Microsoft Exchange hack: Why so many enterprises still run their own Exchange servers
Commentary: Enterprises try their best to secure their data, but running on-premises mail servers arguably doesn’t do this. So why do they do it, anyway?
We can have a debate about how soon enterprises should embrace cloud. After all, with roughly 94% of the $3.9 trillion in global IT spending still going to on-premises software, hardware and services, we’re many years away from the last data center getting unplugged.
But can we agree that for some use cases, there’s no compelling reason for organizations to keep running their own servers? In the wake of a hack that exposed the Microsoft Exchange servers of tens of thousands of U.S. organizations (schools, local governments, police departments etc.), email servers probably belong on that list.
After all, while email is critical for communication, managing an email server in no way gives a company competitive differentiation. It’s a commodity service everyone needs, but it’s much harder to argue that everyone therefore needs to manage the server. So why do so many organizations continue with their on-premises deployments?
SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)
A question of trust?
In asking that question, I assume there are good answers. After all, companies (and the people they employ) generally try to do the right thing. It’s in no one’s job description to willfully run unsafe systems. And yet we do. All the time. Why?
According to noted former CTO Christian Reilly, four reasons companies have been slow to switch are “Legacy mindset, no funding to migrate, capex funding structures, asset sweating.” That first one simply refers to inertia: There’s the cloud I’ve heard of, and the existing server I’m used to managing. Couple that with a budget that is skewed toward capital expenditures (rather than cloud-friendly operating expenditures, or OpEx) and a lack of funding to move to the cloud, and it becomes easier to see how those 30,000 organizations found themselves managing Exchange. They aren’t foolish. They’re stuck.
Nor are they helped by legacy vendors, said CTO Paul Johnston: “The cloud ecosystem is big but there are many many companies still selling the old stuff.” Enterprises have relationships with these existing vendors. There’s comfort in the server you know, rather than the serverless you don’t, he stressed: “If you’ve always been used to ‘that’s my box over there’ and ‘there are the tape drives’, then the step to ‘the cloud’ is actually scary. Especially as the FUD [from legacy vendors] has been out for a long time.”
Ultimately, Johnston noted, it’s about trust: “If you don’t trust ‘the cloud’ more than yourself, then you’re not going to move. There’s a massive leap of you’ve been doing this yourself for years.”
SEE: Patch management policy (TechRepublic Premium)
It’s possible that the trust in one’s own ability to secure Exchange servers, as in this case, may be misplaced. Or, rather, the trust that one can secure a mail server as well or better than one of the cloud vendors offering it as a managed service. But ZDNet contributing editor Steven J. Vaughan-Nichols is likely correct when he stated, “If I’ve heard it once, I’ve heard it a thousand times, [‘]we need to have email in house to make sure it’s secure[‘]. With smart e-mail admins that can even be possible, but that’s not the way to bet. Signed, former e-mail admin.” (ZDNet is a sister site of TechRepublic.)
This makes sense given the resources cloud vendors are able to bring to bear on the issue. SaaS vendors will have implemented sophisticated technical and physical measures to prevent unauthorized access to their systems. Should a breach occur, they’ll have a deep pool of security experts on staff that monitor systems 24/7. A local school, for example, despite employing wonderful people in IT, simply can’t replicate this. Nor should they need to.
With the pandemic, companies were forced to think differently about their infrastructure. Incidents like this, which one cybersecurity expert said would require “Herculean” efforts to unwind the mess, may prompt introspection about the costs and benefits of self-managing Exchange.
The good news? Things like the pandemic (and, likely, this very Exchange Server hack) have accelerated the move to the cloud. According to new data from the Flexera 2021 State of the Cloud Report, organizations have responded to social uncertainty with more cloud spending (Figure A).
Will cloud fix all enterprise IT woes? Of course not. Companies still worry about security, governance and more in the cloud. But for some things, which seems to include mail servers, it’s arguably better to run them in the cloud. That’s a central theme in Microsoft’s response to this hack, reminding users that the hack didn’t reach its managed Exchange service. In this case, it’s not self-serving–it’s just good business practice.
Disclosure: I work for AWS, but the views expressed herein are mine.