SMB resources on the move
-
This post is very interesting.
The scenario that you are drawing for a small business of 10-30 people is something like that: a file sync layer (like Dropbox for Business) that replicates everything locally, eventually on big'n'cheap SSDs (compared to costly enterprise storage), so remote offices wouldn't be a problem. This way, it is possible to leverage all the power of modern hardware (even a Core i3 of the latest gen has plenty of power), without the hassle and the big upfront investment of physical servers, thin clients, storage etc. Every other service that cannot be served in a SaaS way can, of course, be hosted in an IaaS (I'm thinking about the typical Windows-based ERP) and connected via a router to the local network.
So, the shopping cart to start a full-fledged IT infrastructure in an SMB should be composed of just switches, a router with VPN capabilities (EdgeRouter ER-8?), desktops with big SSDs (AMT - vPro) and a bunch of services like AWS, Office 365, Dropbox for Business etc.
Maybe 1000-1200€ per seat (every 4 years) plus 30-40€/month/user… not bad, considering that one of the SMBs in which I work bought upfront 70000€ of servers/storage/VMware/Windows Server tl… I'm afraid, with less performance and reliability. -
@BBigford said in SMB resources on the move:
I was driving home from work last night, thinking about how to better serve the SMB market. More on the side of micro businesses under 20 people. A few questions I was processing and expanding on:
-
Do they really need servers? You could buy a simple NAS, or use a cloud storage provider like OneDrive for Business, Dropbox for Business, etc.
-
Do they need a domain? If so, they could use something like Azure AD.
-
Do they need central email? If they don't need central email like Exchange but want their email to appear like a business email with their domain, whoever is hosting their domain usually provides email services at an extra cost.
What are your thoughts on some of those displacements? Thinking about this from, say, an MSP perspective. Not in-house IT. I'm thinking of how to better serve those micro businesses so as not to remain in the stagnant mindset of "you will have on-premises servers for file servers, AD, and Exchange."
TLDR
The single most important thing to keep in mind should be the clients' data privacy requirements. There are lots of businesses like advocates, doctors or research companies which just don't want or flat-out can't store data or credentials in the "cloud".
No matter what the vendor says, you can't audit their systems and processes in any way to be sure about the privacy of the data. And even if the vendor guarantees total privacy, what about a hack? Just a small security hole may leave tens of thousands of customers (read: SMBs) with their pants down.
-
-
@thwr Normally I would agree with you, but I've been listening to @scottalanmiller a lot - perhaps too much.
His argument is that big players like AWS and Microsoft (Azure) can provide significantly better resources and management of breaches etc.
I'll agree that most SMBs don't have the manpower or dollars to spend on internal resources to check logs for access let alone be ensured of no breaches compared to larger companies like MS and Amazon.
This is the same logic that @scottalanmiller applies to why you shouldn't run email yourself. The scale, etc. just makes them more suited to providing the best experience for this. When considering if an SMB should do this in-house versus in the cloud, well of course it depends on the cloud provider, but it seems like the cloud should be the way to go.
I understand the belief that SMBs think they need all the controls in the world, but do they really have them if they have them in house? In the American clinical world (non-hospital), they don't employ anywhere near the resources that the likes of MS and Amazon do in protecting their networks.
The belief that a larger company makes them a larger target, well sure that's true, but just being a little fish doesn't protect them - the tools of hackers are mostly automated today. They don't care if they are stealing $1 or millions, 1 health record or 100 thousand.
-
I'll agree that most SMBs don't have the manpower or dollars to spend on internal resources to check logs for access
No one does that anyway. It's automated and notifications are sent out based on keywords.
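The post above describes log review as automated, with notifications driven by keywords. The following is an added example (not code from the thread or any product it mentions) of what that automation looks like at its simplest: a scanner that raises immediate notifications on a small keyword list and a thresholded alert for repeated failed logins from one source, run over constructed auth-log style lines. The log lines, keywords, threshold and window are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, modelled on sshd/sudo auth.log entries.
# Addresses are from documentation ranges; nothing here is a real host.
SAMPLE_LOG = """\
2016-03-14T09:00:01 host1 sshd[2100]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2016-03-14T09:00:03 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2016-03-14T09:00:05 host1 sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
2016-03-14T09:00:07 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51003 ssh2
2016-03-14T09:00:09 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51004 ssh2
2016-03-14T09:01:00 host1 sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
2016-03-14T09:02:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
2016-03-14T09:03:00 host1 sshd[2120]: Failed password for bob from 198.51.100.21 port 40001 ssh2
2016-03-14T09:05:00 host1 sshd[2121]: Accepted password for bob from 198.51.100.21 port 40002 ssh2
"""

# Keyword rules: a single hit on any of these is worth a notification on its own.
# (Assumed policy: key-only SSH logins, so a password login is noteworthy.)
IMMEDIATE_KEYWORDS = {
    "sudo:": "privilege escalation via sudo",
    "Accepted password": "password-based login on a key-only host",
}

# Structured rule: repeated failed logins from one source within a short window.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def scan(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return a list of (severity, message) notifications for the given log text.

    - Any line containing an IMMEDIATE_KEYWORDS entry yields an "info" notification.
    - `threshold` failed logins from one IP within `window` yields one "high" alert
      for that IP (a sliding window over the sorted timestamps).
    """
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of failed logins

    for line in log_text.splitlines():
        for keyword, reason in IMMEDIATE_KEYWORDS.items():
            if keyword in line:
                alerts.append(("info", f"{reason}: {line}"))
        match = FAILED_RE.match(line)
        if match:
            failures[match["ip"]].append(parse_ts(match["ts"]))

    for ip, stamps in failures.items():
        stamps.sort()
        # Check every run of `threshold` consecutive failures; alert once per IP.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append(("high", f"{len(stamps)} failed logins from {ip} within {window}"))
                break
    return alerts


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the constructed input this produces two "info" notifications (the sudo use and bob's password login) and one "high" alert for 203.0.113.7; bob's single failure stays below the threshold, which is the point of thresholding rather than alerting on every failed login keyword.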
-
@thwr said in SMB resources on the move:
The single most important thing to keep in mind should be the clients data privacy requirements. There are lots of business like advocates, doctors or research companies which just don't want or flat-out can't store data or credentials in the "cloud".
That's conflicting needs, though. If your top concern is privacy, then you listen to someone who doesn't care about security for personal emotional reasons, you have a conflict to deal with. Cloud is the most secure option (with obvious territorial limits.) So if security and privacy are of concern, you have to override the emotional pleas of the doctors who want the appearance of control over the reality of security.
There are regulations that counteract security needs that stop you from doing whatever it takes to be cost effective and/or secure. That's a different concern. But security needs push you to the cloud. The most secure organizations in the world look to cloud computing as a means of increasing security.
-
@thwr said in SMB resources on the move:
No matter what the vendor says, you can't audit their systems and processes in any way to be sure about the privacy of the data. And even if the vendor guarantees total privacy, what about a hack? Just a small security hole may leave tens of thousands of customers (read: SMBs) with their pants down.
That's sort of true, but it's incorrect thinking. It's the security equivalent to looking at "how many drives can fail in my RAID array" rather than asking "how reliable is the array?" By worrying about auditing, for example, we are immediately looking at paper pushing instead of the reality of security. No matter how little you can audit Amazon, they are more secure than any SMB, ever. Would it be nice to audit them? Sure. Is it required for them to be more secure, nope. Auditing doesn't make something secure. In fact, as PCI companies show over and over, auditing might actually make something insecure. Just like ITIL can be the cause, rather than the cure, to business workflows.
Basically, we get caught thinking that the means matter, rather than the ends. Or we are looking at proximates instead of goals.
No matter what the vendor says, you can't audit them. But no matter what you do with an SMB, you can't get them as secure. So which is better, not auditing but getting better security? Or auditing and getting worse security.
Depends... is your goal politics, or results?
-
@Francesco-Provino said in SMB resources on the move:
So, the shopping cart to start a full-fledged IT infrastructure in SMB should be composed of just switches, a router with vpn capabilities (edgerouter er8?), desktops with big ssd (AMT - vPro) and a bunch of services like AWS, office 365, dropbox for business etc.
Normally just a few services. But other than that, yes. Most SMBs need to own basically nothing other than the necessary physical infrastructure to supply the end user experience. Physical cable, switches, firewall, desktops. That's it.
VPN... nope, that's old style thinking. VPNs have lots of good uses, but in a greenfield scenario? Almost never. That's a legacy vestige in most cases. Think simpler.
And many SMBs, maybe most, need zero servers of their own. No AWS at all. And solutions like O365 cover what Dropbox does. So often you only need one of those.
-
For really core SMB functions, you might have something like this:
- Productivity, Email and Storage Suite: O365 or Google Apps or Zoho Suite
- Accounting: Xero, WaveApp, etc.
- One industry specific SaaS application for their unique industry.
In a lot of cases, that's all you would have. Just three SaaS products. As companies get bigger, that gets less and less common. But for a greenfield SMB... three things is often all that is needed. No VPN, no AD, no servers, no storage... just three SaaS apps and some office physical infrastructure.
Move to "work from home" modern models and even the office switches, cabling and desktops vanish.
-
@scottalanmiller how is O365 comparable to Dropbox for Business? I'm very curious about that because I'm going to switch a company to D4B and I want to make a comprehensive evaluation of the alternatives…
About the VPN, I was thinking about the connection between the cloud provider and the LANs, nothing more!
-
@scottalanmiller I think that sometimes AWS or other public clouds are the way to go, because often the ERP or CRM are old-style Windows applications that are available only for on-premise deployments.
-
@Francesco-Provino said in SMB resources on the move:
@scottalanmiller how is O365 comparable to Dropbox for Business?
Pretty similar. O365 is a suite, so we have to compare the individual pieces. O365 offers two storage systems: Sharepoint and OneDrive for Business.
SharePoint is not like DropBox, but is a great system on its own. OneDrive for Business is much like DropBox and probably isn't as good, but is pretty good. We use ODfB as our main storage system and it is quite effective. Its full integration into O365 is the big winner. The entire suite operates as a single entity, making it really feel like you are inside a polished company portal.
And O365 adds tools like Delve to make ODfB more powerful as well.
-
@Francesco-Provino said in SMB resources on the move:
About the VPN, I was thinking about the connection between the cloud provider and the LANs, nothing more!
I know what you were thinking. And that's unneeded in the type of system that I propose. No reason for there to be a LAN at all, or nothing thought of as the LAN, and nothing in the cloud that would need to connect to the LAN or extend it. That's LAN thinking and in most cases for greenfield deployments can be (and should be) left in the dust.
-
Brownfield... we will see VPNs as a necessity for a long time to come.
-
@Francesco-Provino said in SMB resources on the move:
@scottalanmiller I think that sometimes AWS or other public clouds are the way to go, because often the ERP or CRM are old-style Windows applications that are available only for on-premise deployments.
That's a halfway approach. There are basically three ways to handle these kinds of systems:
- On Premises / Legacy where you run your own server and put the software on the LAN
- IaaS like you propose here. Taking the legacy system and just moving it to AWS or the like. This is a bandaid. It's generally an improvement, but only barely and often not cost effective.
- SaaS. The real solution. No reason to run your own infrastructure, let the vendor do it.
MS CRM, for example, has been available as SaaS for years. It's part of Office 365 already. Fully integrates with all of the rest of the suite.
-
@Francesco-Provino said in SMB resources on the move:
I'm very curious about that because I'm going to switch a company to D4B and I want to make a comprehensive evaluation of the alternatives…
There are lots of competitors these days. Google Drive gets a lot of attention, too. And there is Box. And you can get ownCloud hosted by Datto. And there is SmartFile. And you can run your own with NextCloud and others. So many options.
-
@scottalanmiller said in SMB resources on the move:
@thwr said in SMB resources on the move:
No matter what the vendor says, you can't audit their systems and processes in any way to be sure about the privacy of the data. And even if the vendor guarantees total privacy, what about a hack? Just a small security hole may leave tens of thousands of customers (read: SMBs) with their pants down.
That's sort of true, but it's incorrect thinking. It's the security equivalent to looking at "how many drives can fail in my RAID array" rather than asking "how reliable is the array?" By worrying about auditing, for example, we are immediately looking at paper pushing instead of the reality of security. No matter how little you can audit Amazon, they are more secure than any SMB, ever. Would it be nice to audit them? Sure. Is it required for them to be more secure, nope. Auditing doesn't make something secure. In fact, as PCI companies show over and over, auditing might actually make something insecure. Just like ITIL can be the cause, rather than the cure, to business workflows.
Basically, we get caught thinking that the means matter, rather than the ends. Or we are looking at proximates instead of goals.
No matter what the vendor says, you can't audit them. But no matter what you do with an SMB, you can't get them as secure. So which is better, not auditing but getting better security? Or auditing and getting worse security.
Depends... is your goal politics, or results?
@scottalanmiller: I can understand (and partly agree with) your point. From a (pure) technical point of view, everything cloud would be better for a lot of factors like reliability (given a fast and redundant uplink), security, energy consumption, zero server-side hardware costs and so on. That's not even a question IMHO. I totally agree with you that a small IT department can't get you the same level of security, how to say, not the level a whole security division at Amazon or MS Azure will give you. On the other hand, great danger may occur when someone finally hacks one of the cloud platforms. The question is not if, but when. And in this case, all your customers' credentials, construction plans, research results, medical files, internal financial data, marketing strategies, generally confidential material etc. may be in danger.
-
@thwr said in SMB resources on the move:
On the other hand, great danger may occur when someone finally hacks one of the cloud platforms. The question is not if, but when. And in this case, all your customers' credentials, construction plans, research results, medical files, internal financial data, marketing strategies, generally confidential material etc. may be in danger.
Not really, this is an illusion. This only seems worse because it is a shared platform. The fact that the breach itself would be worse is irrelevant to the individual businesses. That it would be worse to the provider and to the news media is true, but doesn't matter to us as IT pros or to the businesses we represent. Consider these two scenarios:
- SMB has all data on premises. SMB gets hacked, all data exposed.
- SMB has all data at cloud provider. Cloud provider gets hacked, all data exposed.
There are two enormous reasons why this means that going to the cloud is better. First, the chances that #1 will happen are vastly higher than #2. The first happens all the time, the second has never happened yet. Nearly every SMB gets hacked as it is. So reducing the chances of getting hacked with the same exposure risk when hacked is a no-brainer win.
The second factor is that in the case of #1, when a breach occurs, it is purely the SMB's fault. They used hubris and emotion to make a security judgement call and lost. That's not something that they could defend easily in court, to customers, to investors, etc. Basically they took a risk and bet against known security principles and did what is known to increase their risk. But if #2 happens they get to show that at least they did the best job that they could, used logic, statistics and industry security knowledge to reduce risk as much as possible AND they have someone else who is at fault to blame.
Lower risk, lower impact in case of a breach. It's pure win from a security perspective.
-
SMB has all data on premises. SMB gets hacked, all data exposed.
SMB has all data at cloud provider. Cloud provider gets hacked, all data exposed.
But to his point, for the first scenario you were the target and they got your data. For the second scenario you might not have been the target and they still got your data.
-
The first happens all the time, the second has never happened yet
Not really a good argument. There are millions of businesses and a handful of cloud providers.
Didn't we have a discussion previously about a PaaS that had been hit by crypto because they were using Windows does servers on the back end? For reasons like this I agree with some auditing if done correctly.
-
We have a few audits and I'm fine with that as long as it's not a check box scenario. I totally understand that people want to know that we meet certain requirements.