Skip to content

Do you need a backup tool with Google Workspace?

A question we get asked a lot is do we need a backup tool on top of Google Workspace? What are the current backup capabilities of Google Workspace? What about the e-discovery tool in Google Workspace, Google Vault? All these questions and more we try to answer in this blog post. 

Why would you need a backup?

Google Workspace backup requests generally are about either Gmail messages or Google drive files. In our experience we see 2 business cases for taking a backup: 

  1. Functional backup in case of mistakenly deleted files
    One of the main reasons to have a backup is to better be safe than sorry. When users mistakenly delete files they often rely on IT to magically restore these to make sure business continuity is ensured. 
  2. Legal and audit Compliance requirements to retain data
    When a legal dispute happens and a relevant party has deleted data from their account to remove evidence, you, of course, want to be able to retain that information to make sure you can handle the legal dispute as best you can.

Functional backups with Google Workspace

If users mistakenly delete files, Google Workspace gives you the ability to restore deleted files or emails up to 25 days after a user permanently deleted them. Another thing to keep in mind is the 30 days these emails or files are kept in the user’s bin before permanent deletion. If we look at the day-to-day usage of Gmail and Google Drive, this is usually enough of a backup for the functional requirements. 

Other functional backups could include moving the drive ownership of users leaving your environment to a specific user. Usually, we see that this is the manager of the user. This can either be done through transfer ownership or when offboarding a user. Another option is to move files from  deleted users to a shared drive afterwards to make sure your manager’s my drives are not cluttered. 

When it comes to offboarding, we encourage you to have a clear process in place. Do consider the following tips when you start the offboarding of a user so that no data is lost on a functional level : 

  • Utilize employee notice periods to start handing customers relations to managers or colleagues
  • To keep everybody thoroughly informed, update signatures for replies during notice periods
  • Ask the employee to set up an OOO for the last part of their notice period. 

The above measures should be able to capture all functional needs. If there is still some data needed afterwards there are some ways how you can get to that data without logging in to the account

  • The usual go-to method is mail delegation. We would advise keeping the mailbox active for a month with mail delegation. During this time the requester forwards the relevant emails to his own mailbox and after this month, we set up a recipient address map (forwarding) for this address to his account if he so chooses. 
  • While it is possible to have an indefinite backup of the mailbox, it is a bit more tricky. Here you could either migrate the content of a user’s mailbox through IMAP to another user’s Gmail account using the DMS embedded in your admin console or you could pull an MBOX archive through the Google takeout of his Gmail inbox. 
  • If you are on an enterprise plus license, you can directly investigate users’ mailboxes. Do be aware that if you check the content of somebody’s mail, you will have to fill in a justification as to why you checked that content.

Retaining & investigating data with Google Vault

For compliance reasons, you might need to retain data for quite some time. All legal requirements in terms of data retention are usually picked up with Google Vault. Google Vault is an E-discovery tool that makes all of your data from Google Workspace services like Gmail, Google Drive, Google Sites, GoogleChat,… (all services can be found here) and makes it exportable. Then, from the Google Vault UI, you would be able to investigate & extract that data, usually for legal purposes.

Keep in mind that Google Vault is NOT A BACKUP TOOL. Any extracts made from this tool come in archive formats (e.g. PDFs, eml’s, MBox, PST,…) so it is hard to re-add this content to your Google Workspace.  

For offboarding users, Google Workspace has the archived user. An archived user is a separate license you purchase. Within the admin console, you can apply the “archived user” state to a user.  After that, that user goes into cold storage. All of this user data will be retained and will even be kept in Google Vault!

Are Google Workspace backup capabilities sufficient for your business?

Currently, we see companies move away from backup tools as the backup capabilities of Google Workspace in combination with Google Vault are sufficient for business needs. However, some companies still opt for an additional backup tool as they consider the functional backup possibilities not sufficient for their business needs. But what are the caveats when using a third-party backup solution? Check out the next chapter to find out more!

Caveats when working with a third-party backup solution.

Lower your technical debt

As Devoteam G Cloud constantly tries to advise its customers the best they can, we also advise our customers to keep things simple and not to add too many solutions in one environment if one solution can fit their needs. This is both a pricing and an efficiency consideration as you are paying for an additional application and are maintaining it. 

They run on a schedule

One thing to consider with these third-party backup solutions is that they, contrary to Google’s native backup solution, run on a schedule. This means that, for example, at the end of each day a backup is being made. But if a user creates and deletes a file in that same day, ergo in between the schedule, then this file is never picked up by said third-party backup tool. Google’s native backuping does not work on a schedule and picks up the file as soon as it’s created.

Data hosting, Data Loss Prevention and personal data requests

By hosting your corp data on multiple platforms, you can now no longer solely use Vault for your legal audits, all DLP compliance rules you create will not be implemented on your 3rd party backup tool either. Also when you get requests for personal data you will need to rely on o the 3rd party tool to search all data in that backup tool. 

Furthermore, you are increasing your vector for attack to access data, you are adding administration for data requests, and you are affecting the chain of custody. You are also putting a lot of trust that the backup tools store this data security, some of them utilize storage in AWS, others in Azure or even GCP but your corporation might no longer be covered by Google’s ISO security certifications because you are using an external backup tool.

Backup tools in Google Workspace: what not to forget

  • Consider your Backup needs with the capabilities of Google Workspace backups
  • Understand the caveats when using a third-party backup solution
  • Keep your technical debt to a minimum.

Do you want to discuss your own security project with us? 

Get in touch with

Mark De Winne

Google Cloud Business Developer at Devoteam G Cloud