A few weeks ago, disturbing news went around the world: The Chinese hacker group “Hafnium” has successfully attacked Microsoft’s “Exchange Server” software. Hundreds of thousands of e-mail servers worldwide may have been infected with malware in the process, allowing the hackers to read emails. Why this event should make us all think about our reservations about cloud technologies and where cloud-based solutions make sense – these are the questions I explore in this article with our IT experts Jens Thienhaus and Thomas Droste.
At the beginning of March, Microsoft announced that security vulnerabilities had been discovered in the globally distributed e-mail software “Exchange Server”. At the same time, several security patches (IT-speak for security updates) were released, including a warning that attacks had already been registered. Over the next few days, it became known that more than 250 thousand mail accounts could be affected by the hack. Ironically, according to IT security experts, Germany is particularly affected by the hacker attack because many German companies shy away from cloud computing due to security concerns.
According to Microsoft, the cloud-based “Exchange Online” service was not affected by the hack, unlike the locally installed “Exchange Server” software. Does this mean that cloud systems are ultimately more secure than on-premises installations? According to our IT expert Thomas Droste, a clear “yes and no”. Because as always in life – and also when it comes to weighing up locally installed software and hosted cloud services – thinking in black and white doesn’t get us anywhere, because there are sensible areas of application for one just as much as for the other.
Where Cloud Technologies Can Really Score
Increased Security through Provider Updates
The big problem with the latest Microsoft security leak was the delay in applying the security updates provided by Microsoft. The German government’s computer emergency response team, CERT-Bund, announced in a Twitter tweet that even eight days after the patches were released, 25,000 of 65,000 affected “Exchange Server” accounts were still vulnerable. This means that after more than a week, around 38% of the installed software had not yet been patched.
With cloud systems, on the other hand, the provider itself installs the patches. The significantly higher speed of the updates increases data security, as delays such as in the Microsoft case, where the patches had to be installed individually by the company’s own administrators, are eliminated.
Reduced Maintenance Tasks and Costs
While security against unpatched leaks is increased with cloud computing, the administrative effort for the company’s internal IT team is reduced. This is because the technical maintenance of the cloud servers is handled by the respective provider, as are the updates. Consider, for example, the monitoring of patch levels (i.e., the degree of up-to-dateness): doing this for every piece of installed software is very time-consuming. Not all security vulnerabilities are discussed as publicly and are thus as obvious as those of Microsoft, which is why regular and careful research must be carried out for this.
The necessary internal infrastructure is also reduced by cloud computing. It is no longer required to purchase a lot more server services for safety’s sake, which then remain unused for a large part of the time, just to absorb overload peaks. Instead, with cloud solutions, you generally only rent and pay for what you actually use, and the buffer for peak loads is distributed among all cloud users in terms of costs.
The cost-effectiveness of cloud solutions is also due to the fact that they are usually very easy to scale. This is because cloud services can usually be adapted to the dynamic needs of the users within a very short time. If, for example, an additional team is to be integrated into a cloud workflow, most solutions based on cloud technologies can be expanded with just a few clicks. And vice versa, licenses can often be easily canceled when they are no longer needed.
Green IT: Cloud Technologies as an Environmental Factor
The cloud can also score points when it comes to environmental protection. After all, it is often worthwhile not to have your own server. Our IT Manager Jens Thienhaus has a good comparison:
In addition, the waste heat generated in the cloud servers can be reused, e.g. for heating office complexes. There are also CO2-neutral servers, the use of which makes it easy to get started on the topic of “Green IT”. And finally, as we noticed during the pandemic year, remote work via cloud services also relieves the strain on our highways, thus protecting the climate.
Must-Have for Digital Collaboration
We’ve saved the most obvious current plus point for cloud technologies for last: collaboration without the constraint of physical presence. Cloud solutions overcome geographical boundaries in collaboration. Data can be accessed from anywhere at any time, documents and files can be edited together, and video telephony with additional features such as screen sharing or a digital whiteboard has been a must-have for companies at least since the Covid-19 pandemic. All of this enables team members to work together in a way that may be inferior to collaboration in local presence in terms of social proximity, but not in terms of functionality. The boundaries between companies are also blurring here, as communication between the respective employees is potentially facilitated, firstly through video conferencing, and secondly through collaboration in cloud-based enterprise software. This is also relevant for the New Work approach to the work environment.
Thinking outside the box: Thanks to the wide range of communication and collaboration options, companies can also effectively counter the current shortage of skilled workers. Especially in the area of knowledge work, many positions can be filled remotely without any problems if the necessary cloud systems are in use. All of a sudden, the search for skilled staff is no longer limited to the immediate geographical area, but the entire world of qualified future employees is potentially available.
Here You Better Choose On-Premises Software
Even though we said above that cloud systems are sometimes patched faster: the transfer and retention of business-critical data to a cloud server remains a security risk. With locally installed software, all data remains on-site at the company. This reduces this risk accordingly and you retain greater control over your data. It can therefore make sense to prefer the on-premises variant when dealing with business-critical data, such as sensitive customer data or software source code. If the advantages of a cloud solution outweigh the disadvantages for the area of application (for example, in collaborative processes), you would be well advised to obtain precise information from certified, reputable providers about their security standards.
Processing of Large Data Volumes or Low Latencies
If large amounts of data are generated in the work process, the processing of the same is usually preferably done on locally installed software. Whether it is the production of video content or large databases that are moved regularly: the transfer speed is usually many times higher in the local network. In the area of connecting machines and software, cloud technology is also usually not (yet) capable of connecting them at the necessary speed. If, for example, sensors control a production process, this control should be as fast as possible. So if the lowest latencies are required, it makes more sense to use the local network.
Control and Independence
Physical control of your own server can be worth its weight in gold. On the one hand, you can see and touch your own server on site; it is haptically tangible and thus conveys a secure feeling. For another, the company’s own IT expertise can make independent decisions about what happens to the installed software. The time for maintenance work can be individually defined, and in the case of updates, the decision about the “when” but also the “if” of the installation lies with the company’s own administrator. This can be a decisive criterion, especially in the area of highly regulated processes. One example here is medical technology, where regulated, specially approved processes also include a specific version of a software. In the case of an update, the entire process must be revalidated, which is why control over the update activity is absolutely essential here. You can read more about standards and quality management in medical technology in the article Quality is Life.
Moreover, unlike cloud technologies, with on-premises software a discontinuation of service by the provider (for example, in the event of insolvency or realignment) is not a risk; the installed software can potentially be used forever (within the terms of the license).
Internet as a Disruptive Factor
If you use software on your own PC, you are logically not dependent on the Internet. This factor should not be underestimated when deciding between cloud services or on-premises software. Even in large cities, the Internet connection is not always as stable as we might wish. It is therefore essential to consider whether a sudden loss of connection would be critical for business operations. Fun fact: Even with a stable Internet connection, the transfer to a cloud server can sometimes be interrupted. This is what happened when I was writing this article; I had to start all over again …
Locally installed solutions are usually better suited for data backup. This is because cloud services do not provide raw data access, and a full backup of the entire server is of course also not possible, since you have not purchased a server but merely rented a part of it. Backups are part of the service provided by the provider, but unfortunately, according to Patrick Ruppelt, founder and CEO of ITK Security, many cloud providers cut corners when it comes to data backups and do not adequately protect the data stored with them. However, due to the distribution of various companies with their data on one server, a comprehensive backup is hardly possible even from a technical point of view. This is not only a problem for regular data backups, but also usually leads to a comprehensive loss of data in the event of a provider change, since access to the data stock after the end of the subscription is not provided for. On the user side, this quickly leads to a dependency on a specific cloud solution, a so-called vendor lock-in, which prevents a company from flexibly switching to other cloud or on-premises software. On the other hand, if a company has its own server with installed software, a comprehensive backup of all data can be set up and an archive version of the old application can also be created when switching to a different software.
Integration into Your Own System Landscape
A patchwork of solutions can quickly lead to problems for permeability within one’s own system landscape. Of course, data exchange between systems should be guaranteed, but security quickly suffers in the process. Networking various locally installed software solutions is usually easier than a hybrid linking of cloud services and on-premises software. But here, too, massive technical progress has recently been made.
Especially if a high degree of individualization and adaptation to one’s own processes is important to you, locally installed software solutions still often offer a wider range of customizing options.
Why Say "Or" When You Can Say "And"?
While we have so far considered cloud technologies and on-premises software separately, it should be noted at this point that an absolute “or” will not be expedient in most cases. Because as we have seen in this article, both paths have unbeatable advantages. Some software manufacturers have also recognized this and have created hybrid models: an on-premises software is installed and can be docked to a cloud platform in certain areas. These hybrid solutions often offer the advantages of both variants.
Whether such a hybrid version made available by the provider or an independently assembled portfolio: a heterogeneous set-up of cloud technology and on-premises software will be a sensible reality for many companies in the near future – and that’s a good thing. Thomas Droste explains this with a basic IT principle that he also uses to guide his work:
A team member from software development, for example, faces different challenges in terms of data security and processing data volumes than a colleague from marketing. Therefore, one thing is essential for a balanced system landscape that serves all teams: internal communication. As an IT manager looking for the answer “cloud technologies or on-premises software?”, the first task is to gather and understand the requirements of the various departments and then, on the basis of individual consulting (which this article cannot replace, of course), carefully weigh up where one technology is preferable and where the other.