In early March of 2021, a serious vulnerability in on-premise implementations of Microsoft’s Exchange Server came to light. The new strain of ransomware used in the attack, known now as DearCry, impacted the servers used by hundreds of thousands of organizations around the world, from governments to banks to healthcare to charities.
While many Exchange users are concerned for the integrity of their systems, there is a group that doesn’t have to worry—those that use Exchange in the cloud.
Because the vulnerability was localized to on-premise (or “on-prem”) Exchange implementations, those organizations that use Exchange as a cloud-based service were excluded from the scramble and panic that ensued with the announcement.
This attack should be causing CIOs and other technology leaders to take another look at the benefits of using cloud-based services. And there are good reasons to consider making the switch, from security to budget to resource management.
The Disadvantages of Not Using the Cloud
In small companies and organizations, IT wears many hats. The focus is frequently on tasks that meet business needs or on implementing forward-thinking solutions. Routine tasks, like patching, can take a back seat to more mission-critical projects.
Manual scanning and patching are time-consuming, and these tasks often fall to a low priority status in comparison to the urgent requests your IT team is likely already juggling. Plus, the patch processes can be more cumbersome than the actual patching activities.
And even when patches are performed monthly or quarterly, there could still be work left undone. New patches and new vulnerabilities could come up during the planning phase and be missed or could conflict with other planned patching activities.
Scanning may help, but it doesn’t solve the problem. Unless your vulnerability management solution runs all of the time, your scans are only a snapshot of the vulnerabilities that exist at the time of the scan. A company could pass a vulnerability scan today and fail it tomorrow.
Worse, some companies complete their vulnerability scans, but lack of bandwidth leaves identified risks unaddressed. Without remediation, the scan is worthless.
When there is a critical security vulnerability released, like with Exchange, it can be all hands on deck to handle remediation. This leaves other projects to flounder while the IT team jumps on the issue that needs immediate attention.
All of this is to say that managing, monitoring and mitigating risk for on-prem solutions are time-consuming and can still leave you open to attack. And nation-state attackers and other bad actors know this.
The Advantages of Using the Cloud
The Exchange hack gives us a clear explanation of why it’s so beneficial for companies to move to cloud-managed solutions. Not only do cloud services offer stable, predictable budget requirements, things like patch management and risk mitigation are taken off of IT’s plate.
That’s because a cloud-based service is constantly being patched, monitored and evaluated. A managed service provider has staff whose entire purpose is to keep the implementations under them up to date and secure.
While many cloud and SaaS providers tout that their users receive the latest features frequently and well before on-prem users, those using managed cloud services are getting the benefits of the latest patches without needing to divert their own internal resources to do so.
A managed cloud provider will also be monitoring and scanning for vulnerabilities constantly. With dedicated staff available to immediately handle and mitigate new issues or a detected breach, a cloud provider can handle proactive risk mitigation and reactive breach and vulnerability management efficiently.
The Microsoft Exchange server hack and DearCry are wake-up calls for companies that are trying to juggle the resources they need to keep their systems running and secure. IT groups, especially those within smaller organizations, have a lot on their plates already, and the constant need to monitor and patch on-prem implementations is just one more task on a long list—a task that shouldn’t be ignored, but is more often than not.
Switching to managed cloud-hosted services is an easy and cost-effective way to protect your organization. At the same time, cloud services allow you to refocus your technology teams on business-critical projects that move the needle on your goals instead of patching, scanning and mitigating, only to miss a critical zero-day vulnerability.