Microsoft provides through the Service Trust Center a whole bunch of documents explaining how data resilience is organized. The concept of backup, stemming from the on-premise world, is nonsense for the cloud, where by nature, data must be accessible at all times.

The approach to data management strategy involves a multitude of processes operated within Microsoft’s data centers. Backup is just a small element of it – and has nothing to do with “usual” backups, on-premise. The Enterprise Business Continuity Management (EBCM) Program.pdf is a rich source of information to understand how these complex processes work – all in compliance with standards (ISO, HDS, …) and local legislation.

As part of the shared responsibility between Microsoft and its customers, especially regarding data management, Microsoft hands over control to customers, in an integrated manner, for a number of operations. We’re talking about operations like restoring SharePoint or OneDrive site collections, thanks to a simple slider that allows you to move back in time. We’ve already discussed email and document retention policies, classification, and more. But once again, these tools cover the wide range of needs expressed by clients who think they need to address them with Veeam.

I would like to add that every Veeam scenario I’ve heard of involving Office 365 consists of copying data from Office 365 to Azure… … … … THESE ARE THE SAME DATACENTERS (no client located in France wants to back up their data outside of France), OPERATED BY THE SAME HOST… It doesn’t even reduce the pseudo-risk of “Microsoft stops functioning”… As a consultant from Wavestone, with whom we had a lot of laughs at Engie, often repeated: “it makes no sense”.

No alt text provided for this image

In a SaaS model, it’s a technical nonsense to think that one will substitute the data host – especially for the services it already provides. It’s a major misunderstanding of the very nature of these platforms to want to copy their data “just in case.”

The “just in case” scenarios…

  • “Just in case three Microsoft data centers stop functioning”… That would mean a simultaneous nuclear bomb has fallen on Paris and Marseille (for the France geo) or on Amsterdam, Dublin, and another city in Austria, I believe – to be verified (for the Europe geo). Your only concern would then be escape, survival, … Not checking your work email or asking your colleagues about the progress of deliverable X in project Y on Teams.
  • “Just in case Microsoft deletes my data”… I have never heard of such a case, because the EBCM precisely addresses these issues with processes that work – and that no client could implement as reliably in their infrastructures.
  • “Just in case we want reversibility”… Reversibility is a dream made to fill the last line of tenders and reassure decision-makers. When you enter Office 365, you enter a captive model from which it is extremely difficult to exit. I don’t know of any client who has done it – but there are probably some. With the hindsight and the massive adoption of Teams, I believe that it becomes almost impossible in the current market state.
A security loophole
It’s easy to understand.
  1. Your data is in Office 365 = SaaS service. Microsoft manages 90% of the security – better than 99% of organizations – you manage the remaining 10%. Little risk for your data.
  2. Veeam takes this data (emails, documents, etc.) to copy it to Azure (or worse, on-premise) = PaaS or even IaaS service. Microsoft now only manages 50% – or even less depending on the container – of data security. And it’s up to the client to hope to secure their copies as well as in Office 365… They are therefore more exposed than if you had left them in Office 365.
In short, by copying your data, especially to a place inevitably less secure than Office 365, you increase your attack surface – while other “in-place” solutions exist natively in Office 365 to meet business needs.

A financial aberration

For all the reasons previously mentioned, wanting to purchase Veeam when Office 365 already meets the needs of 99% of clients is a financial aberration.

This only fattens Veeam and its partners, who have bet on a competitive strategy against Microsoft – and anti-transformational. Let’s remember that Microsoft is a provider of compliance solutions much more integrated into Office 365 and advanced than Veeam.

Beyond the licensing costs of Veeam, you will also have storage, processing, and operating costs in Azure (or another platform).

You would be better off buying Office 365 E5 with this money – which includes Advanced Compliance (and thus a much more comprehensive response than Veeam on data management).

Finally, I would like to add that Veeam’s commercial actions, sowing doubt among our clients, especially hospitals, sometimes lead to project deployments being blocked while we resolve “the question of backup”. Fortunately, one or two meetings often suffice to convey the most important message…

… We do not back up the cloud. Thank you.