The cloud has seen a HUGE amount of uptake from companies struggling to find ways to stay productive. "In-Premises" environments have transitioned to less active usage or have been slated for migration to cloud based alternatives.
As a consultant, this has given me the opportunity to work with a lot of customers lately to work on these changes and I have learned a few lessons.
- Transitioning to the cloud quickly was a necessity for many, but there are bunch of skipped steps that need to be looked a, starting with Governance.
- If your On-premises systems are still active, you may want to spend even MORE time monitoring them.
- The Cloud is not less secure, bit it is different.
To demonstrate the importance of circling back to the skipped step of Governance, I call upon a few of my colleagues at PAIT Group and their respective resources.
First up is my compatriot, Richard Calderon, who goes beyond stating the obvious about governance in MS Team (ensuring seamless access to information). He points out 4 Key Factors for successful Microsoft Teams Governance in a recent webinar.
- Striking a Balance
- The Governance Process
- Content Lifecycle
- Communication & Training
Next up is, Allie Roney, who draws attention to the Real-World lessons learned from KPMG. For those who do not recall KPMG had 145,000 of their global user personal Teams chats deleted. Now who wants to be in those shoes, Noone. Allie walks thru the process of what happened and how not to repeat it.
Both of these articles I post here not just for the excellent content and guidance, but also to point out that unless you are pretty much sick of the word "Governance" you probably haven't considered it enough as you transition content to the cloud.
PAIT Group's fearless leader, Stephanie Donahue, wrote You mother doesn't work here! ( A governance intervention) a few years ago. while it doesn't touch on the urgency we are feeling today around cloud migrations, it is 100% relevant and makes excellent points on organizing content.
I could keep going on and on with our super hits about governance, but hopefully you get the point. Despite everything needing to be done right now, governance is something that can speed up your implementations and make it more successful.
The Cloud blah blah blah blah. CLOUD! Blah, blah, blah, someone else’s server. Blah, cloud.
Did we forget anything? Oh wait, all those systems we left in place as we were worrying about the cloud!
Microsoft has extended the end-of-life for SharePoint 2010 to April of 2021, when it was slated to end October 13th, so that gave a few organizations time to catch their breath, but 2020 is a BIG year for end of support dates. A few examples,
End of Support
- Hyper-V Server 2008
- Hyper-V Server 2008 R2
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Internet Explorer 10
- Office 2010 (all editions)
- Office 2016 for Mac (all editions)
Moving to extended support
- Exchange Server 2016
- Most versions of Office 2016 for PCs
That’s not to mention that any version of SQL server before 2012 Service Pack 4 is already out of support. Any version of SQL server 2014 that is not patched to at least Service Pack 3 is out of support, and SQL server 2016 needs to be at least at Service Pack 2 to be supported. So yes, SharePoint 2010 has a few months left, but unless you have been on top of your patching your SQL servers may already be out of date.
The problem with all of this, is that while lots of customers have been trying to quickly move to the cloud, maintenance and upgrades to on-prem systems may have suffered. There have seen some upticks in bad actors attacking on-prem infrastructure, precisely because they know it is often less maintained. Even though you may be using these environments less, they still contain a lot of crucial data, and need to be closely monitored until you can get the content into more supported systems. You know, in all that spare time you have while you are madly getting things set up in the cloud.
What can you do about it?
Move the content that people need to work with day-to-day to newer, more sustainable, systems. Many organizations have contractual, legal, or certification related obligations that require content to be in supported systems. There are no magical shortcuts to make that possible, but doing a “dump” into new systems is more likely to cause issues down the road. That doesn’t mean there is nothing you can do to accelerate your project.
Separate Content and Function (where you can)
If you have a complex process with detailed approval and routing for incoming content, that needs to be replicated in a supported system quickly to keep the work moving. If content that has gone through that process ends up in storage with just a few pieces of static metadata (customer, contract number, closing agent name, that sort of thing) maybe you can target that as a more “mass” move into an archival location. This strategy allows you to focus on the hard part, functionality, first.
As soon as you get your process up and running for incoming content, move day to day work to the new system. Curtail general access to the content that is falling out of support as much as possible. It may be inconvenient to retrieve content for the users, but it is one of the best ways to be aware of what needs to be prioritized for integration with the newer systems. Set the aging systems to read-only where possible. Ransomware has been big lately, and what the users can’t change, the ransomware often cannot either.
If you are telling yourself that you will sort the content later, because you have to move quickly, consider there is often a new emergency that will prevent you from doing so. That “quick” move will sometimes wipe out exactly the kinds of metadata you will need to organize things later. Having the structure in place will make arranging the incoming content much easier. If you plan the structure you are moving content into, you have gone a long way toward planning how to move the content. This is a good point at which to engage experts. People who understand the best practices of your newer environment can advise you on any changes of which you may not have been aware. If you visited those governance links above, some of this may sound familiar.
As a quick example, if you have SharePoint 2010 or 2013, you may not be aware that Microsoft has strongly de-emphasized sub-sites in the new versions of SharePoint. The new recommendation is to keep a “flat” structure as much as possible. For more information about that and other things you may be doing to make your life harder, check out this advice from some experts 5 Things You Are Doing That Challenges Your Office 365 Deployment.
I know it may be a little obvious. My perspective is possibly a little skewed by what I do day to day, but I am frankly horrified by how many organizations don’t keep backups in a way that even pretends to make sense. From organizations that think nightly VM snapshots are the best way of backing up literally everything, to groups that backup all their SQL databases twice a week to… the same drive volume the active databases are on. Give your backup strategies a review. VM snapshots are a good thing, but they can’t save you from every problem. If your content isn’t being backed up to the cloud, plan for some sort of “offsite” storage in case your physical location suffers damage or loss of some kind.
The sneaky thing about this is that content backups of an unsupported system are not only supported, they are encouraged! If you get your current “working content” into a new system, a good backup can give you much more time to work out the migration of older content into it. That time may even bring some people to the understanding that all of the content they assumed they needed in the new environment is just stuff they need to keep for legal and audit reasons. Maybe it isn’t needed in the active systems at all.
As many of our clients move to the cloud, there has been a recurring set of questions that pop up around security. If your organization has spent much of its “post internet” existence working in a local network, the cloud can look like a pretty scary place. Many of our customers have moved content and processes to Microsoft 365 because they already had it in their future, so they just accelerated with so many people working from home. That made perfect sense and it kept a lot of organizations productive during the disruptions. Unfortunately, many organizations didn’t have the time to re-evaluate their security practices to take the cloud into account. As a “quick fix” some have taken to limiting the IP addresses from which people are able to get to the tenant and forced everything back over their VPN into the internal network they have maintained for some time with its familiar security protections.
That approach is viable for small organizations and organizations that planned from the start to have all of their staff working from remote locations, but some problems appear when you start moving the traffic for hundreds of workers through a VPN that was meant to support a dozen salespeople. Most VPN’s are configured as Forced-tunnel VPNs that force all traffic through the connected network or Split-Tunnel VPN. Traditionally, Split tunnel VPN is seen as only routing traffic through the VPN when the destination (your mail server, you file server, etc.) is inside of your organization’s network. All other traffic, web browsing, your shared printer, etc. routes through your local network and out through your internet connection without passing through the VPN. Split tunnel is usually preferred by users because it is faster, and less disruptive to things like home networking. From a security standpoint Split-tunnel can be quite the headache for admins. With a Forced-tunnel VPN your organization can prevent you from downloading software from known malware sites. If your machine were to be infected with malware while not on the VPN, they would be able to see what ports and addresses the malware is trying to connect to while you are on the VPN and flag it as suspicious. Forced-tunnel is often the fallback for more security focused organizations. With so many more people working from home, full forced tunnel VPN, that was always sub-optimal for heavily cloud focused workloads, becomes even more cumbersome.
Luckily most Forced-tunnel/Split-tunnel discussions are not looking at how these technologies really work. Most modern VPNs are capable of being selective. You aren’t stuck with “all or nothing” scenarios. Your “forced-tunnel” can allow specific traffic to go through the local internet connection, and force other traffic to go through the VPN no matter where the destination is. As an example, you would probably never use, you could set the VPN to force connections to Google.com through the VPN, while allowing traffic straight from the user’s machine through their internet connection to Bing.com without passing through the organization’s network.
Why does this matter? Since March of 2020, VPN usage has gone up over 100%, straining the infrastructure of many organizations. On top of the number of users, the adoption of cloud services and remote meeting technologies has greatly increased. Forcing so much video, voice, and large document traffic over the VPN means that even with the same number of users many VPNs are carrying several times the amount of traffic they were designed for. Microsoft has published a lot of material about how to implement more selective split tunnel VPN solutions. They have published Office 365 URLs and IP address ranges to give organizations information about which IP ranges and URLs to exempt from forced tunnels, increasing the performance of things like Teams video conferencing, Windows, and Office Updates. Even many vendors such as Citrix have begun to publish their advice for configuring their products to work better with Office365. Organizations owe it to themselves and their users to explore these options. Carefully planned exceptions for VPNs is a great alternative to forcing users to deal with poor performance or spending huge amounts of money to expand VPN capacity without any real security benefit.
Cloud security is different, but it isn’t by nature less secure. Some vendors have done more work on security than others of course but Microsoft has put together a very broad set of tools to help manage possible issues.
Top Security Threats:
- Leaked Credentials -Threat Protection Policies, Integrated Multi-Factor Authentication
- Phishing- Phishing Attack
- Malware - Microsoft Defender for Office 365
- Suspicious Sign-in and Mail Activity - Anomaly detection policies
- SPAM-Transport Rules for Exchange Mail
As you can see from that small sample, you have several tools at your disposal. They may not be the same tools you have been using in your environments for some time, but in some cases, they are backed by Microsoft’s own security teams and Artificial Intelligence initiatives to stay up-to-date and deal with threats as they change. We are moving from a place where all of our data can be kept safely behind a wall, to a world where data has to be moved around between locations and partners in a way where, as much as possible, we know who is looking at it and why. PAIT Group offers services to help review and adapt your online security. Microsoft delivers new tools seemingly every week. Even some of the vendors you may have used in the past like Cisco, Citrix, and SonicWall have developed tools or tutorials specifically for Office 365. We live in interesting times and there is a lot of adapting to do, but at least we are all in this together. Let us know how we can help.