[Lincoln LUG] Advice needed on backing up laptops

Sat Jul 1 10:44:30 UTC 2017

Hi Everyone

Thanks for your comments. I have also spoken to colleagues  in IT and 
the "general" policy appears to be companies are using VPN and as much 
data as possible is being kept on in house servers. Computers/laptops 
etc. are fully encrypted and external storage devices are not an option.

It is not as clear cut  when it comes to data not on the server. Some 
companies do backup files held on the device, others don't because they 
are trying to get users to use VPN.

I think we will be looking at VPN with some sort of file backup, as a 
backup!

What to use? Well, management have asked the Council to install a 
solution because there is just me covering two schools so I don't think 
it will be an open source solution.

For your information, I have been testing:

FreeFileSync https://www.freefilesync.org/

Very good, lots of features.

Urbackup https://www.urbackup.org/

Very promising. The only open source backup solution I have been able to 
get running in minutes.

Regards

Kevin

On 30/06/17 15:57, J Fernyhough via Lincoln wrote:
> Ah, a meaty reply. :)
>
> On 30 June 2017 at 14:18, Terry Froy via Lincoln LUG via Lincoln
> <lincoln at mailman.lug.org.uk> wrote:
>> Nextcloud is PHP running on a webserver (in this case, nginx) which
>> stores data in MariaDB (replicated via Galera cluster) and a
>> CephFS-based filesystem... it definitely scales!
> The application scales - I'm more concerned about the file storage.
>
>> Nextcloud provides for another copy of the data, on a
>> different machine
> How do you deal with conflicts and canonical versions in this case?
>
>> Nextcloud is about data access and permits mobile clients to
>> transparently upload/download/sync their data back to base - wherever
>> they are - and using protocols which are unlikely to be blocked in a
>> third-world coffee shop.
> Why are you using a company laptop on an insecure wifi network? :P
>
>> You might as well make the argument that online banking and web-based
>> e-mail are a bad idea too!
> Not really. A bank providing online banking knows it has to be secure.
> Web-based email isn't all that much different to POP/IMAP (and can
> easily be made more secure via e.g. 2FA).
>
>> Any security-conscious company should be operating their own X.509 CA
>> with root CA keys held in a hardware security module and insisting that
>> all forms of remote access uses it; the only inbound connections
>> permitted into our corporate network are HTTPS, IMAPS, SMTPS and SSH -
>> and SSH forces use of key-based authentication - with the other
>> protocols using our own X.509 CA for trust/encryption and clients
>> optionally using X.509 certs for authentication.
> Yes!
>
>> Your 'you have only one thing to monitor and keep secure' is a dangerous
>> approach to take; this line of thinking has been responsible for the
>> meltdown of NHSnet during the recent WannaCry ransomware outbreak as a
>> hard outer shell does little to protect the egg once it has been
>> compromised.
> I didn't mean you ignore everything else - I meant more that you're
> not spreading your watch/efforts over multiple disparate
> externally-facing services (similar to having an SSH bastion host vs
> all devices externally accessible). Network segmentation, e.g., is
> still important.
>
>> A 'single ingress' is also a bad idea if you are running a multi-homed
>> Internet Service Provider network like we are ;-)
>>
>> We run multiple X.509 IPsec/L2TP endpoints at each of our PoPs and for
>> some access (access to customer PII data), we insist on connectivity via
>> one of those endpoints, but for other less-critical access, we are happy
>> for that to come in via the Internet from a trusted X.509 client
>> certificate or trusted SSH key.
> I don't run an ISP but I'm glad you know what you're doing. :D
>
> J
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/lincoln/attachments/20170701/abf720b4/attachment.html>