SolarWinds Hack pits Microsoft against Dell and IBM over how companies store their data

For the past two months or so, cybersecurity experts in government and industry have been trying to unravel the details of the incident that is leading to a reassessment of long-held assumptions about network security. Hackers, investigators believe, gained access through network company SolarWinds Corp. and other means of attack.

During a House committee hearing on the hack on Friday, Microsoft Chairman Brad Smith said in prepared remarks that “Cloud migration is essential to improve security maturity in the world. many organizations ”. All of the attacks the company identified involved on-premises systems, he has previously said.

The debate is part of the fallout from the alleged Russian-led hack that Senate Intelligence Committee Chairman Sen. Mark Warner (D., Virginia) said on Tuesday it could have scope and scale “at – beyond anything we have faced as a nation. “

Microsoft, one of the world’s largest cloud providers, said cloud services provide customers with the most robust data protection. A blended approach “creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, it creates opportunities for attackers to target cloud services, ”Microsoft said in a blog post about its investigation into the hack.

The idea that hybrid cloud is less secure is incorrect, said Paul Cormier, chief executive of Red Hat, the company IBM acquired two years ago in part in a bet on growing demand for cloud services. hybrid. “Any software could be hacked. Cloud providers could also be burgled, ”he said.

Companies have traditionally invested in large servers to store much of the data about their products and customers. That changed a decade ago with the rise of cloud computing. Amazon.com Inc.

AMZN 1.17%

and Microsoft popularized the business model where they remotely deliver hardware and software on a pay-as-you-go basis, eliminating the need for companies to purchase and maintain expensive equipment. Cloud business has been a major revenue driver for both.

There is no indication that Amazon’s systems were directly breached, but hackers used its vast cloud computing data centers to launch a key part of the attack, security researchers said. Senators expressed their irritation that Amazon did not participate in a Senate hearing on hacking. Amazon said it was “unaffected by the SolarWinds issue” and shared with law enforcement what it knew and briefed government officials and lawmakers.

One of the biggest security concerns with cloud computing, according to cybersecurity experts, is the fear that a service provider’s compromise will lead a wide range of its customers to access their data.

Expecting customers to move all of their data to the cloud is impractical, said Red Hat’s Cormier. Many companies, especially in the financial industry, are required to keep their data on-premises for security or regulatory reasons, he said.

Retaining data internally is viewed as safer by many customers, said Keith White, former cloud manager at Microsoft and senior vice president of hybrid cloud services at Hewlett Packard Enterprise. Co.

HPE 0.48%

HPE has not found any of its customers exposed to SolarWinds attacks, he said in an interview.

“One of the biggest reasons to keep things onsite is that the customer wants to know where their data is,” White said.

Asking questions about hybrid cloud security “serves Microsoft’s larger narrative,” said Deepak Patil, senior vice president of cloud business at Dell Technologies and former head of Microsoft cloud. “But the reality is, for a majority of customers, their workloads run on-premises.” Dell sells hardware and software to manage hybrid cloud systems.

In a statement, Microsoft said that “we provide security options for cloud and on-premises deployments,” but added that built-in cloud protection requires more effort to be delivered to on-premises servers.

In remarks for Friday’s congressional hearing, Microsoft’s Mr. Smith said that “when Microsoft’s cloud services are attacked, we can detect anomalies and indicators of compromise in ways that are not possible. in an on-site environment ”. The company also couldn’t hunt Russian hackers in local networks, he said.

The SolarWinds attack affected at least nine federal agencies and 100 private companies and dates back to at least September 2019. US officials say the intruders are likely Russian intelligence operatives. Moscow has denied any responsibility.

Microsoft itself was the victim of the attack and some of its source code was used to write downloaded software. Hackers looked at software related to Microsoft’s Azure cloud, the company said. Mr Smith, during the Senate hacking hearing on Tuesday, called for a “full review of other cloud services and networks that the Russians have accessed.”

Historically, Microsoft has had a large on-premise company with its Windows operating system running servers. But under the leadership of CEO Satya Nadella, the software powerhouse has aggressively pushed its customers to its cloud products. It always provides products that make it easier for customers to use their data centers.

–For more analysis, reviews, tips and WSJ Technology headlines, sign up for our weekly newsletter.

—Robert McMillan contributed to this article.

Write to Aaron Tilley at [email protected]