Security and Integrity
Does IBM Storage Protect for Cloud Microsoft 365 Support Data Deduplication and Compression?
IBM® Storage Protect for Cloud Microsoft 365 applies standard .zip compression to data. Although our DAT files can support deduplication algorithms, we currently do not support deduplication on Blob storage as this requires a physical/virtual storage system that is not as cost-effective as Azure Cold storage. Additionally, since our backup data is encrypted and the encryption key is dynamic, the deduplication performance may not be optimal.
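The interaction between a changing encryption key and deduplication described above, as an added example (not IBM code). It uses a stand-in stream cipher built from HMAC-SHA256, fixed-size chunks, and constructed sample data and keys, and it assumes "dynamic" means the key differs between backup runs.

```python
import hashlib
import hmac

CHUNK = 4096  # fixed-size chunks; an assumption made for this example

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ctr = (off // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + ctr, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def dedup(blobs) -> tuple:
    """Return (chunks written, chunks stored) for a content-addressed store."""
    stored, written = set(), 0
    for blob in blobs:
        for off in range(0, len(blob), CHUNK):
            stored.add(hashlib.sha256(blob[off:off + CHUNK]).digest())
            written += 1
    return written, len(stored)

def compare() -> dict:
    # Constructed sample: two backups of 16 chunks each, differing in the last chunk.
    first = b"".join(hashlib.sha256(bytes([n])).digest() * 128 for n in range(16))
    second = first[:-CHUNK] + hashlib.sha256(b"changed").digest() * 128
    k1, k2 = b"constructed-key-run-1", b"constructed-key-run-2"
    nonce = b"constructed-nonce"
    return {
        "plaintext": dedup([first, second]),
        # Same key and nonce: equal plaintext chunks give equal ciphertext, so dedup
        # still works, but the ciphertext reveals which chunks are unchanged.
        "static_key": dedup([encrypt(k1, nonce, first), encrypt(k1, nonce, second)]),
        # Key changes per run: no ciphertext chunk repeats, so nothing deduplicates.
        "per_run_key": dedup([encrypt(k1, nonce, first), encrypt(k2, nonce, second)]),
    }

if __name__ == "__main__":
    for mode, (written, stored) in compare().items():
        print(f"{mode:12s} written={written} stored={stored}")
```
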
My organization plans to use the Customer Key feature in Microsoft 365, so we will be in control of our own encryption keys for our data in Microsoft 365. Will IBM Storage Protect for Cloud Microsoft 365 back up and restore this data if it is enabled?
The Customer Key feature in Microsoft 365 encrypts data at rest in Microsoft 365, which means that Microsoft cannot access this encrypted data. However, IBM Storage Protect for Cloud Microsoft 365 uses user credentials or app profiles to access customer data through an API, in the same way an end user accesses it, so the data is decrypted to its real content. Therefore, the backup and restore service will not be affected. For additional details, refer to the Customer Key Overview on the Microsoft website.
Is backup data immutable?
- Encryption: Backup data is encrypted with unique keys for each tenant. All data in transit is encrypted using TLS 1.2/1.3, and IBM strictly uses officially supported APIs that maintain encrypted connections for backups. Data at rest is secured by default with an IBM-managed key, although customers can choose to use their own keys.
- Storage Isolation: IBM provides customers with the option to isolate their data within a single region, supports multi-geo configurations, and offers customer-owned storage. This ensures that data remains physically isolated within the region and is never replicated across data center regions.
- Logical Isolation: IBM Storage Protect for Cloud is segregated separately from your production environment. It includes delegated administration and role-based access controls to prevent unauthorized users from modifying or deleting backups.
- Immutable Storage: Backup data copies cannot be directly accessed through the product user interface or API and cannot be compromised by either privileged or non-privileged users of the platform. Data can only be exported, restored to production, or defensibly destroyed when a pre-defined data retention policy is met.
Under special circumstances, customers may request manual deletion of data through IBM Support, which requires verification. IBM also allows authorized admins to handle the DSAR (Data Subject Access Request) by removing personal information from the systems as requested. The DSAR can also be disabled completely within our platform for an added level of protection.
- Ransomware Protection: IBM Storage Protect for Cloud learns from your backups and alerts you of unusual activities that could indicate a compromise or ransomware attack. Recovery points prior to the incident are clearly identified, and alerts can be configured to reach administrators to minimize the impact of a breach.
How is data handled after running a data deletion process in compliance with GDPR?
- Deletion of entire object – This scenario involves the complete removal of an object, such as a mailbox or OneDrive account. The entire object, along with all associated data, is permanently deleted.
- Deletion of individual items – This scenario involves the removal of specific items, such as files or documents. The index entries associated with these individual items are permanently deleted, ensuring that the data is destroyed and non-recoverable.