The Canadian government is committed to providing better data, insights, and services to all Canadians. To do so, all branches of government must evolve into data-centric organizations. Public sector organizations operate more effectively and provide better value to citizens when they facilitate online- and self-services, digitize documents, share information between agencies, and use collaboration platforms with cloud-based software.

While agencies recognize the many benefits of IT modernization, they also see the challenges around how to best store and protect the large volumes of mission-critical data that accompany this modernization. Because many government organizations collect data that may be both extremely sensitive and highly sought-after, the challenges of protecting that data have grown.

Public sector organizations cannot afford the financial and civic impact of lost or compromised data. More than six in ten Canadians (63%) feel that the federal government, in general, respects their data privacy rights.[i] This statistic demonstrates a tenuous trust that must be upheld. Government agencies understand that they must be good stewards of the data they collect, ensuring it is backed up in the most secure, sovereign, and compliant manner available.

However, many agencies, believing that adequate backup safeguards are in place across their organization, often have one critical weakness—Microsoft 365.

The Microsoft Misconception

Microsoft 365 is deployed extensively throughout every level of government. It’s a common misconception that Microsoft 365 takes responsibility for your data. With applications like Microsoft 365, SaaS providers offer enough underlying infrastructure protection assurances to meet their contractual SLAs. The problem lies in the fact that those guaranteed protections do not extend to customer data created on SaaS platforms. It is vital to employ solutions to protect your data from risk, based on your terms rather than on the potential limitations of the SaaS platform’s offerings.

You don’t have to take our word for it; Microsoft itself recommends having a regular data backup plan provided by a third-party service in three different subsections (4a, 4f, and 6b) of the Microsoft Services Agreement.

The Microsoft cloud is highly secure; however, the possibility of your sensitive data being exposed or lost does exist. The reality is that if something happens to your data—something outside of Microsoft’s responsibilities, such as data corruption, security threats such as ransomware, application failure, retention policy gaps, disabled accounts, or accidental deletion—it’s not Microsoft’s problem, it’s yours. Yet, fewer than 25 per cent of Microsoft 365 users have dedicated third-party protection[ii] even though 70 per cent of organizations have suffered a business disruption due to unrecoverable data loss in a SaaS (Software-as-a-Service) application.[iii]

“While [Microsoft] 365 is fast becoming the [center] of business productivity, a backup and recovery strategy is an afterthought,” says Archana Venkatraman, Research Manager, IDC European Datacenter.  “Relying on Microsoft’s native backup capabilities and infrastructure-level uptime features is a risky strategy because, regardless of where the data is, it is the company’s responsibility.”[iv]

Without third-party backup, your organization is vulnerable to ransomware, legal and compliance issues, business interruption, loss of data control, and human error.

The Azure Cloud Conundrum

Just as you would never have put your server and your tape backup in the same room, don’t use the same cloud for your applications and your backup. It’s putting all your data eggs in one basket. If you’re using Azure to back up Microsoft 365 and Azure goes down, then you’re going to lose both your primary and backup sites.

When vetting third-party backup solution providers, be sure to identify what cloud they are backing up to. Other backup solution providers use Microsoft Azure as the repository. While an Azure backup for a Microsoft product seems logical, it’s not a safe choice. Again, if Azure fails, that backup provider won’t be able to give you access to your data, resulting in costly service disruptions and downtime.

Don’t let a lack of appropriate backup lead to governance paralysis.

Managing the Costs of Managing Data

Given the ongoing shift to digital services, it’s critical to protect citizen data while also managing costs. You may look to another hyperscale cloud provider to back up your SaaS data. The problem with using a hyperscale cloud provider to store your Microsoft 365? Cost.

The cost of the initial storage adds up over time, especially as data expands but the real cost comes when you need to get your data back. Ingress and egress fees can really add up, becoming prohibitive for agencies that need to be accountable to taxpayers.

One of ThinkOn’s great differentiators is that there is no cost to retrieve your data. We believe in transparent pricing with no hidden fees—ingress, egress or otherwise. You, and the citizens you’re accountable to, should know exactly what you’re paying for.

Canadians Who Will Protect Your Microsoft 365 Data Like it’s Our Own

ThinkOn is a proudly Canadian-owned and -operated cloud solution provider (CSP) with a global data centre footprint. With cloud locations across Canada, ThinkOn is the only Canadian CSP capable of offering data sovereignty to the Government of Canada. We are PBMM certified and a  Canadian VMware Sovereign Cloud partner. ThinkOn is by far the safest place for your data to reside.

To help you keep your data safe and secure, we’ve put together a fun and informative comic book called, A Superhero’s Guide to Microsoft 365 Backup & Recovery. It follows the journey of three Microsoft 365 backup superheroes as they combat the top use cases affecting organizations when backing up Microsoft 365 data.

Click this link to download the comic today and learn how to become the data superhero of your department.


[i] Office of the Privacy Commissioner of Canada, “2020-21 Survey of Canadians on Privacy-Related Issues.”

[ii] IDC, “Microsoft’s Office 365 Data Protection Strategy: Ignoring Backup and Recovery is Risky for Resilience, Continuity, and Productivity.”

[iii] Gartner, “Assuming SaaS Applications Don’t Require Backups is Dangerous.”

[iv] IDC, “Why a Backup Strategy for Microsoft Office 365 is Essential for Security, Compliance, and Business Continuity.”