Why You Should Migrate Away From On-Premises Exchange


For many business owners, deciding whether to host your data in the cloud or on-premise can be an overwhelming and complex matter, and is often a question directed towards their tech teams, IT experts or outsourced to external IT partners.

There are, as with any important business decision, pros and cons to either solution. However, if you are on the fence or considering making the move from an in-house server to a cloud-based alternative, now might be the best time.

As we delve deeper into the ongoing debate of on-premises Exchange VS the Cloud, it is important to note that there are a few key players in the world of cloud-based services. Microsoft and Google are the clear front-runners when it comes to business-class email, however, for the purpose of this article, our focus will be Microsoft on-premises Exchange Server VS Office 365. *

Office 365 is Microsoft’s subscription cloud offering which includes business-class email running on an Exchange back end, and for almost two decades, Microsoft on-premises Exchange has owned the majority market share. This is largely due to Microsoft continuously updating feature sets, management, and security. With significant growth in cloud computing, and in light of the COVID19 pandemic forcing businesses to switch to remote working, there are greater demands for scalability, improved efficiency, cost reduction, and increased security.

“The global cloud computing market size is expected to grow from USD 445.3 billion in 2021 to USD 947.3 billion by 2026, at a Compound Annual Growth Rate (CAGR) of 16.3% during the forecast period. Digital business transformation has entered a more challenging and urgency-driven phase due to the COVID-19 pandemic.”



We are now in the middle of a digital pandemic. Ransomware attacks are growing at an alarming rate with Cyber Gangs targeting businesses of all sizes.

By 2025, 30% of critical infrastructure organizations will experience a security breach that will result in the halting of operations, or mission-critical cyber-physical systems, according to Gartner, Inc.

Exchange servers, most notably on-premises, are easy targets for Threat Actors (TAs). Unpatched servers, legacy protocols, misconfigured firewalls, and elevated permissions leave unsecured environments exploitable and ripe for cyber-picking. Office 365 minimizes these risks by automating server patching and version updates, and by leveraging built-in security tools, including Role-based Access Control (RBAC) and the Security and Compliance Dashboard.


Microsoft Defender, which requires an additional license or modification to your subscription terms provides an assortment of security features:

  • Threat protection policies
  • Threat investigation and response capabilities
  • Anti-spam and Anti-phishing policies
  • Safe Links and Attachments
  • Realtime reporting
  • Email authentication protocols
  • Secure Score – Analyze and improve security posture


Office 365 (OpEX)

Cloud-based services incur limited up-front costs and the advantage of implementing the Operating Expense model is predictability. With a subscription-based service, you only pay for what you use. Required change to licensing is effortlessly scalable and opting for annual/multi-year terms over monthly will allow for discount pricing. High availability, redundancy, scalability, and Microsoft O365 support teams play an essential role in the value offered by cloud-based solutions.

On-premises (CapEX)

Employing the Capital Expenditure model and the deployment of on-premises infrastructure requires an investment of upfront hardware, software, and support resources. With on-premises, you will be responsible for procuring, configuring, and administrating Exchange servers and hardware, as well as acquiring server licensing and Client Access licenses (CALs). IT resources are required to manage and troubleshoot server infrastructure, including Active Directory (AD), firewalls, UTMs, and DNS, and the auditing, logging, and monitoring of Exchange data may require senior-level engineers. The installation or replacement of HVAC systems, UPS’s, generators, reliable internet connections, and hardware redundancies play a pivotal role in cost analysis.

With this in mind, moving away from a traditional CapEX model with the hidden maintenance costs and requirements to refresh the technology every 3 to 4 years that involves complex migration and potential downtime for the business, moving to a cloud-based email system gives one of the best ROIs for all cloud computing models.  In addition, with the way in which MS office and exchange licensing is moving to subscription-based models, the reticence to move to a monthly paid subscription service will soon become a moot point.


Given the rapid increase of cyber threats and the continual growth of TA groups, it is imperative we adopt strategies for securing email communication.

The term “No Auth, No Entry” is routinely used to describe an email that will not be delivered to a recipient unless properly authenticated. Modern authentication protocols, namely Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) embody the foundation of email security.

Without getting too technical, an SPF record is a TXT record created in DNS that contains allowable IP addresses to send email from your domain. Similarly, DKIM is a TXT record created in DNS that uses public keys to verify a message signature.

DMARC is the most recent adaptation for email authentication and provides both security and visibility for your organization. DMARC uses a published DNS TXT record for your domain. Tagging is used to determine what steps are taken for emails that fail DMARC authentication. The RUA and RUF tags are used for reporting. RUA is for aggregate reporting, while RUF is for forensic reporting. (Below is an example of a DMARC record)

(More information on DMARC can be found at www.dmarc.org and www.dmarcian.com)

With the assistance of SPF and DKIM, DMARC helps combat spoofing, phishing, and BEC. DMARC can exist without one of SPF or DKIM but it’s highly recommended to follow best practices and implement all three.

On-premises Exchange allows for the implementation of DKIM and DMARC. However, I have never personally deployed these security protocols for on-premises mail servers and have heard it’s a much more tedious process. The O365 Admin portal allows for simplified integration of these authentication methodologies.


Microsoft releases a new version of Exchange Server approximately every three years. Staying up to date with the latest state-of-the-art technology can be a daunting task for IT Administrators and internal IT staff alike. Office 365 seamlessly manages the upgrade for you, reducing downtime, and ensuring business continuity.


Display-name spoofing and lookalike domains are common techniques used by TAs to compromise systems. This can be avoided by carefully checking for any character errors.

  • Multi-factor Authentication – Enabling MFA in Office 365 is easily achieved and implemented. However, on-premises Exchange Servers require third-party tools such as Duo or PingFederate.
  • Review the use of legacy email protocols such as POP, IMAP, or SMTP which are easy targets for TAs and left vulnerable to compromise.
  • Prohibit automatic forwarding of email to external addresses
  • Utilize Hawk – An open-source Powershell module designed for Office 365 and Azure used for forensic analysis (https://cloudforensicator.com)
  • Education – Train end-users to be more resilient to BEC by implementing cybersecurity training programs and enrolling in phishing simulation campaigns. A human firewall plays a pertinent role in strengthening security posture by integrating a high level of awareness and identifying red flags.

*(This is not a sponsored article, and is based on our experience working with clients post-breach)

Knowledge Base

Digital Forensics, AKA eDiscovery, in a Cyber Security Context

Written by Thibault Dambrine and Laura Smith  Introduction When a cyber breach occurs, it is almost always accompanied by data...

Read More +

Incidentally Informed – Cyber coverage and incident response

During our webinar we discussed “cyber coverage and incident response”. Our Panelists Mikel Pearce – General ...

Read More +

Incidentally informed – compliance issues in ransomware claims and the pitfalls

During our webinar we discussed “compliance issues in ransomware claims and the pitfalls”. Our Panelists Mikel Pear...

Read More +
CyberClan CyberClan CyberClan CyberClan