A common misconception persists even among businesses using cloud services extensively: if your data is in Microsoft 365 or Google Workspace, it's backed up. It is not. Redundancy is not backup. Understanding this distinction is the difference between data you can recover and data you've lost forever.
Redundancy Is Not Backup
Cloud providers build redundancy into their infrastructure to ensure uptime. If one data centre fails, your data exists on other servers. If one server fails, the data is replicated instantly. This redundancy is essential for availability, but it solves a different problem than backup solves.
Redundancy protects against hardware failure. Backup protects against deletion, corruption, and encryption. When you delete a file from Microsoft 365, it doesn't vanish immediately—it moves to a recycle bin with a retention period of 90 days by default. After that window, it is gone. The "redundant" copies that exist across Microsoft's data centres all reflect the same deletion. When ransomware encrypts your files in OneDrive or Google Drive, the encrypted versions are redundantly distributed across the provider's infrastructure. Redundancy will not help you.
The Marketing Illusion
Cloud providers market reliability heavily. Their uptime percentages are excellent. Their disaster recovery capabilities are robust. What they do not promise is recovery from your own actions or from attackers who compromise your account. That protection must come from elsewhere.
Think of it this way: there is no cloud. It is just somebody else's computers. Those computers are very reliable. But they still follow the instruction to delete or encrypt data when told to do so. Reliability of the infrastructure does not equal protection of your data.
Retention Policies That May Not Match Your Needs
Microsoft 365 retention policies exist, but they are often misunderstood. By default, deleted items in OneDrive or SharePoint are retained for 93 days. Items deleted from Recycle Bin are gone. Users can empty the Recycle Bin manually. Administrators can soft-delete entire sites. None of these actions trigger recovery from a backup—because there is no backup managed by Microsoft for this purpose. Your retention policy, if enabled, will protect against permanent deletion, but only if it was enabled before the deletion happened and only if your recovery point is within the retention window.
Email retention policies in Exchange Online work similarly. Messages deleted, purged, or trapped by security filters are subject to your retention rules. But if no retention rule exists, deletion is permanent. Ransomware or a compromised account can delete everything.
What a Real Backup Actually Is
A backup is a separate, independent copy of your data stored on different infrastructure, controlled by a different system, ideally held by a different organization. It exists outside your production environment. It can be restored to a specific point in time, before the deletion or encryption occurred. A backup is immutable—attackers cannot reach it through your network.
This is why businesses need third-party backup solutions for cloud data. Microsoft and Google do not provide this. They provide retention policies within their own systems. That is not backup. It is data preservation within the same infrastructure that was compromised.
Protecting What You Cannot Afford to Lose
Implement business continuity solutions that include independent backup for your cloud data. These solutions capture your Microsoft 365 data, Google Workspace data, and on-premises systems to a separate platform. They allow you to recover files, emails, or entire accounts to a point in time before the incident.
This is not optional for businesses that depend on their data. The cost of recovery after ransomware, accidental deletion, or a prolonged outage far exceeds the cost of proper backup. Start with an assessment of your current data protection, identify the gaps, and close them with independent backup solutions.