Microsoft is urging customers to embrace the cloud for security, warning those with on-premises services that they are responsible for protecting their own identity infrastructure.
The software giant strongly recommends that customers manage identity and access from the cloud, noting that with Azure Active Directory, Microsoft is responsible for protecting the identity infrastructure from the cloud. Microsoft said it’s able to detect and remediate attacks no one else can see thanks to visibility provided by the company’s cloud-scale machine learning systems.
“We were also reminded of the importance of cloud technology over on-premises software,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Cloud technologies like Microsoft 365, Azure and the additional premium layers of services available as part of these solutions improve a defender’s ability to protect their own environment.”
Microsoft said Thursday that the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.
Organisations that delegate trust to on-premises components in deployments that connect on-premises infrastructure and the cloud end up with an additional seam they need to secure, the Microsoft Security Research Center (MSRC) wrote in a blog post Thursday. As a result, if an on-premises environment is compromised, there’s an opportunity for hackers to target cloud services, the MSRC said.
Many organisations with hybrid deployments delegate trust to on-premises components for critical authentication and directory object state management decisions, according to Alex Weinert, Microsoft’s director of identity security. But if the on-premises environment is compromised, Weinert said these trust relationships mean that hackers can also compromise a victim’s Microsoft 365 environment.
“As we have seen in recent events related to the SolarWinds compromise, on-premises compromise can propagate to the cloud,” Weinert wrote in a Dec. 18 blog post. “Because Microsoft 365 acts as the ‘nervous system’ for many organizations, it is critical to protect it from compromised on-premises infrastructure.”
The SolarWinds hackers have taken advantage of Microsoft’s technology on numerous occasions to go after the emails of U.S. government agencies or private sector organizations. The hackers infiltrated the email system used by the Treasury Department’s senior leadership by performing a complex step inside Microsoft Office 365 that tricked the Treasury’s system into thinking the hackers were legitimate users.
The SolarWinds hackers tried and failed to get into CrowdStrike and read its emails via a Microsoft reseller’s Azure account that was responsible for managing CrowdStrike’s Microsoft Office licenses. In addition, the certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect products to Microsoft 365 was compromised by the SolarWinds hackers.
The chief technology officer of a large national solution provider, who asked not to be named, cautioned that the cloud doesn’t solve everything from a security standpoint and urged customers to determine for themselves on a workload-by-workload basis whether the cloud or on-premises is a better fit. For some customers, the CTO said there’s more customization available on-premises around security configuration and management.
“I don’t believe it’s technically sound for Microsoft to shift the blame of [the SolarWinds hack] to just on-premises software and things like on-premises services,” the CTO told CRN. “A cloud provider, like a Microsoft, isn’t completely responsible for compliance, for privacy and for all the security a company might need.”
Jakkal acknowledged in her blog post Thursday that Microsoft was “of course” an early target of the SolarWinds hackers given the expansive government and commercial use of Microsoft’s productivity tools as well as the company’s leadership in security. Media reports and high-profile industry figures like Alex Stamos have attributed the SolarWinds hack to the Russian foreign intelligence service, or SVR.
CRN reached out to Microsoft for comment on this story but had not heard back by press time.