With widespread hacking campaigns, endless vulnerabilities, and slow, technically tough patching, it may be time to migrate from on-premise Exchange to Exchange Online.
A long time ago, those who cared about their privacy and security ran their own email servers, but in today's world the vast majority host their personal email in the cloud.
According to cybersecurity experts, corporate and governmental networks should make a comparable changeover, one that is long overdue. Businesses that still run their own on-premise Microsoft Exchange email server somewhere in a closet or data centre should switch to a cloud service, if only to avoid the long-running bug problem in Exchange servers that has made it nearly impossible to keep determined hackers out.
“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI). “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”
Childs pointed out 20 security flaws in Exchange that a researcher reported to ZDI and ZDI reported to Microsoft, which remain unpatched. “Exchange right now has a very broad attack surface, and it just hasn’t had a lot of really comprehensive work done on it in years from a security perspective,” says Childs.
Childs cites two other ZDI Exchange vulnerability discoveries from 2018 and 2020 that were actively used by hackers even after Microsoft was notified and a patch was released. Risky Business, a security podcast, even went so far as to refer to the tedious cycle of server vulnerability disclosures and required patching by titling a recent episode "It's Exchangehog Day."
When WIRED reached out to Microsoft for comment on migrating from on-premise Exchange to Exchange Online, Aanchal Gupta, the corporate vice president of Microsoft Security Response Center (MSRC), responded with an exhaustive list of measures the company has taken to mitigate, patch, and harden on-premise Exchange servers.
Gupta agreed that most customers should move from on-premise Exchange servers to Microsoft's cloud-based email service, Exchange Online. “We strongly recommend customers migrate to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats,” Gupta said in an emailed statement. “Our work to support on-premises customers to move to a supported and up-to-date version continues, and we strongly advise customers who cannot keep these systems up to date to migrate to the cloud.”
“The proof is in the pudding,” says Jake Williams, a former National Security Agency hacker who leads threat intelligence at cybersecurity firm Scythe. “This code base is not getting the love that it clearly and desperately needs.” And if Microsoft isn’t giving that love to your Exchange server, perhaps Exchange no longer deserves your love, either.
Do you need help migrating from on-premise Exchange to Exchange Online? Reach out to the Reis team and schedule a complimentary business system assessment today!