Recent Exchange Server security flaw drives home the benefits of moving email to the cloud.
On March 2, 2021, Microsoft issued an emergency patch for four critical vulnerabilities in Exchange Server 2013, 2016 and 2019. The company even took the unusual step of issuing a patch for Exchange Server 2010, which reached end-of-life on Oct. 13, 2020. Additionally, Microsoft released a new version of its Defender Antivirus tool that automatically detects the vulnerability and applies the patch.
The “zero-day” vulnerabilities were being actively exploited by state-sponsored threat actors who possibly had gained access to proof-of-concept attack code Microsoft had shared with antivirus vendors. Microsoft urged customers to install the patches immediately.
The vulnerabilities affect Outlook Web Access, which gives remote users access to their Exchange mailboxes. By exploiting the vulnerabilities, an attacker could hijack a server and execute code remotely, or open a back door into the system for exfiltrating data and deploying malware. Exchange Servers have also been hit with the DearCry and Black Kingdom ransomware variants.
Experts have received conflicting reports as to how many servers have been affected by the vulnerabilities. Some estimate that as many as 60,000 had been hacked by March 8, while others put the number closer to 250,000. Many organizations have been slow to implement the patches, increasing the risk as attack attempts continue to escalate.
The vulnerabilities do not affect cloud-based Exchange Online, which is maintained by Microsoft. The incident serves to reinforce the value of migrating on-premises Exchange to the cloud.
Benefits in the Cloud
First introduced in 1996, Microsoft Exchange Server continues to be the de facto standard for business-grade email service. By some estimates, there are more than 350 million Exchange Server mailboxes, compared to about 220 million active users on cloud-based Microsoft 365.
Clearly, many organizations prefer to host their own Exchange Server or are unable to move to the cloud for some reason. Nevertheless, on-premises Exchange presents a number of challenges. The in-house IT resources required to implement, maintain and manage Exchange Server can be cost-prohibitive, particularly small to midsize businesses (SMBs).
Because these IT resources are typically in short supply, many organizations are turning to a cloud-based Exchange model to reduce costs and simplify operations. Exchange Online shifts the management and maintenance burden to Microsoft and offers several other benefits as well:
Lower, more predictable total cost of ownership. Instead of purchasing, installing, configuring email infrastructure, Exchange Online allows organizations to utilize Microsoft’s hardware, software and expertise for a monthly fee. Any software updates and new features are implemented automatically. There’s never any need to go through the costly and disruptive process of migrating to a new version of Exchange.
Deployment and scalability. Exchange Online can be deployed in a matter of hours, compared to an average of 30 days for an on-premises solution. Users can be added easily and inexpensively without the need for additional hardware purchases.
Anytime, anywhere access. All email folders, contacts, calendars and data can be accessed and shared from virtually any Internet-connected desktop or mobile device. This allows for greater productivity, flexibility and collaboration in today’s work-from-home models.
Choosing the Best Option
Exchange Online is available as a standalone service or as part of the Microsoft 365 platform. For most organizations, Microsoft 365 is the better choice, as it includes collaboration, file-sharing and productivity tools. All of these cloud-based applications are highly mature, so there’s very little risk associated with migrating from on-premises systems.
That said, cloud-based servers do require some management. While the service provider is responsible for securing its infrastructure, customers maintain responsibility for controlling user access and protecting data stored in the cloud. Additionally, Microsoft 365 includes only limited recovery options for recently deleted files. Customers must have a cloud backup strategy to prevent data loss.
And moving all email to the cloud isn’t the best strategy for every organization. Some government and industry regulations require that certain mailboxes remain on-premises. Organizations may also have older hardware and software that won’t integrate with Exchange Online, or large public folders that they’d rather not migrate. In these instances, a hybrid environment with most mailboxes in the cloud and some on-premises might be the best choice.
Whether on-premises, in the cloud or a hybrid blend of the two, it makes sense to partner with a managed services provider (MSP). The MSP can handle the monitoring, maintenance and administration of Microsoft 365 and on-premises Exchange Server. This approach not only frees in-house staff of routine management tasks but provides greater reliability and security and responsive technical support.