A couple of recent events bring to light the true costs of running an on-premises IT infrastructure: the widespread and long-lasting power disruption in Texas, and the 0-day Microsoft Exchange vulnerability that is still being actively exploited at this time.
First, we look at the Texas power disruptions and how they could impact your IT infrastructure. If an organization’s disaster recovery plan consists of relying on data backups, it is not a disaster recovery plan. As the power outage showed, having datacenters in a single geographic region can have large impacts. Even if there is backup power, usually there is only 24-48 hours of fuel stored with a generator. After a week or two of no electricity, refueling a backup generator will be a real challenge. That is also assuming an organization has multiple datacenters. If there is only one datacenter, the situation is even worse.
If an organization can't afford to have multiple, geographically dispersed datacenters, the organization can't afford to have an on-premises infrastructure.
While initial setup may be more complex, a hybrid cloud solution is often the most cost-effective way to address this issue. Keep the existing infrastructure in place and add a cloud solution for disaster recovery. Make sure all data is quickly and regularly synchronized to a cloud environment, and periodically exercise the cloud environment with realistic tests. When not in use, keep all of the compute resources off.
Zero Day Vulnerabilities
The Microsoft Exchange vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 are being actively exploited as this is being written. If your organization has an on-premises Exchange server, this directly impacts you. Even if the server(s) have been patched, a question to ask is: was the system already at the latest cumulative update (CU), or did the CU have to be installed first, and then the security patch?
Our bet is a CU had to be installed first. Because CUs aren't delivered through the normal Windows Update, many organizations miss them. So, if the CU had to be installed, the Exchange environment is NOT being regularly patched. If you don't know whether the CU had to be installed, ask the IT staff responsible for patching the server. This is important to know!
If the Exchange server isn't being patched, what about database servers? Probably not...
Why aren't these critical systems being regularly patched? Often the answer is service availability. When can the service be "taken down" to apply the patch, and then what if the patch breaks some critical part of the service?
Addressing service availability is the same as the geographically dispersed datacenters above: the organization needs multiple redundant servers, where some can be removed from service, patched, tested, and brought back into service so the remaining systems can be patched. As above, if an organization can't afford to do this, it can't afford on-premises IT infrastructure.
With Exchange specifically, organizations using Microsoft's 365 cloud suite were not impacted by this Exchange 0-day. Even with an Exchange/365 hybrid setup where the on-premises Exchange server is protected by a firewall, these vulnerabilities would have been mitigated.
For other critical systems like database servers, a hybrid cloud approach often makes the most sense here too. Build replicated database servers in the cloud that can be patched and take over the application load while on-premises servers are being patched. While licensing may be expensive, it costs much less than a compromised IT environment.
iuvo Technologies has extensive experience with full cloud migrations, hybrid cloud migrations, and migrations to Microsoft 365 from many different mail solutions, including Microsoft Exchange. We can provide guidance on what will fit your organization and how best to prepare for these types of issues in the future.
Contact us for further support or to chat about your IT infrastructure more.