SolarWinds pits Microsoft with Dell and IBM over how companies store data

Government and industry cybersecurity experts for about two months have been trying to uncover details of the incident that is causing a reassessment of long-standing network security assumptions. Hackers, researchers believe, have gained access through network company SolarWinds Corp. and other avenues of attack.

At a House committee hearing on the hack on Friday, Microsoft President Brad Smith said in prepared comments, “Cloud migration is critical to improving security maturity in many organizations.” All the attacks the company identified involved local systems, he said earlier.

The debate is part of the consequences of the suspected Russian-led hack that Senate Intelligence Committee chairman Senator Mark Warner (D., Virginia) said on Tuesday that it may be in scope and scale “beyond anyone who we have confronted as a nation. “

Microsoft, one of the largest cloud providers in the world, said cloud services offer customers the most robust data protection. A mixed approach “creates an additional divide that organizations need to protect. One consequence of this decision is that if the on-premises environment is compromised, it will create opportunities for attackers to target cloud services, ”said Microsoft in a blog post about the hack investigation.

The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the company that IBM acquired two years ago in part in a bet on the growing demand for hybrid cloud services. “Any software can be hacked. Cloud providers can also be hacked, ”he said.

Companies traditionally invest in large servers to store much of their product and customer data. That changed about a decade ago, with the rise of cloud computing. Amazon.com Inc.

AMZN 1.17%

and Microsoft popularized the business model in which they provide remote hardware and software with pay-as-you-go, eliminating the need for companies to buy and maintain expensive equipment. The cloud business has been a major driver of earnings for both.

There is no indication that Amazon’s systems were breached directly, but hackers used their extensive cloud computing data centers to launch an important part of the attack, security researchers said. Senators expressed irritation that Amazon did not attend a Senate hearing on the hack. Amazon said it was “unaffected by the SolarWinds problem” and shared with law enforcement officials what it knew and informed government officials and lawmakers.

One of the biggest security concerns around cloud computing is the fear that a service provider’s commitment could cause a wide range of customers to have their data accessed, cybersecurity experts said.

Expecting customers to move all of their data to the cloud is impractical, said Cormier of Red Hat. Many companies, especially in the financial sector, are required to keep data in place for security or regulatory reasons, he said.

Maintaining data internally is seen as more secure by many customers, said Keith White, a former Microsoft cloud executive and senior vice president of hybrid cloud services at Hewlett Packard Enterprise Co.

HPE 0.48%

HPE did not find any of its customers exposed to SolarWinds attacks, he said in an interview.

“One of the main reasons for keeping things in place is because the customer wants to know where their data is,” said White.

Raising questions about hybrid cloud security “serves Microsoft’s broader narrative,” Deepak Patil, senior vice president of cloud business at Dell Technologies and a former Microsoft cloud executive, told the Journal. “But the reality is, look at most customers, their workloads are running on the spot.” Dell sells hardware and software to manage hybrid cloud systems.

Microsoft in a statement said that “we offer security options for cloud and on-premises deployments”, but added that built-in cloud protection requires more effort to be delivered to on-premises servers.

In comments to the Congressional hearing on Friday, Mr. Smith of Microsoft said that “when Microsoft cloud services are attacked, we can detect anomalies and indicators of compromise in ways that are not possible in a local environment.” Nor can the company hunt down Russian hackers on local networks, he said.

The attack on SolarWinds affected at least nine federal agencies and 100 private companies and dates back to at least September 2019. American officials say the attackers are likely to be Russian intelligence agents. Moscow has denied responsibility.

Microsoft itself was a victim of the attack and downloaded part of its source code to write software. Hackers saw software linked to Microsoft’s Azure cloud, the company said. Mr. Smith, at the Senate hearing on the hack on Tuesday, called for a “thorough examination of what other cloud services and networks the Russians accessed”.

Historically, Microsoft has had a large local business with its Windows operating system running servers. But under CEO Satya Nadella, the power of the software has been aggressively pushing its customers towards its cloud products. It also provides products that make it easier for customers to use their data centers.

–For more WSJ Technology reviews, analysis, advice and headlines, sign up for our weekly newsletter.

—Robert McMillan contributed to this article.

Write to Aaron Tilley at [email protected]