When clients decide that it’s time to retire their aging, on-premise Exchange servers, questions often come up on where to go with their next Exchange server. With few exceptions, the answer is the cloud due to uptime requirements for email flow and minimal cost differences when comparing against traditional on-premise servers, but the question becomes which cloud. Microsoft is the market leader, with attractive, cost-effective licensing bundles in their 365 platform, but it is not always the right home depending on business needs and add-on costs. We help weigh those costs for our clients and make sure we help put them in the most ideal environment for their cloud-based email long term.
First, let’s talk security, since that tends to be the most hot-button IT topic these days. Microsoft’s cloud is public, and available anywhere. There is no ability to restrict access or block inbound mail based on geography or IP addresses. Many attacks target the platform due to this, with distributed login attempts originating from different physical and virtual locations until a username and password combination is found successfully. The platform does not have great alerting for these types of events, much less a good way to mitigate them. Even if users shouldn’t be logging in from outside the US, logins are still allowed from any country. Once an account is compromised, that user’s mailbox is under the attacker’s control. If the user happens to be an administrator, the entire company can be compromised, as a global administrator can access any email account, change passwords, delete accounts, and so on. The biggest security risk comes from administrative users that have the power to control the domain and potentially make major changes to mail flow and domain registrations.
Many of these risks can be mitigated very easily with a privately hosted Exchange server, as login access and mail flow can be restricted to certain geographies with administrative control panels being locked down even more specifically. If international travel is required, restrictions can be lifted temporarily. A privately hosted Exchange server almost completely negates the administrator risk, where we typically practice only allowing access from our offices, our data centers, and the specific client’s office IPs to administrative control panels. Domain control risk can be addressed by setting up an off-domain email account, which would work for Microsoft hosted and privately hosted Exchanges.
Another key difference is backups and email retention. Many people mistakenly think that because their email goes to the cloud, everything is being backed up, confusing backup and high availability. Microsoft and other cloud providers’ platforms are highly available, with multiple copies of live data in play, making outages extremely rare, but there is little to no retention on that live data. By default, Microsoft and many other publicly hosted Exchange email options only retain 14 days once items are deleted. This can be extended past 14 days, with Microsoft allowing this to be pushed out to 30 days if the default is altered, but this retention is extremely short in the business world. This means that if left unaltered, and a third-party backup or email archiving add-on is not purchased, then deleted email cannot be restored on day 15. Sometimes, email restoration has to occur because items were lost by accident; sometimes people misplace emails in large folder structures or archived files and can’t locate what they want; and in rare cases, users may try to purge trails with critical information for malicious reasons. Having the ability to restore in any of those events when business and liability are on the line is critical and needs to be thought through seriously.
While third-party backups mitigate the risk of retention loss, they also usually negate or exceed any cost savings obtained by using a public cloud option. In a privately hosted Exchange environment, backup retention policies can be tailored by you and your business needs. We typically retain at least six months of backup snapshots on email, but have clients with retention strategies exceeding ten years.
A secondary benefit to a privately hosted Exchange server is that our space is allocated by the total number of users, and not specific to each user. Where public models may give you 50 GB per user, we budget space at 50 GB per user without a hard limit. The overall storage pool can be consumed by users as needed, so one user may have 100 GB balanced by two others only using 25 GB of space, all three still hitting the same combined quota, giving our clients the flexibility to operate however they need for their desired workflow.
Hopefully these points can help you and your company think through the next location for your email server. If you have any questions, please do not hesitate to reach out to our team to help explain things further.
To our shared future success and helping to keep your company running efficiently,
The Computer St. Louis Service Delivery Team