Network Security - UTM
-
@Dashrender said:
getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.
Why not great?
-
@Dashrender said:
While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares
Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.
So not a situation to be concerned about.
-
@scottalanmiller said:
@Dashrender said:
While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares
Once they do that, they are past the point of there being anything we can do. That means that we will be infected, without us being involved, from the Internet and none of the security or blocks that you put in place matter.
So not a situation to be concerned about.
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
So you're right, from that point - OwnCloud, SharePoint, etc all we can do it restore from that point.
-
@Dashrender said:
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.
-
OK what abut from a PCI/Data protection standpoint.
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
-
@scottalanmiller said:
@Dashrender said:
This is why not great - because it's not a full on solution. That was all I was getting at - it's not a full solution, as there can't be as long as users have access.
Great and perfect are not synonymous. It seems like a pretty great solution to me... make everything as secure as the outside connection. It's as full of a solution as there can be. Nothing is perfect, but many things are great.
I give ya that
-
@hobbit666 said:
OK what abut from a PCI/Data protection standpoint.
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
Then the best security would be the best, right? The best is always the best.
-
@hobbit666 said:
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
That depends, does "securing" that resource make the security better or worse? Often it makes it worse.
-
@hobbit666 said:
OK what abut from a PCI/Data protection standpoint.
Shouldn't we be doing everything we can to secure all ways into the network no matter how remote the chance a hacker will try is?
You can, by not trusting the local network at all.. not making it important in any way.
What I mean is no more file shares that are just open, logons for anything that is accessed.
Basically treat your local network as if it's the internet, and then you don't have to worry about it as much.
I think you can still use Active Directory in a setup like this.
-
@hobbit666 Did someone say PCI? Hold everything!
What level of PCI compliance are you working towards? Or has the goal not been set yet?
-
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
-
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead through a sync client just dumped into the filesystem.
-
@Dashrender said:
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead through a sync client just dumped into the filesystem.
Entirely possible, but not likely a default setup for someone using ownCloud (or any other solution) in replacement of foldershares.
-
@JaredBusch said:
@Dashrender said:
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead through a sync client just dumped into the filesystem.
Entirely possible, but not likely a default setup for someone using ownCloud (or any other solution) in replacement of foldershares.
Really? For folder shares? I don't know anyone who by default syncs folder shares (a network share used by many people) to their local system. Sure it's possible, and I know JB has the situation where his techs need to maintain copies of their technical manuals while offline, but would you call that common?
-
Now if you tell me that they are moving from a person shared drive (say a typical U: drive or redirected folders) or something like DropBox, then I would agree, moving to OwnCloud from those things, I would expect a sync client to be completely common.
-
@Dashrender said:
@JaredBusch said:
@Dashrender said:
@JaredBusch said:
ownCloud does not protect you from Crypto, because the file will be encrypted locally and then synced up to the server and back down to everyone that has access to it.
One huge reason why offline sync clients are a bad thing.
Perhaps a needed thing, but still a bad solution.
It might be better if the files could be saved in a webapp instead through a sync client just dumped into the filesystem.
Entirely possible, but not likely a default setup for someone using ownCloud (or any other solution) in replacement of foldershares.
Really? For folder shares? I don't know anyone who by default syncs folder shares (a network share used by many people) to their local system. Sure it's possible, and I know JB has the situation where his techs need to maintain copies of their technical manuals while offline, but would you call that common?
Yes, because they expect the files to be available. We are discussing this form the point of veiw of replacing shares on a LAN. You would add a LOT of steps to these users to access files before they can open them. Users would quickly start using local files and emailing copies around.
-
While I agree that using OwnCloud/SharePoint, etc through a web portal is many more steps... without those steps... you're really no better off than you are with standard file shares, other than possibly a better sync engine.
You're just as much at risk for crypoware as you are with traditional file shares.
So Scott tells me - the reason you aren't (at least when it comes to SharePoint) is because you stop opening the shares themselves - be they SharePoint or OwnCloud, instead you open the app which has a plug in that gives you direct access to the storage, making it easier for the end user.
While I personally almost never open Word to go and find a Word document (Instead I open Explorer, go to my network location and double click on the file in question, when then launched the correct application). Assuming I know the correct application for the file I'm search for, It would be a tiny bit faster for me to search for the file from within the application itself.
Also, by using the application, you pull the user one step further from the storage because hopefully the default location for storing things is your storage solution, so it's not really a question of where to find things for them.
-
@Dashrender said:
While I agree that using OwnCloud/SharePoint, etc through a web portal is many more steps... without those steps... you're really no better off than you are with standard file shares, other than possibly a better sync engine.
You're just as much at risk for crypoware as you are with traditional file shares.
So Scott tells me - the reason you aren't (at least when it comes to SharePoint) is because you stop opening the shares themselves - be they SharePoint or OwnCloud, instead you open the app which has a plug in that gives you direct access to the storage, making it easier for the end user.
While I personally almost never open Word to go and find a Word document (Instead I open Explorer, go to my network location and double click on the file in question, when then launched the correct application). Assuming I know the correct application for the file I'm search for, It would be a tiny bit faster for me to search for the file from within the application itself.
Also, by using the application, you pull the user one step further from the storage because hopefully the default location for storing things is your storage solution, so it's not really a question of where to find things for them.
If you stay in the MS world, you can use OD/ODfB/SP via Word and Excel directly form the open dialog without needing the files synced locally.
ownCLoud does have webdav connectivity so it is entirely possible that something could be done, but I have never looked into it.
-
Right, and MS is adding more cloud providers to the list. I heard last week that Dropbox and Box were both being added to O365 for storage options, just like OD or ODfB currently are.
-
@Breffni-Potter said:
@hobbit666 Did someone say PCI? Hold everything!
What level of PCI compliance are you working towards? Or has the goal not been set yet?
No idea its a "buzz" word i've been hearing from meetings that i've not been attending. Most coming from the Credit Control dept and our CRM person