Which is more secure, on-premise or the cloud?

One of our sixteen clients who are still running an on-premise Exchange server asked a question following last week’s zero-day exploit – in advance of what seems to be an eventual migration to the Microsoft 365 cloud, they asked whether they will be raising their risk level as China seems to be “laser-focused” on targeting Microsoft Cloud based apps. This leads to a broader question – which is generally more secure, on-premise solutions, or the cloud?

As with most any technical question, the answer is “it depends”. Many people prefer on-premise over the cloud as they feel as though they have more control over an on-premise solution. They trust that they will do all the right things to protect their environment, and don’t trust that cloud vendors will do the same. On the other hand, conventional wisdom is that the cloud is more secure than the average on-premise installation, because who do you think spends more on security per employee, a behemoth like Microsoft, or the average small business?

Ultimately, the real risk is that both are inherently insecure. You want security? No one should have any access to any data at any time. As soon as you start opening up access for users to interface with data, you risk that unauthorized access may occur. Allow that access to happen remotely – via VPN, remote desktop, or web-enabled solutions like Outlook on the web (commonly referred to as OWA), and your risk profile goes up, regardless of where the data resides.

Throw in a pandemic, which only served to accelerate Work-From-Anywhere (WFA) trends, and remote access isn’t going to go away. Therefore, the best approach is to adopt a security mindset to best protect your environment and all the places that data may live.

  • Be sure to adopt Multi-Factor Authentication (MFA) wherever it is a possible to do so, but ESPECIALLY on platforms like Microsoft365.
  • Be sure to include advanced security offerings, like including Microsoft Defender for Exchange (formerly known as Advanced Threat Protection, or ATP), whenever they are available on externally facing services like email.
  • Be sure to backup data to an external target location – for most, this is top-of-mind for on-premise solutions, but cloud-to-cloud backup of solutions like the Microsoft365 tenant is critical as well.
  • Be sure to train your end-users on security awareness. Suite3 has launched a free security awareness training program for our clients (ask your account manager for details!), and also offers subscriptions to regular monthly web-based training modules to keep your employees on point with new and emerging threats.

The bottom line is that it doesn’t matter where your email lives, the risks of a user falling for a social engineering email, clicking on a malicious link – those issues are going to be the same whether data resides in the cloud or on-premise. All users, from the novice to the IT admin, need to have a health dose of skepticism when reading email, and every organization should have a plan, and stick to the plan, so that all can Keep Calm and Compute On!