Extending the perimeter – thoughts on establishing Collaboration in cloud vs on-premise

Understanding the file sharing collaborative products available from Microsoft

We tend to split file sharing and collaboration into 2 categories, real-time and non-real-time.

Microsoft’s core real-time tool is Lync, which is available both online and on premise. Lync users are able to message each other, see people’s availability via real-time presence linked to their Exchange Server calendar, and elevate discussions from text to voice over IP with supporting video and/or screen sharing. Lync is a great tool for meetings, team briefings and small groups working together on activities in real-time.

For off-line use the traditional way would be to store documents on file servers and, due to the limitations of file servers, distribute documents and other content that needs to be worked on or approved via email. The new approach utilises a combination of SharePoint and OneDrive for Business (which actually also uses SharePoint under the hood). SharePoint allows Microsoft Office documents and other types of file to be stored in libraries and worked on by multiple users at the same time. Some key features include genuine multi-author editing in many cases (up to 16 authors can have the same Word document open for editing simultaneously); support for sophisticated metadata including document status (e.g. draft, awaiting review, published, expired); version control and approvals; and the ability to send a link to the document via email without sending the whole document. Collaboration extends to other kinds of content, such as lists of information rather than documents, and can include other things such as shared calendars, tasks and more.

Generally, SharePoint is used for formal corporate collaboration, internal processes and team collaboration. It is possible to include an extranet solution within SharePoint to allow collaboration with people outside the organisation. Recommended best practice is for this to be a separate set of sites within a separate site collection. For this to work with an on premise SharePoint farm there needs to be a route to the SharePoint environment from the Internet through the organisation’s firewalls.

OneDrive for Business can be used to support collaboration with external parties or for informal collaboration activities and is a cloud solution only.

The other core collaboration technology, in our opinion, is OneNote. Our best practice recommendation is to have multiple OneNote notebooks, and to store these in SharePoint or OneDrive. We find that one notebook per collaboration site works very well and provides a real-time information capture, note taking and semi-structured knowledge capture tool.

Understanding the ease of deployment of an internal HyperV cloud based solution

Although organisations talk about internal clouds or private clouds, the reality is that the cloud benefits don’t really manifest themselves until organisations have large farms running where the individual HyperV servers can take on or switch roles according to the load on the farm as a whole. We rarely see this for farms under about 12 servers, which is substantially more infrastructure than is required for this kind of deployment.

Nevertheless, installing SharePoint on-site requires a considerable amount of investment. Key steps are:

  • design farm architecture
  • provision Windows servers on HyperV
  • source SharePoint Server licenses
  • install SharePoint Server on HyperV servers
  • configure SharePoint server instances, including permissions, site collections, templates etc.
  • source SharePoint Client Access Licenses and allocate

Only the last 2 items would be required using the Office 365 platform.

Once installed, an on premise farm requires around 20% of an FTE to provide ongoing admin for the farm and the application.

Understanding the security functionality / configurability in the HyperV cloud solution vs the Office 365 cloud options

SharePoint security is a massive discussion in its own right. The summary version is as follows:

SharePoint maintains a sophisticated internal security model that provides granular access based on permission groups (which may be tied to or interact with Active Directory groups), supports security trimming (which prevents users seeing any content to which they have no access) and assigns different rights (such as view, edit, approve) to different roles and allows different roles to be assigned to different artefacts (sites, lists, libraries etc.) throughout the application.
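The permission model described above is only as good as the role assignments actually in place, so the first check a farm administrator wants is a list of where inheritance has been broken and who holds what there. The following PowerShell is an added example, not code from the original post or from Microsoft: it walks an on-premises farm with the server-side object model cmdlets (run from the SharePoint Management Shell on a farm server), reports every web with unique role assignments, and flags the grants most worth reviewing. The principal names it matches on ("Everyone", "NT AUTHORITY\authenticated users") and the choice to flag Full Control are assumptions about what a reviewer cares about, not part of the original text.

```powershell
# Added example (not from the original post): audit role assignments on every
# web in an on-premises SharePoint farm that does not inherit permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Webs that inherit from their parent add nothing new; only unique
        # role assignments can widen or narrow access.
        if ($web.HasUniqueRoleAssignments) {
            foreach ($ra in $web.RoleAssignments) {
                [pscustomobject]@{
                    Web       = $web.Url
                    Principal = $ra.Member.Name
                    Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                }
            }
        }
        $web.Dispose()    # SPWeb objects must be disposed explicitly
    }
    $site.Dispose()
}

# Full listing, useful as a baseline to diff against on the next run.
$report | Sort-Object Web, Principal | Format-Table -AutoSize

# Grants worth a second look: broad principals (assumed names) or Full Control
# given outside the site collection administrators.
$report | Where-Object {
    $_.Principal -eq "Everyone" -or
    $_.Principal -eq "NT AUTHORITY\authenticated users" -or
    $_.Roles -match "Full Control"
} | Format-Table -AutoSize
```

Keeping a saved copy of the first listing and comparing it with each later run turns this into a simple drift check: a new web with unique permissions, or a new Full Control grant, shows up as a difference rather than something that has to be spotted by eye.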

Access to SharePoint is via a standard logon process. For on premise solutions this is usually based on the user’s Active Directory/Windows credentials, providing single sign-on. For cloud solutions there is an option to synchronise these credentials or to employ full Active Directory Federation, which gives the same single sign-on option.

On premise solutions (e.g. a HyperV farm) are protected from the outside world by the organisation’s standard perimeter security, i.e. firewalls, threat protection and prevention. While this is often considered to be secure, the issue is that any content that needs to be accessed remotely or shared with 3rd parties has to bypass this perimeter protection, and this sharing rarely has strong governance; the extranet option referred to above requires holes to be created in the firewall etc., which can present a risk not only to the SharePoint farm and content but conceivably to other applications as well if not managed correctly.

Cloud solutions, including Office 365, generally have a much more sophisticated perimeter security solution. Furthermore the physical security of the server farm is far greater than can be easily achieved by most organisations with an on premise solution. Communication with the cloud solution is encrypted via SSL certificates (https) and there is an option to enable encryption of the database. There is also an option to employ 2 factor authentication, which is achieved using a one-time code delivered via text message or using an authenticator app on a smart phone. We recommend using this sparingly as this option interferes with the ease of access to information for users, who will typically revert to less secure methods in response. The cloud solution includes an option to enable external sharing without compromising any of the organisation’s applications; best practice still needs to be adhered to in order to protect the content within the SharePoint environment as noted above.
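The external sharing option is a tenant and site collection setting, and the "separate site collection" recommendation earlier in this post translates directly into configuration: a restrictive tenant-wide ceiling, sharing disabled on ordinary sites, and sharing permitted only on the extranet site collection. The following PowerShell is an added example, not code from the original post or from Microsoft, using the SharePoint Online Management Shell cmdlets; the admin URL and extranet site URL are placeholders for a real tenant, and the choice of ExternalUserSharingOnly (authenticated external users, no anonymous links) as the ceiling is an assumption about the desired policy.

```powershell
# Added example (not from the original post): report and restrict external
# sharing across SharePoint Online site collections so that only the
# dedicated extranet site collection can share with outside parties.
$AdminUrl    = "https://contoso-admin.sharepoint.com"            # placeholder tenant admin URL
$ExtranetUrl = "https://contoso.sharepoint.com/sites/extranet"   # placeholder extranet site

Connect-SPOService -Url $AdminUrl

# Tenant-wide ceiling. Site collections cannot be more permissive than this,
# so anonymous "anyone" links are ruled out everywhere in one step.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

$sites = Get-SPOSite -Limit All

# Weak state to look for: sites other than the extranet with sharing enabled.
$sites | Where-Object { $_.SharingCapability -ne "Disabled" -and $_.Url -ne $ExtranetUrl } |
    Select-Object Url, SharingCapability, Owner |
    Format-Table -AutoSize

# Corrected state: sharing off everywhere except the extranet, which is
# explicitly set to the tenant ceiling rather than left to whatever it had.
foreach ($site in $sites) {
    if ($site.Url -eq $ExtranetUrl) {
        Set-SPOSite -Identity $site.Url -SharingCapability ExternalUserSharingOnly
    }
    elseif ($site.SharingCapability -ne "Disabled") {
        Write-Host "Disabling external sharing on $($site.Url)"
        Set-SPOSite -Identity $site.Url -SharingCapability Disabled
    }
}
```

Running only the report section on a schedule is a cheap governance check: a site collection that reappears in the list means someone has re-enabled sharing outside the agreed extranet, which is exactly the ungoverned sharing the post warns about.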

Security within the SharePoint application is, to all intents and purposes, the same whether on premise or in the cloud. In most cases an Office 365 environment is as secure as an on premise environment; while it is exposed to more potential threats from the Internet, this is balanced by more sophisticated threat prevention built into the environment. In cases where the solution is only required for internal, on premise collaboration an argument could be made that an on premise solution can be made more secure; however, when external sharing is required the cloud solution has the benefit of segregating itself from other business applications, reducing the threat surface and avoiding compromise to the organisation’s network perimeter while enabling external collaboration and remote working.

This position is backed up by a number of security certifications for Office 365 and other cloud solutions. This includes an announcement from the EU in April 2014 that Microsoft’s cloud contracts and infrastructure comply with EU privacy laws and the UK data protection act across all of their infrastructure (data centres in the US and Singapore are treated as being within Europe for these purposes under this clarification). Details can be found here: http://blogs.microsoft.com/blog/2014/04/10/privacy-authorities-across-europe-approve-microsofts-cloud-commitments/

Organisations are wise to do appropriate diligence and research on the security capabilities of cloud offerings. However cloud services have matured over the last 5 years and the Microsoft ones are considered to be particularly strong. There are few reasons to reject cloud solutions out of hand on the basis of security; many financial institutions, multinationals and other organisations with commercially or legally sensitive information are committing their content to the cloud, with appropriate safeguards (which can include tools such as AvePoint’s Compliance Guardian, which can monitor what is being uploaded).

In reality most organisations employ local security and network security that is, at best, no better than cloud solutions. As ever the single greatest threat is the action of staff, and this needs to be addressed equally strongly regardless of the location of the application.

Filed under Cloud, SharePoint