The cyber attack that has compromised many US government and corporate networks is fueling a debate among large technology companies over which is the safest way for customers to store critical data.
It contradicts Microsoft Corp., which urges customers to rely on cloud computing systems for others, including Dell Technologies Inc. and International Business Machines Body.
IBM -2.89%
, who claim that customers want to mix the cloud with more traditional local data storage systems in a construct called hybrid cloud.
Government and industry experts in cybersecurity for about two months have been trying to find out the details of the incident that is causing a reassessment of long-term network security assumptions. The hackers, investigators believe, gained access through the network company SolarWinds Corp. and other remedies.
At a hearing in the House committee on Friday on piracy, Microsoft President Brad Smith said in prepared remarks that “cloud migration is key to improving the maturity of security in many organizations.” He previously said that all the attacks the company identified involved local systems.
The debate is part of the aftermath of the suspected Russian attack, which Senate Intelligence Committee Chairman Sen. Mark Warner (D., Va.) Said Tuesday that it could be “beyond anything we have faced the nation.” . “
Microsoft, one of the world’s largest cloud providers, said cloud services offer customers the most robust data protection. A mixed approach “creates an additional seam that organizations need to provide. One consequence of this decision is that if the local environment is compromised, this creates opportunities for attackers to target cloud services, “Microsoft said in a blog post about its investigation into the hack.
The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the business that IBM acquired two years ago, partly in a bet on growing demand for hybrid cloud services. “Any software could be split. Cloud providers could also be divided, “he said.
Companies have traditionally invested in large servers to store much of the data about their products and customers. This changed about a decade ago with the advent of cloud computing. Amazon.com Inc.
AMZN 1.17%
and Microsoft has popularized the business model in which it provides remote hardware and software for a fee, eliminating the need for companies to buy and maintain expensive equipment. The cloud business has been an important gain factor for both.
There is no indication that Amazon’s systems were directly breached, but hackers used its extensive cloud computing data centers to launch a key part of the attack, security researchers said. Senators expressed irritation that Amazon did not attend a Senate hearing on the hack. Amazon said it was “not affected by the SolarWinds issue” and shared with law enforcement what it knew and informed government officials and lawmakers.
“
“Any software could be split. Cloud providers could also be split. ‘
”
One of the biggest security concerns about cloud computing is the fear that compromising a service provider could lead to data being accessed by a wide range of customers, cybersecurity experts said.
Expecting customers to transfer all their data to the cloud is not practical, said Mr. Red Hat Cormier. He said many companies, especially in the financial industry, have to keep data on premises for security or regulatory reasons.
Keeping data indoors is considered safer by many customers, said Keith White, a former Microsoft cloud executive and senior vice president for hybrid-cloud services at Hewlett Packard Enterprise. Co.
HPE 0.48%
HPE did not find any of its customers exposed to SolarWinds attacks, he said in an interview.
“A key reason to keep things in place is that the customer wants to know where their data is,” White said.
Raising questions about hybrid cloud security “serves the broader Microsoft narrative,” Deepak Patil, senior vice president of cloud technology at Dell Technologies and former Microsoft cloud executive, told Journal. “But the reality is that, look at most customers, their work is done on-prem.” Dell sells hardware and software for managing hybrid cloud systems.
Microsoft said in a statement that “we offer security options for both cloud and local deployments,” but added that built-in cloud protection requires more effort to deliver to servers on the site.
In remarks for Friday’s congressional meeting, Mr. Smith, Microsoft said that “when Microsoft’s cloud services are attacked, we can detect anomalies and compromise indicators in ways that are not possible in a local environment.” The company also failed to hunt down Russian hackers on local networks, he said.
Senate Intelligence Committee Chairman Mark Warner said the alleged Russian-led hack could have a magnitude and scale “beyond anything we have faced as a nation.”
Photo:
Pool / Getty Images
The SolarWinds attack has affected at least nine federal agencies and 100 private companies and dates back to at least September 2019. US authorities say the intruders are likely Russian intelligence agents. Moscow has denied responsibility.
Microsoft itself was the victim of the attack and downloaded some of its source code to write the software. The hackers viewed software related to the Microsoft Azure cloud, the company said. Mr. Smith, at the Senate meeting on the hack, on Tuesday called for a “complete examination of what other services and cloud networks the Russians have accessed.”
Historically, Microsoft has had a large business on the ground, with its Windows operating system running servers. But under CEO Satya Nadella, the software plant has aggressively pushed its customers to its cloud products. It continues to offer products that make it easier for customers to use their data centers.
–For more WSJ Technology reviews, reviews, tips and headlines, sign up for our weekly newsletter.
—Robert McMillan contributed to this article.
Write to Aaron Tilley at [email protected]
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8