OneDrive PSA: the day it forgot about history

OneDrive is marketed as one product when in reality there are 3 very different offerings. Unfortunately the main business product lacks the security features of the personal product. Nevertheless the marketing and documentation does not state this sufficiently. This needs to be taken into account when performing a risk analysis of your file storage. I will share the learning from a recent ransomware incident when OneDrive failed. The majority of small business IT admins may only realize they’ve made a mistake when it’s too late.
 
Microsoft suffers from too many products. Their attempt to unify products and brands has been futile at best. But at worst it’s resulted in a dangerous and incorrect feeling of safety that I will explain.
 
A look at the history of OneDrive, SkyDrive, SharePoint, Groove and more is beyond the scope for a single post. But all these products and technologies now all live under the brand name of OneDrive in some fashion.
 
Microsoft’s own description is:
 
OneDrive is the Microsoft cloud service that connects you to all your files. It lets you store and protect your files, share them with others, and get to them from anywhere on all your devices. When you use OneDrive with an account provided by your company or school, it’s sometimes called OneDrive for Business. (Link)
 
Unfortunately the statement is misleading. OneDrive for Business is not OneDrive. There are commonalities such as the software uesd to sync files to your computer is the same. And on the web some parts of the interface overlap. But the storage system and feature set behind the scenes is very different. Unfortunately in it’s marketing and announcements Microsoft does not seperate enough between:
  • OneDrive,
  • OneDrive for Business (SharePoint MySite), and
  • OneDrive for Business Shared Folders (SharePoint Workspaces/Subsites/Office365 groups).

Choosing OneDrive for your organisation’s file storage

When deciding where to store your company files you need to evaluate how well it fulfills the requirements. A big requirements is data safety. To be a valid option it has to guard agains three levels of failures:
 
  1. Local Failure (computer or drive failure)
  2. Version Failure (mistakes, overwrites or concurrent editing).
  3. Cloud Failure (everything else)
 
Office365 offers two products for file storage. The first is “OneDrive for Business – Personal Folder”. Backed by SharePoint MySite this is the place to store personal files. But it lacks in manageability. User’s can share folders, but the user stays the owner which is not acceptable for company files.
 
This is where the second product “OneDrive for Business – Shared Folders” comes in. It’s managed centrally by the organisation’s IT admins. It integrates well with other Office365 features (Groups and Teams) and uses SharePoint. More specifically it uses “Document Folders” in SharePoint.
 
How does it handle the above failures?
 
1. If an employee’s device fails, all files back up to the cloud. Check.
 
2. OneDrive has you covered in two ways:
Previously you relied on versioning and simply reverted to an older version of the file. The new second option is Microsoft introduced Files Restore at the beginning of the year:
 
Files Restore is a complete self-service recovery solution that allows administrators and end users to restore files from any point in time during the last 30 days. If a user suspects their files have been compromised, they can investigate file changes and allow content owners to go back in time to any second in the last 30 days. Now your users and your administrators can rewind changes using activity data to find the exact moment to revert to. (Link)
 
3. Microsoft offers POIT (Point-In-Time-Restore) of SharePoint in case of a massive disaster.
 
That’s a good score for “OneDrive for Business – Shared Folders”, so it’s a choice I’ve recommended to many clients.

OneDrive’s protection in action

Now let’s see what happened when one morning all files on the main company OneDrive are scrambled. An employee’s computer was infected with Ransomware. Based on the above checklist you would think this can be solved quickly.
 
The fastest recovery would be using “Files Restore”. I went online, found the restore interface and my job was done in 5 minutes. End of story.
 
Not quite. Turns out this particular feature is not available in “OneDrive for Business – Shared Folder”. This is not mentioned in the announcement and also not mentioned as a limitation in the technical documentation.
 
I had to confirm with Microsoft Support that indeed this feature is only available for the consumer OneDrive and “OneDrive for Business – Personal Folder”.
 
That’s a nuisance but not a deal breaker. After all the client had file versioning switched on for all OneDrive folders. Using Powershell you can revert to the previous version of a file. In this case the ransomware had conveniently appended it’s own file extension, so identifying the files was easy.
 
When the script completed a quick look into the log file showed that 2/3 of the files had no previous versions. By definition of how this type of malware works – it encrypts an existing file – this was impossible. But some manual checks confirmed that most files had lost their version history and there were no copies in the deleted items on OneDrive.
 
Until now Microsoft Support could not say why this happened and could not offer any advice on how to prevent this in the future. My support engineer was very empathetic to the problem and did his best. The final solution we got to was to do a complete SharePoint Restore to a point in time before the malware hit. Sounds great until you realize this restores the whole SharePoint to that day. This includes all administrative settings, new groups or teams, OneNote and Wiki content. This has to be backed up seperately and republished to SharePoint once the restore is complete. A real PITA, but after 1-2 weeks we were able to close the case with a full recovery of all data.

Redundancy is key

So what can we learn from this. First of all hitting that third and ultimate level of data recovery is unacceptable. Obviously I’m glad this level was available. But in the end Microsoft almost lost all file versions of a large part of the OneDrive. I have revised all my Office365 client installations and added a new level. Each one now uses a third party backup provider (e.g. CloudAlly) that performs a complete daily file backup of all OneDrives. If file versions fail again we can retrieve any file version using these backups. This way we can even perform the “Files Restore” that Microsoft announced but doesn’t offer for the core product.
 
So what’s the TL;DR or actionable advice:
  • Features announced to OneDrive may not be available in the OneDrive you use.
  • Versioning in OneDrive has a serious loss of data issue that is still unsolved at this time.
  • Do not rely on a single provider for important data and files. Use a redundant backup provider*.
 
I will still recommend Office365. It offers great value at a reasonable price. It covers most requirements a small business would have. If you follow the advice and get an extra backup provider it is safe to use for file storage. Even if file versioning worked as expected you should still use a backup provider to ensure you’re following best practice.
 
The bigger issue here is the path Microsoft is going down in terms of naming. Even their own marketing, technical documentation groups and support are confused. The available documentation is incorrect. And it’s not the first time either. Talk to someone in the know about Skype vs. Skype for Business and you will hear a lot of very similar points being made.
 
Microsoft has too many products doing the same thing with different feature sets. As a decision maker you have to be extra vigilent in choosing the right product for your use case.
 
*PS: Regardless of how and why Microsoft failed here, ultimately I am to blame for the incorrect risk assessment. I had tested the file versioning in depth and ensured that it worked at the time of the test. But I had based all my levels of data protection on a single provider. Risk is impact vs probability. It’s unlikely that a large provider like Microsoft will fail, but the impact of losing data is enormous (for any business). It’s not acceptable to rely on one provider. Redundancy is a must and can be achieved with just a little added cost through a backup provider.
 

Appendix

Some clarification of terms used:
  • OneDrive (without a suffix, refered to as OneDrive Personal): a cloud file sync software with a feature set comparable to Dropbox. It’s available in a free and paid versoin. It is not included in Office365.
  • OneDrive for Business – Personal Folder: Included in Office365 and uses an interface that’s almost identical with OneDrive Personal. But underneath it is very different and shares only some of the feature set of OneDrive. The files are stored in the My Site of your organisation’s SharePoint.
  • SharePoint: Microsoft’s intranet portal server that offers collaboration and also file storage.
  • OneDrive for Business – Shared Folders: Included in Office365 and designed for company wide sharing of files. It allows you to create groups (for business units, projects, etc.) and create seperate folders for each.
  • OneDrive Client: This is the software that will actually synchronize the files to your local hard disk. It will sync OneDrive Personal, OneDrive for Business – Personal Folder and Shared Folders. This is a vast improvement by Microsoft after years of having three different clients.
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s