Microsoft On-Premises Warning: Customers Must Protect Their Own Identity Infrastructure

Microsoft is urging customers to embrace the cloud for security, warning those who run on-premises services that they are responsible for protecting their own identity infrastructure.

The Redmond, Wash.-based software giant strongly recommends that customers manage identity and access from the cloud, noting that with Azure Active Directory, Microsoft itself is responsible for protecting the identity infrastructure. Microsoft said it is able to detect and remediate attacks no one else can see thanks to the visibility provided by the company’s cloud-scale machine learning systems.

“We were also reminded of the importance of cloud technology over on-premises software,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Cloud technologies like Microsoft 365, Azure and the additional premium layers of services available as part of these solutions improve a defender’s ability to protect their own environment.”

Microsoft said Thursday that the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.

Organizations that delegate trust to on-premises components in hybrid deployments, where on-premises infrastructure is connected to the cloud, end up with an additional seam they need to secure, the Microsoft Security Response Center (MSRC) wrote in a blog post Thursday. If the on-premises environment is compromised, the MSRC said, that seam gives attackers an opportunity to target the organization’s cloud services.

Many organizations with hybrid deployments delegate trust to on-premises components for critical decisions about authentication and about the state of directory objects, according to Alex Weinert, Microsoft’s director of identity security. If the on-premises environment is compromised, Weinert said, those trust relationships let hackers compromise the victim’s Microsoft 365 environment as well.

“As we have seen in recent events related to the SolarWinds compromise, on-premises compromise can propagate to the cloud,” Weinert wrote in a Dec. 18 blog post. “Because Microsoft 365 acts as the ‘nervous system’ for many organizations, it is critical to protect it from compromised on-premises infrastructure.”
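The trust seams Weinert and the MSRC describe can be inventoried from the tenant side. The PowerShell script below is an added example, not code from the article, from Microsoft or from any of the companies it quotes. It uses read-only Microsoft Graph PowerShell SDK cmdlets (Get-MgDomain, Get-MgDomainFederationConfiguration, Get-MgOrganization, Get-MgUser, Get-MgServicePrincipal) and assumes the Microsoft.Graph module is installed and the caller can consent to the listed read scopes. The grouping of findings into three "seams" is the editor's reading of the article, not Microsoft guidance.

```powershell
# Added example, not from the CRN article or from Microsoft. Lists where a Microsoft 365 tenant
# has delegated trust to on-premises or third-party components, using read-only Microsoft Graph
# PowerShell SDK cmdlets. Assumes the Microsoft.Graph module is installed and the caller can
# consent to the read scopes below. Nothing here modifies the tenant.
Connect-MgGraph -Scopes 'Domain.Read.All', 'Organization.Read.All', 'User.Read.All', 'Application.Read.All' -NoWelcome

$findings = @()

# Seam 1: federated domains. For these, sign-in decisions are made by an on-premises identity
# provider (typically AD FS), and the tenant accepts any token signed with the certificate
# registered here. Whoever holds that private key can mint tokens for any user in the domain,
# so the registered thumbprint must match the token-signing certificate actually on the IdP farm.
foreach ($domain in (Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' })) {
    foreach ($fed in (Get-MgDomainFederationConfiguration -DomainId $domain.Id)) {
        $thumbprint = $null
        if ($fed.SigningCertificate) {
            # SigningCertificate is the Base64-encoded public certificate of the federated IdP.
            $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
            $thumbprint = $cert.Thumbprint
        }
        $findings += [pscustomobject]@{
            Seam    = 'Federated domain (on-prem IdP decides authentication)'
            Subject = $domain.Id
            Detail  = "Issuer=$($fed.IssuerUri); SignIn=$($fed.PassiveSignInUri); TokenSigningThumbprint=$thumbprint"
        }
    }
}

# Seam 2: directory synchronization. With Azure AD Connect enabled, an on-premises service
# writes directory object state into the tenant. The Sync_* accounts it uses hold the
# Directory Synchronization Accounts role and should be treated as privileged.
$org = Get-MgOrganization
if ($org.OnPremisesSyncEnabled) {
    $findings += [pscustomobject]@{
        Seam    = 'Directory sync (on-prem writes object state)'
        Subject = $org.DisplayName
        Detail  = "LastSync=$($org.OnPremisesLastSyncDateTime)"
    }
    foreach ($sync in (Get-MgUser -All -Filter "startswith(userPrincipalName,'Sync_')" -Property 'userPrincipalName,accountEnabled')) {
        $findings += [pscustomobject]@{
            Seam    = 'Directory sync service account'
            Subject = $sync.UserPrincipalName
            Detail  = "Enabled=$($sync.AccountEnabled)"
        }
    }
}

# Seam 3: application credentials. A third-party service (the article's Mimecast case)
# authenticates to the tenant with a certificate or secret registered on its service
# principal; whoever holds that credential holds the app's permissions. Expired or
# very long-lived credentials deserve a second look.
$now = Get-Date
foreach ($sp in (Get-MgServicePrincipal -All -Property 'id,displayName,appId,keyCredentials,passwordCredentials')) {
    foreach ($k in $sp.KeyCredentials) {
        $findings += [pscustomobject]@{
            Seam    = 'App certificate credential'
            Subject = "$($sp.DisplayName) ($($sp.AppId))"
            Detail  = "Usage=$($k.Usage); Expires=$($k.EndDateTime); Expired=$($k.EndDateTime -lt $now)"
        }
    }
    foreach ($p in $sp.PasswordCredentials) {
        $findings += [pscustomobject]@{
            Seam    = 'App client secret'
            Subject = "$($sp.DisplayName) ($($sp.AppId))"
            Detail  = "Expires=$($p.EndDateTime); Expired=$($p.EndDateTime -lt $now)"
        }
    }
}

$findings | Sort-Object Seam, Subject | Format-Table -AutoSize -Wrap
```

Two caveats for anyone running this. The federated-domain thumbprint should be compared against the output of Get-AdfsCertificate -CertificateType Token-Signing on the AD FS farm itself; a thumbprint registered in the tenant that no farm certificate matches means the tenant trusts a signing key the organization did not issue. And pass-through authentication also delegates the password check to on-premises agents, but the domain still reports as Managed, so this inventory does not surface it. The service-principal section will also list Microsoft's own first-party applications; filtering those out is left to the reader.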

The SolarWinds hackers have taken advantage of Microsoft’s technology on numerous occasions to go after the email of U.S. government agencies and private-sector organizations. They infiltrated the email system used by the Treasury Department’s senior leadership through a complex step inside Microsoft Office 365 that made Treasury’s system accept the hackers as legitimate users.

The SolarWinds hackers tried and failed to break into CrowdStrike and read its emails via the Azure account of a Microsoft reseller that managed CrowdStrike’s Microsoft Office licenses. In addition, the certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect products to Microsoft 365 was compromised by the SolarWinds hackers.

The chief technology officer of a large national solution provider, who asked not to be named, cautioned that the cloud doesn’t solve everything from a security standpoint and urged customers to decide workload by workload whether the cloud or on-premises is the better fit. For some customers, the CTO said, on-premises deployments allow more customization of security configuration and management.

“I don’t believe it’s technically sound for Microsoft to shift the blame of [the SolarWinds hack] to just on-premises software and things like on-premises services,” the CTO told CRN. “A cloud provider, like a Microsoft, isn’t completely responsible for compliance, for privacy and for all the security a company might need.”

Microsoft’s on-premises warning flies in the face of a hybrid cloud strategy aimed at securing a customer’s most prized assets with best-of-breed security technologies, said Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech Enterprise, No. 96 on the 2020 CRN Solution Provider 500.

“The message that the cloud is more secure than the local on-premises provider or customer is a reaching statement,” said Venero. “The fact is the large cloud providers like Microsoft Azure are higher targets. They are constantly being bombarded by bad actors to gain access into their organizations. They are a bigger target with their tens of thousands of customers versus me locking down my local on-premises scenario utilizing best-of-breed technologies and tools from different security ecosystem providers.”

Jakkal acknowledged in her blog post Thursday that Microsoft was “of course” an early target of the SolarWinds hackers given the expansive government and commercial use of Microsoft’s productivity tools as well as the company’s leadership in security. Media reports and high-profile industry figures like Alex Stamos have attributed the SolarWinds hack to the Russian foreign intelligence service, or SVR.

As for Venero, he sees “embrace the cloud” for a more secure infrastructure as a “give it all to me” approach that puts the customer at greater risk. “We can harden an on-premises solution and provide better security with a hybrid cloud approach versus someone that decides to outsource all of their data, strategic organizational information, financial data and personnel information with a single cloud provider,” he said.

The all-in cloud methodology also ignores the exponential increase in the number of employees at the cloud provider that gain access to customer’s data, said Venero. “You are increasing your footprint of risk just by the simple fact that you are outsourcing to a global cloud provider,” he said.

Venero pointed to the case two years ago of a former Amazon Web Services software engineer arrested in connection with the spring 2019 breach of Capital One, which ended up exposing personal information from 106 million credit card applicants and customers in the U.S. and Canada. In that case, Capital One agreed to pay $80 million to settle federal charges over the 2019 hack of its computer systems, which was one of the largest financial data breaches.

Venero said there are also issues of cloud providers potentially shutting down a customer because of the data or information being hosted in the cloud. “What if a defense contractor has information about a tactical kill weapon and the cloud provider does not agree with that socially?” said Venero. “Think about that risk.”

Future Tech itself stands by its hybrid cloud recommendation to customers, said Venero. “Microsoft’s message is, ‘Give it all to us, give us your hungry, tired and poor,’” he said. “They believe in a world where on-prem is not necessary for companies. For certain organizations that may be the case. For enterprise corporations and government agencies, that is not appropriate. They can’t have all their eggs in one basket that they don’t control. Then it is not your systems, not your people, not your processes, policies and procedures—it is theirs now.”

Venero said he sees an increasing number of customers who move to the cloud for cost savings but then realize the savings do not measure up. “The challenge is to get out of the cloud after you go all in, and sometimes it is just cost-prohibitive so they end up staying there,” he said. “We have seen that in numerous cases.”

Venero’s advice to customers: “Our message is always going to be the same: There needs to be a hybrid approach to on-premises and cloud. Each one of those approaches is going to be specific to the customer, what their business is, what their applications are, and how they measure risk in their organizations. Once you understand that, you can build the proper cloud strategy that can give you the best of both worlds. That is what we are here to do for our valued customers.”

CRN reached out to Microsoft for comment on this story but had not heard back by press time.