By Aaron Tilley
The cyberattack that compromised many U.S. government and corporate networks is fueling a debate among big tech companies over what the safest way is for customers to store critical data.
It pits Microsoft Corp., which is urging clients to rely on cloud-computing systems, against others including Dell Technologies Inc. and International Business Machines Corp., who argue customers want to mix the cloud with the more traditional on-premise data-storage systems in a construct called hybrid-cloud.
Government and industry cybersecurity experts for about two months have been trying to unravel details of the incident that is causing a reassessment of long-held networking-security assumptions. The hackers, investigators believe, gained access via networking company SolarWinds Corp. and other avenues of attack.
In a House committee hearing about the hack Friday, Microsoft President Brad Smith said in prepared remarks that "cloud migration is critical to improving security maturity across many organizations." All of the attacks the company has identified involved on-premise systems, he has previously said.
The debate is part of the fallout from the suspected Russia-led hack that Senate Intelligence Committee Chairman Sen. Mark Warner (D., Va.) on Tuesday said might be in scope and scale "beyond any that we've confronted as a nation."
Microsoft, one of the world's biggest cloud vendors, has said cloud services offer customers the most robust data protection. A mixed approach "creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services," Microsoft said in a blog post on its investigation of the hack.
The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the business IBM acquired two years ago in part in a bet on the growing demand for hybrid cloud services. "Any software could get broken into. The cloud providers could get broken into as well," he told The Wall Street Journal.
Companies traditionally invested in big servers to store much of the data on their products and customers. That changed about a decade ago, with the rise of cloud-computing. Amazon.com Inc. and Microsoft popularized the business model where they provide remote hardware and software on a pay-as-you-go basis, eliminating the need for companies to buy and maintain expensive equipment. The cloud business has been a major earnings driver for both.
There is no indication Amazon's systems were directly breached, but hackers used its sprawling cloud-computing data centers to launch a key part of the attack, security researchers have said. Senators expressed irritation that Amazon didn't participate in a Senate hearing on the hack. Amazon said it was "not affected by the SolarWinds issue" and had shared with law enforcement what it knew and had briefed government officials and lawmakers.
One of the biggest security concerns around cloud computing is fear that the compromise of a service provider could lead to a broad set of its customers having their data accessed, cybersecurity experts have said.
Expecting customers to shift all of their data to the cloud is impractical, Red Hat's Mr. Cormier said. Many companies, especially in the financial industry, are required to keep data on-premises for security or regulatory reasons, he said.
Holding data in-house is seen as safer by many customers, said Keith White, a former Microsoft cloud executive and senior vice president for hybrid-cloud services at Hewlett Packard Enterprise Co. HPE didn't find any of its customers exposed to the SolarWinds attacks, he said in an interview.
"One key reason to keep things on-premise is because the customer wants to know where their data is," Mr. White said.
Raising questions about hybrid-cloud security "serves the broader Microsoft narrative," Deepak Patil, a senior vice president of Dell Technologies' cloud business and former Microsoft cloud executive, told the Journal. "But the reality is, look at a majority of customers, their workloads are running on-prem." Dell sells hardware and software to manage hybrid cloud systems.
Microsoft in a statement said "we offer security options for both cloud and on-premises deployments" but added that the protection built into the cloud requires more effort to deliver to on-site servers.
In remarks for the Friday congressional hearing, Microsoft's Mr. Smith said that "When Microsoft's cloud services are attacked, we can detect anomalies and indicators of compromise in ways that are not possible in an on-premises environment." The company also couldn't hunt for the Russian hackers in on-premises networks, he said.
The SolarWinds attack affected at least nine federal agencies and 100 private companies and dates back at least to September 2019. U.S. authorities say the intruders are likely Russian intelligence agents. Moscow has denied responsibility.
Microsoft itself was a victim in the attack and had some of its source code, which is used to write software, downloaded. The hackers viewed software linked to Microsoft's Azure cloud, the company said. Mr. Smith, at the Senate hearing on the hack on Tuesday, called for a "full examination of what other cloud services and networks the Russians have accessed."
Historically Microsoft has had a large on-premise business with its Windows operating system running servers. But under CEO Satya Nadella, the software powerhouse has aggressively pushed its customers toward its cloud products. It still provides products that facilitate customers using their data centers.
--Robert McMillan contributed to this article.
(END) Dow Jones Newswires