The cyber attack that has compromised many U.S. government and corporate networks is fueling a debate among major tech companies about the safest way for customers to store critical data.
It puts Microsoft Corp., which urges customers to rely on cloud computing systems, against others, including Dell Technologies Inc. and International Business Machines Corp.
IBM -2.89%
, claiming that customers want to mix the cloud with the more traditional on-premise data storage systems in a construction called hybrid cloud.
Government and industry cybersecurity experts have been trying to unravel details of the incident for about two months, leading to a reassessment of long-standing assumptions about network security. The hackers, researchers think, gained access through network company SolarWinds Corp. and other attack methods.
In a House committee hearing about the hack on Friday, Microsoft president Brad Smith said in prepared remarks that “cloud migration is critical to improving security maturity in many organizations.” All attacks identified by the company involve on-premise systems, he said earlier.
The debate is part of the fallout from the suspected Russia-led hack that Senate Committee Chairman Senator Mark Warner (D., Va.) Said on Tuesday that it “could go beyond what we as a nation in terms of scope and scale.”
Microsoft, one of the world’s largest cloud providers, has said cloud services provide customers with the most robust data protection. A mixed approach “creates an extra seam that organizations must secure. As a result of this decision, if the on-premise environment is compromised, it provides opportunities for attackers to target cloud services, ”Microsoft said in a blog post about its investigation into the hack.
The idea that the hybrid cloud is less secure is imprecise, says Paul Cormier, CEO of Red Hat, the company that IBM acquired two years ago in a bet on the growing demand for hybrid cloud services. “Any software can be broken into. The cloud providers can also be compromised, ”he said.
Traditionally, companies invested in large servers to store much of the data about their products and customers. That changed about ten years ago, with the emergence of cloud computing. Amazon.com Inc.
AMZN 1.17%
and Microsoft has popularized the business model, where they provide hardware and software remotely for pay-per-use, eliminating the need for businesses to buy and maintain expensive equipment. The cloud business has been an important source of income for both.
There is no evidence to suggest that Amazon’s systems were directly compromised, but hackers used the sprawling cloud data centers to launch an important part of the attack, security researchers said. Senators were upset that Amazon did not participate in a Senate hearing on the hack. Amazon said it was “unaffected by the SolarWinds issue” and had shared what it knew and notified government officials and lawmakers to law enforcement officials.
‘Any software can be broken into. The cloud providers could also be broken into. ‘
One of the biggest security concerns surrounding cloud computing is a fear that a service provider’s compromise could result in a wide range of its customers gaining access to their data, cybersecurity experts say.
It’s impractical to expect customers to move all their data to the cloud, said Mr. Cormier of Red Hat. Many companies, especially in the financial sector, are required to keep data on-site for security or legal reasons, he said.
Keeping data internal is considered more secure by many customers, said Keith White, former Microsoft Cloud Executive and Senior Vice President for Hybrid Cloud Services at Hewlett Packard Enterprise. Co.
HPE 0.48%
HPE did not find any of its customers exposed to the SolarWinds attacks, he said in an interview.
“A big reason for keeping things on-premise is because the customer wants to know where their data is,” said Mr. White.
Asking questions about hybrid cloud security “serves the broader Microsoft story,” Deepak Patil, a senior vice president of Dell Technologies cloud operations and former Microsoft cloud manager, told the Journal. “But the reality is, look at the majority of customers, their workloads are running on site.” Dell sells hardware and software to manage hybrid cloud systems.
Microsoft said in a statement “we provide security options for both cloud and on-premise deployments,” but added that the protection built into the cloud requires more effort to deliver to on-site servers.
In comments for Friday’s Congressional Hearing, Mr. Smith of Microsoft said that “when Microsoft’s cloud services are under attack, we can detect anomalies and indicators of compromise in ways that are not possible in a local environment.” The company also could not hunt the Russian hackers in local networks, he said.
Mark Warner, chairman of the Senate intelligence committee, said the suspected Russia-led hack could “ go beyond anything we have faced as a nation in scope and scale. ”
Photo:
Pool / Getty Images
The SolarWinds attack has hit at least nine federal agencies and 100 private companies and dates back to at least September 2019. US authorities say the intruders are likely Russian intelligence agents. Moscow has denied responsibility.
Microsoft itself was a victim of the attack and some of the source code was used to write software. The hackers looked at software linked to Microsoft’s Azure cloud, the company said. Mr Smith, at the Senate hearing on the hack on Tuesday, called for a “full investigation of the other cloud services and networks to which the Russians have access.”
Historically, Microsoft has had a large company on premises with servers on the Windows operating system. But under CEO Satya Nadella, the software powerhouse has aggressively pushed its customers towards its cloud products. It still offers products that allow customers to use their data centers.
Sign up to our weekly newsletter for more analysis, reviews, advice and headlines from WSJ Technology.
—Robert McMillan contributed to this article.
Write to Aaron Tilley at [email protected]
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8