Microsoft recently announced that multiple hacking groups affiliated with nation-states were targeting Microsoft Exchange servers in coordinated attacks. These attacks utilized multiple zero-day exploits, and allowed hackers to not only read email, but also install additional malware to ensure long-term access to compromised servers. Over 60,000 servers may have been affected. An interesting note is that only on-premises Exchange servers are vulnerable, while Microsoft’s cloud-based Exchange Online service is not.
Zero-day exploits are so serious because they utilize a method of attack that was completely unknown before it was used. This means that no systems are patched against the exploit until the developer has time to build and test patches. Then, once the developer has released patches, IT departments worldwide must scramble to apply them while also dealing with fallout from the attack.
WHAT DOES THIS MEAN FOR MY BUSINESS?
If your business uses on-premises Exchange servers, this means that your IT department has been very busy. It might mean that you have compromised servers that need to be addressed. It certainly means that you’ll be worried about data exfiltration. However, if your business uses Office 365 and Exchange Online for mail, it means that you don’t have to worry about this attack – not just because Exchange Online wasn’t vulnerable in the first place, but because Exchange Online is inherently more secure against these types of attacks.
LEGACY SYSTEMS: A SECURITY PATCHWORK
In a traditional enterprise environment, a company might employ a dedicated staff to maintain hundreds of servers. Despite the best efforts of IT staff, this type of environment often drifts away from a consistent standard over time. Patches get deferred on servers for a variety of reasons: Maybe the organization can’t accept the downtime. Maybe the staff doesn’t have the bandwidth to do it. Maybe the staff doesn’t see it as a priority. Some servers get patched, but others don’t. No mechanism exists to ensure that patches are applied in a standardized and timely manner. This is a huge problem because current patches often rely on the existence of previous patches that might be missing. Even in organizations with sufficient resources and very strict patching regimens, staff must take the time to patch machines. All of this leads to a patchwork security posture where the most important machines are critically behind on updates.
Server Cost Example
Another issue: servers are expensive. A new Exchange Server might cost $10,000 just for the hardware. If you’re running on-prem Exchange, you’ll also need at least 2 Domain Controllers at another $10,000 each. You’ll need licensing for each server – that’s around $1,000 for Windows Server 2019, $780 for Exchange Server, plus about $97 in CAL licensing for EVERY user who wants to access the server. Then, you’ll still need to buy Outlook for your users – Office 2019 Professional Plus is $439.00 today. Once all of that’s done, you’ll still have to pay to maintain the systems – if your server goes down, you pay to fix it.
CLOUD SYSTEMS: A STANDARDIZED SECURITY POSTURE
In a modern Microsoft cloud environment, everything is standardized and centrally managed, with very high availability and very low downtime. In fact, Microsoft touts a worldwide uptime average of 99.98% over the past four years. You never have to worry about a server being outdated or unpatched because you never have to worry about a server at all. Hardware problems and patching are things of the past. In Microsoft’s Cloud, you never actually have to deal with an OS, or see a server. Instead, you see a unified dashboard for your entire environment. All you need is a connection to the internet. In the Microsoft Cloud, it’s literally impossible to be unpatched. In fact, patching is irrelevant because Microsoft handles it for you, silently and unobtrusively, all the time. While a zero-day exploit is still technically possible, the risk is greatly reduced because attackers know that any exploit will be patched immediately, automatically, worldwide.
ARE CLOUD SYSTEMS COST-EFFECTIVE?
Above, I discussed the cost of servers. In that example, we were looking at $33,000 for servers, and $536 of licensing per user just to get started. You would also require an IT employee to manage those servers, make sure they’re secure and patched, and handle outages – we’ll call that $100,000 including salary and benefits. In an organization with 100 users, you’ve already spent $187,380, your environment is still vulnerable, and you’ll still have to spend money every year to upgrade outdated software.
In contrast, a Microsoft 365 Business Premium license costs just $20/user per month. The entire environment is baked into that license – the administrative dashboards, the servers, the storage space, and the Office Professional licensing. You don’t have to buy hardware, and patching happens automatically. Administration is much less labor-intensive – in fact, Anders Technology advisors can handle this for you for a small monthly fee. In this model, your 100 users would cost just $24,000 for the entire first year. Your software would remain perpetually up to date, not just for the year, but for as long as you pay for the license. And, following best practices, your user accounts and data would be secure right out of the box.
How Microsoft 365 Can Replace Other Costly Tools
So far, we’ve been talking about Exchange servers, but your $20/user Microsoft 365 Business Premium license gets you far more than just email. After all, your Active Directory (AD) Domain is a lot more than just email. You have Domain Controllers and file shares, all running on server hardware. Maybe you have a System Center Configuration Manager (SCCM) Server. Maybe you’re also paying for a collaboration service like Zoom. Amazingly, all of those features can be replaced by a $20 Microsoft 365 license.
Microsoft 365 contains many products beyond just email, and each of them has the potential to sunset an on-premises service. Azure AD replaces the need for on-premises AD and Domain Controllers. OneDrive and SharePoint Online replace the need for on-premises file servers. Microsoft Intune replaces the need for SCCM. Microsoft Teams replaces the need for Webex, Slack, or Zoom. All of these technologies are included in the $20 Microsoft 365 Business Premium license. Post-migration, you could potentially shut down all of your servers, permanently. In fact, many of our clients do exactly that.
Cost of Migration
The initial investment of migrating to the cloud might be less than you think. For a simple on-premises to cloud email and file migration, Anders averages right around $100 in labor per user. Of course, each organization is different, and cost depends on several factors. Anders Technology advisors have performed hundreds of on-premises to Microsoft Cloud migrations and have the expertise to design a custom migration plan that works for your business and your budget. Contact an Anders advisor below to discuss your company’s unique migration situation.
Joe M. Szoke