Originally posted by DataEndure Director Of Technical Operations, Joseph Dickens, on linkedin.com
Microsoft on-premise Exchange in the crosshairs
Earlier in the year, we saw multiple zero-day exploits being used to attack tens of thousands of US organizations with on-premises Exchange servers, giving attackers full access to user emails and passwords on the affected servers, administrator privileges on the server, and access to connected devices on the same network. And the attacks continue – with the most recent urgent high severity vulnerability being announced just a couple weeks ago. Threat actors are actively scanning for vulnerable Microsoft Exchange servers and abusing Microsoft Exchange vulnerabilities, using these flaws to obtain remote access to Exchange servers and then attempt to exfiltrate sensitive information, including entire mailboxes.
Companies hosting their email communication on-premise are in the crosshairs of cyber adversaries, causing organizations to fast-track their evaluation of Exchange Online. In fact, Tony Redmond, Microsoft MVP and noted author, stated, “The bottom line is that if you can move email off on-premises Exchange to the cloud you should do so as quickly as you can.”
Although cloud computing continues to gain ground in organizations worldwide, it’s reasonable (and prudent) to ask questions about costs, effort and, above all, security when making this decision. The information below serves to illustrate the activities and costs you eliminate AND the capabilities you gain by moving to Exchange Online.
Hardware and Software costs
Cost is one of the many reasons why companies are switching to Exchange Online. Moving from a Capex to Opex service model is an easy choice for most companies, especially start-ups and smaller businesses that have a limited IT budget.
When purchasing (or upgrading) an on-premise email server, you’ll need to purchase Windows Server and Exchange licensing, in addition to client access licenses for every user within your organization. The licensing costs alone can run into thousands of dollars before you’ve even purchased the hardware!
And don’t forget the running costs involved with hosting a server. You’ll need to include costs associated with powering and cooling the server 24/7 in addition to ongoing maintenance and some form of backup solution.
In comparison, Microsoft Exchange Online incorporates ALL of the features found in an on-premise Exchange solution for a manageable and predictable monthly cost.
Cloud email services are more reliable than on-premise email servers. With an on-premise solution, the reliability of service could be affected by power outages or hardware failure, especially if no redundancy has been put into place.
In addition, with an on-premise Exchange server, you are responsible for the ongoing server maintenance. This maintenance includes updates, patching, general administration, and security.
With Microsoft Exchange Online, service up-time is the responsibility of the vendor. Microsoft’s confidence in its cloud platform is financially backed with a 99.9% up-time guarantee. Microsoft Exchange Online provides all the functionality of your on-premise Exchange server without the responsibility of ongoing maintenance, or the cost and requirements of building out redundancy to protect you in the event of an outage.
Maintenance and Operations
Maintenance is a cost that often gets overlooked when businesses conduct their budgetary planning for the year ahead, and one that can be surprisingly high.
On-premise Microsoft servers require ongoing scheduled and unplanned maintenance in the form of patching and rolling out updates and service packs. Maintaining an Exchange server isn’t simple or straightforward. Implementing updates and patching can be a complex exercise – and one that can be further complicated if any updates fail or are not applied correctly.
If regular maintenance isn’t conducted, you risk compromising not only your company emails but your overall security posture. Adversaries know most companies struggle to stay current with patching and updates and are aggressively exploiting these vulnerabilities to get inside a network and extract or ransom data.
With Exchange Online, all security updates, patching and upgrades are the responsibility of the vendor. You will still be required to administer Exchange (adding/removing accounts, AD integration, user permissions, etc.), but all other maintenance tasks are the responsibility of Microsoft.
Software Updates and Capabilities
Once your on-premise Exchange server becomes outdated, you will need to purchase new Server Licensing and client access licenses. Depending on the size of your business, this cost can run into thousands.
With Exchange Online, your version of Exchange will always be updated to the latest version at NO additional cost.
Exchange Online is far more scalable when compared to an on-premise solution. With an on-premise Exchange solution, you’ll need to make sure that you purchase enough licenses for new employees that join the company over time. However, if your business takes an unexpected downturn and your staff is scaled back, then you’ll be left with the same number of licenses because they cannot be returned or resold.
As a subscription-based service, with Exchange Online you can add and remove users as needed without incurring any unnecessary licensing costs.
Compliance and Security
Exchange Online meets numerous compliance and regulatory certifications. These include ISO 27001 and European Union (EU) model clauses.
Exchange Online features Exchange Online Protection (EOP), a cloud-based email filtering solution that helps to protect you against spam and malware threats. It also offers multi-factor authentication with the service, which significantly cuts the chance of people gaining unauthorized access to your user accounts.
The caveat here would be for organizations that have particularly strict security requirements that prohibit or exclude cloud as an option for hosting email.
Should you move to Exchange Online?
For most organizations, it’s hard to recommend an on-premise Exchange server over Exchange Online once you look at the pros and cons. In particular, it makes both commercial and financial sense for smaller or growing businesses to move to Exchange Online, which offers the switch from Capex to Opex, increased service reliability, and mitigation of the risk of system downtime or compromise.
For most businesses, the benefits of Exchange Online far outweigh any drawbacks. It’s fast, convenient, and affordable. If you are considering a change, let’s talk about how DataEndure can help.