Microsoft SharePoint Attacks Show Weaknesses of On-Prem Storage vs. Cloud

Is your data safe anywhere? 

In the past week, more victims have emerged from the attack on Microsoft’s SharePoint servers in which a Chinese hacking group called Storm-2603 exploited a vulnerability to deploy ransomware on clients running SharePoint from on-premise networks, rather than those hosted by the tech giant.

While many companies maintain on-premise networks and servers, believing that they are more secure than the cloud, increasingly sophisticated cyberattacks such as the SharePoint breach have introduced fresh doubts. The reality isn’t comforting: “No environment is safe. Not the cloud, nor on-prem, nor hybrid,” said Trevor Morgan, COO of OpenDrives.  

“Given enough of an attack surface – and SharePoint has a massive attack surface – it is going to be attacked,” said Morgan. 

Often, decisions around cloud and data storage strategies are made “too rapidly,” Morgan said, without considering the real needs of a business. Cloud and on-premise data and system storage strategies each have their risks and benefits, he added. “Neither one is a safer option.” 

• Cloud comes with a scalability, ubiquity and ease of use that make it a popular option, said Morgan. Cloud can be costly, however, especially when considering data egress fees. Additionally, Morgan noted, “cloud is very porous.” One incorrect misconfiguration is all a hacker needs to expose your whole business to vulnerability. 
• On-premise strategies, meanwhile, offer enterprises more control over what goes where. Along with being expensive in their own right, however, requiring expertise, cash and resources, the buck always stops with the enterprise, said Morgan. “The problem with on-premise is that it convinces people that the physical points of security take care of it.”

While a hybrid approach strikes a balance between the two, finding the best of both worlds still won’t offer your enterprise complete protection, said Morgan. 

Hybrid solutions tend to involve the consistent movement of data from one place to another, which in and of itself can be “scary,” he said. “What’s protecting data in motion? It’s crossing switches and routers and all sorts of threat points. Sure, there’s encryption, but encryption can be cracked.” 

In reality, the problem with any of the options usually isn’t the tech, he said. It’s an enterprise’s culture around security. A business is only as strong as its weakest link, he said, and that link tends to be human. It’s why adopting zero-trust strategies, or the idea that no one entity is innately trustworthy, is the best way to prevent pitfalls, he said. 

“Why does everybody need to have access to (all) data?” Morgan said. “Zero trust is this notion that at every single stop along the way, the accessing person or group needs to be challenged. Hybrid needs to be coupled with some sort of philosophy … where we don’t just give blanket permissions.”