Work has moved from local file servers to cloud

Associate
Joined
5 Aug 2006
Posts
992
Location
Kent, UK
Our IT dept has recently started transitioning our data storage from local file servers, which we used to access via VPN if we were not on-site, to MS SharePoint and OneDrive.
They claim it will be cheaper and easier to manage. However, what about security? I can see it could be cheaper and easier to manage by outsourcing most of the file storage work to MS, but now we don't need a VPN and can log in to access our data from any machine, isn't that a large security risk?
Previously, we could only access data off-site using a work supplied and controlled laptop, and logging in to the VPN.
 
Associate
Joined
25 Feb 2015
Posts
1,396
They should be able to deploy the same kind of controls if they want them.

If they've decided that all you need to access corporate files is a username and password, that does strike me as a bit odd.

It's not really a problem with cloud, it's more about how they've decided to secure the data and how they came to those decisions.
 
Soldato
Joined
13 Oct 2008
Posts
4,795
Location
SE London Born and Bred
I would be surprised if there wasn't some form of MFA or even Intune or Autopilot requirements coming into the situation as well. We have used SharePoint and OneDrive for years and haven't had an office since Covid so everybody works from work laptops or even their own desktops and mobile phones.

It's secure if set up correctly and makes life so much easier for the end user than having to rely on an outdated VPN access method.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,386
Seems to be the way a lot of businesses are going - we've moved so much to SharePoint in recent years at work and can do loads of stuff remotely. (MFA is enabled by default).
 
Associate
OP
Joined
5 Aug 2006
Posts
992
Location
Kent, UK
Thanks for your comments.
There is MFA, but currently it's only for logging into our laptops. However if I log into MS from another computer (e.g. my own) I don't need MFA.
I don't know what Intune or Autopilot or ZNTA are, but I don't think we have them.
 
Caporegime
Joined
18 Oct 2002
Posts
26,129
Sounds like it's Not Your Problem, though there is no reason why a VPN and a file server is inherently more secure, file servers over VPN are outdated technology that belongs in the past.

SharePoint can be set up to protect the files that are stored there, rather than just working on the basis that if you're connected to a file share that must mean you have the rights to be there. It doesn't sound like your employer is doing this part though.
 
Associate
OP
Joined
5 Aug 2006
Posts
992
Location
Kent, UK
Yeah, you're right, it's not my problem, and I won't worry about it any more. I was just wondering if they are doing the right thing. The process has caused significant disruption to my and many others' work for the best part of a week, and I'd be even more annoyed if the change is a bad idea.
 
Associate
Joined
25 Feb 2015
Posts
1,396
Yeah, you're right, it's not my problem, and I won't worry about it any more. I was just wondering if they are doing the right thing. The process has caused significant disruption to my and many others' work for the best part of a week, and I'd be even more annoyed if the change is a bad idea.
I do think it's daft not to use MFA for the MS login, if they've already set it up for computer logins. But in a lot of organisations they wouldn't appreciate someone providing that feedback who isn't part of the core IT / cyber team.
 
Soldato
Joined
13 Jul 2005
Posts
19,331
Location
Norfolk, South Scotland
I have seen the aftermath of a successfully hacked business and it wasn’t pretty. Fully three years after the hack they were still having IT issues because they were so paralysed with fear over it happening again.

I have no issue with anyone complaining if they think the IT policies are duff. It’s actually being a good corporate citizen.
 
Associate
OP
Joined
5 Aug 2006
Posts
992
Location
Kent, UK
I have seen the aftermath of a successfully hacked business and it wasn’t pretty. Fully three years after the hack they were still having IT issues because they were so paralysed with fear over it happening again.

I have no issue with anyone complaining if they think the IT policies are duff. It’s actually being a good corporate citizen.
I'll mention it to one of the IT team that I know fairly well, then leave him to raise it within the department.
 
Associate
Joined
27 Jan 2020
Posts
1,273
Location
West Sussex
We had something similar post-Covid where I worked. We always previously accessed local file servers via VPN and the few of us who worked from home pre-lockdowns would all work that way. It was great, really convenient and essentially mirrored how I worked in the office.

During lockdown everyone then was set up to access via VPN but the IT team essentially had said it was such a massive faff because it was just so archaic at this point. We moved to all remote/cloud-based servers and can now either access via our work laptops or, if we want, from our own desktop/laptop. Anything 'secure' is all within a separate remote workspace - so we can log in (with MFA) to access emails/calendars etc. but to access any of the ERP system we have to use a separate remote workspace (which has another level of MFA to it) and then work from that separate workspace.

MFA is enabled regardless of how you access though - so a little odd that it's not in place for you if accessing from a non-work provided machine. The main issue we had with implementing MFA was that not all staff had a work mobile and a fair amount were unwilling (somewhat understandably) to have an authenticator app from the company on their personal phone/device. Because the company mandated it had to be a particular authenticator app (vs. SMS / email MFA) it meant that they ended up buying a shed load of work mobiles for people.
 
Soldato
Joined
30 Dec 2013
Posts
6,303
Location
GPS signal not found. (11)
I wish we'd move on from file server over VPN. Trying to load CAD files and reports in the size of hundreds of megabytes when the connection is 3-5MB/s is painful and a waste of time.

I found out that the PDF viewer we use has a loading bar for searching, it takes that long.

I am on this forum at 10:07 because I am waiting for a file to open.
 
Caporegime
Joined
18 Oct 2002
Posts
26,129
I'd give people an OTP card rather than dealing with a work phone but it's absolutely right that there isn't an expectation that people use their personal phones for work purposes.
 
Soldato
Joined
30 Jan 2009
Posts
17,192
Location
Aquilonem Londinensi
With MFA I don't see it being higher or lower risk than local file storage.

I recall working for a place that had a VPN for remote desktop and banged on about security etc. The RD server was accessible without the VPN client, so nobody bothered with the MFA!
 
Associate
Joined
11 Dec 2006
Posts
1,040
I'd give people an OTP card rather than dealing with a work phone but it's absolutely right that there isn't an expectation that people use their personal phones for work purposes.

My wife's employer pressured all employees to use an authentication app the day they enabled it and most don't have work mobiles. The moment she got home I removed the app as it tracks location, IP, WiFi details, local devices and many other details from the phone and it's one of the phones on my account as well.

The next day I phoned their IT department and they thought I was being unreasonable, but when I explained this to the boss it got fixed.
 
Associate
OP
Joined
5 Aug 2006
Posts
992
Location
Kent, UK
I wish we'd move on from file server over VPN. Trying to load CAD files and reports in the size of hundreds of megabytes when the connection is 3-5MB/s is painful and a waste of time.

I found out that the PDF viewer we use has a loading bar for searching, it takes that long.

I am on this forum at 10:07 because I am waiting for a file to open.
I know what that's like! That's what it was like for me.
Now I just have to wait for ages while OneDrive crashes / fails to sync / syncs hundreds of thousands of files. I don't know what's happening with MS OneDrive but since we moved everything over to it and SharePoint we've had non-stop syncing and access issues.
 
Associate
OP
Joined
5 Aug 2006
Posts
992
Location
Kent, UK
My wife's employer pressured all employees to use an authentication app the day they enabled it and most don't have work mobiles. The moment she got home I removed the app as it tracks location, IP, WiFi details, local devices and many other details from the phone and it's one of the phones on my account as well.

The next day I phoned their IT department and they thought I was being unreasonable, but when I explained this to the boss it got fixed.
We've got MFA to log into our laptops, and have to use Duo.
Anyone know if Duo tracks stuff?
 