By Aaron Tilley
The cyberattack that compromised many U.S. government and
corporate networks is fueling a debate among big tech companies
over what the safest way is for customers to store critical
data.
It pits Microsoft Corp., which is urging clients to rely on
cloud-computing systems, against others including Dell Technologies
Inc. and International Business Machines Corp., who argue customers
want to mix the cloud with the more traditional on-premise
data-storage systems in a construct called hybrid-cloud.
Government and industry cybersecurity experts for about two
months have been trying to unravel details of the incident that is
causing a reassessment of long-held networking-security
assumptions. The hackers, investigators believe, gained access via
networking company SolarWinds Corp. and other avenues of
attack.
In a House committee hearing about the hack Friday, Microsoft
President Brad Smith said in prepared remarks, that "cloud
migration is critical to improving security maturity across many
organizations." All of the attacks the company has identified
involved on-premise systems, he has previously said.
The debate is part of the fallout from the suspected Russia-led
hack that Senate Intelligence Committee Chairman Sen. Mark Warner
(D., Va.), on Tuesday said might be in scope and scale " beyond any
that we've confronted as a nation."
Microsoft, one of the world's biggest cloud vendors, has said
cloud services offer customers the most robust data protection. A
mixed approach "creates an additional seam that organizations need
to secure. A consequence of this decision is that if the
on-premises environment is compromised, this creates opportunities
for attackers to target cloud services," Microsoft said in a blog
post on its investigation of the hack.
The notion that the hybrid cloud is less secure is inaccurate,
said Paul Cormier, chief executive of Red Hat, the business IBM
acquired two years ago in part in a bet on the growing demand for
hybrid cloud services. "Any software could get broken into. The
cloud providers could get broken into as well," he told The Wall
Street Journal.
Companies traditionally invested in big servers to store much of
the data on their products and customers. That changed about a
decade ago, with the rise of cloud-computing. Amazon.com Inc. and
Microsoft popularized the business model where they provide remote
hardware and software on a pay-as-you-go basis, eliminating the
need for companies to buy and maintain expensive equipment. The
cloud business has been a major earnings driver for both.
There is no indication Amazon's systems were directly breached,
but hackers used its sprawling cloud-computing data centers to
launch a key part of the attack, security researchers have said.
Senators expressed irritation that Amazon didn't participate in a
Senate hearing on the hack. Amazon said it was "not affected by the
SolarWinds issue" and had shared with law enforcement what it knew
and had briefed government officials and lawmakers.
One of the biggest security concerns around cloud computing is
fear that the compromise of a service provider could lead to a
broad set of its customers having their data accessed,
cybersecurity experts have said.
Expecting customers to shift all of their data to the cloud is
impractical, Red Hat's Mr. Cormier said. Many companies, especially
in the financial industry, are required to keep data on-premises
for security or regulatory reasons, he said.
Holding data in-house is seen as safer by many customers, said
Keith White, a former Microsoft cloud executive and senior vice
president for hybrid-cloud services at Hewlett Packard Enterprise
Co. HPE didn't find any of its customers exposed to the SolarWinds
attacks, he said in an interview.
"One key reason to keep things on-premise is because the
customer wants to know where their data is," Mr. White said.
Raising questions about hybrid-cloud security "serves the
broader Microsoft narrative," Deepak Patil, a senior vice president
of Dell Technologies' cloud business and former Microsoft cloud
executive, told the Journal. "But the reality is, look at a
majority of customers, their workloads are running on-prem." Dell
sells hardware and software to manage hybrid cloud systems.
Microsoft in a statement said "we offer security options for
both cloud and on-premises deployments" but added that the
protection built into the cloud requires more effort to deliver to
on-site servers.
In remarks for the Friday congressional hearing, Microsoft's Mr.
Smith said that "When Microsoft's cloud services are attacked, we
can detect anomalies and indicators of compromise in ways that are
not possible in an on-premises environment." The company also
couldn't hunt for the Russian hackers in on-premises networks, he
said.
The SolarWinds attack affected at least nine federal agencies
and 100 private companies and dates back at least to September
2019. U.S. authorities say the intruders are likely Russian
intelligence agents. Moscow has denied responsibility.
Microsoft itself was a victim in the attack and had some of its
source code used to write software downloaded. The hackers viewed
software linked to Microsoft's Azure cloud, the company said. Mr.
Smith, at the Senate hearing on the hack on Tuesday, called for a
"full examination of what other cloud services and networks the
Russians have accessed."
Historically Microsoft has had a large on-premise business with
its Windows operating system running servers. But under CEO Satya
Nadella, the software powerhouse has aggressively pushed its
customers toward its cloud products. It still provides products
that facilitate customers using their data centers.
-- For more WSJ Technology analysis, reviews, advice and
headlines, sign up for our weekly newsletter.
--Robert McMillan contributed to this article.
Write to Aaron Tilley at aaron.tilley@wsj.com
(END) Dow Jones Newswires
February 27, 2021 15:16 ET (20:16 GMT)
Copyright (c) 2021 Dow Jones & Company, Inc.
Hewlett Packard Enterprise (NYSE:HPE)
Historical Stock Chart
From Aug 2024 to Sep 2024
Hewlett Packard Enterprise (NYSE:HPE)
Historical Stock Chart
From Sep 2023 to Sep 2024