[Lincoln LUG] Advice needed on backing up laptops

Terry Froy via Lincoln LUG tez+lincoln-lug at spilsby.net
Fri Jun 30 14:18:36 UTC 2017 

On 29/06/2017 17:35, J Fernyhough via Lincoln wrote:

> On 29/06/17 07:27, Terry Froy via Lincoln wrote:
>> .... and so far no-one has mentioned any item of free software :-(
> I thought this was more of an architectural question. :)
>
> Without knowing whether you mean Free (beer) or Free (Libre) I'd also
> hope people support companies that provide open-source software so they
> can keep doing so. ;)

Hi J,

The question was rather open but went on to give detail as to how,
presumably the OP's employer, does it.

My definition of free software is as the FSF defines it:
https://www.fsf.org/about/what-is-free-software

>
>> I suggest you look at Nextcloud - http://www.nextcloud.com/ - both the server and clients are mature/stable and will do what you need plus lots more besides.
> Nextcloud (and its parent project ownCloud) is, at its core, for file
> access rather than file storage - it still needs a backing filestore
> which needs to be managed, backed-up, etc.

The original question was 'What is your companies backup policy for
staff laptops?'.

In this case, Nextcloud provides for another copy of the data, on a
different machine, which may or may not have file versioning turned on,
or may be using a snapshot-based filesystem and may even be backed up
further to an off-site location which periodically archives to removable
storage.

As far as users are concerned, they have ready on-line access to
previous versions of files in case of accidental
changes/deletions/ransomware plus these files are synched to other
machines which share the same account - they get safety, security and
convenience all in one.

>
> I'm also not sure how well it scales or allows for HA. Filestore
> fail-over is critical when you move beyond a workgroup-sized setup.

Nextcloud is PHP running on a webserver (in this case, nginx) which
stores data in MariaDB (replicated via Galera cluster) and a
CephFS-based filesystem... it definitely scales!

>
> If you already have a setup where you can mount a filestore directly on
> a given device I'm not sure what Nextcloud adds to that.

Nextcloud provides other functionality besides backup.

>
>> Assuming your Nextcloud server is HTTPS-only, you will also not require a VPN client in order to ensure security of data while in transit.
> HTTPS will secure the data in transit but doesn't help with data
> management - the point of a networked file store (whether NFS,
> Samba/SMB, Sharepoint etc.) is to allow data management (as well as HA,
> snapshots, etc.).

As you say, HTTPS solves the problem of data transit.

Nextcloud is about data access and permits mobile clients to
transparently upload/download/sync their data back to base - wherever
they are - and using protocols which are unlikely to be blocked in a
third-world coffee shop.

Once the data is replicated back to base, the question then shifts to
that of "What is your company's backup policy for *servers* ?"

> I'd probably even argue that having web servers that allow access to
> data exposed to the internet is a bad idea

You might as well make the argument that online banking and web-based
e-mail are a bad idea too!

> - keeping everything behind a
> single ingress (VPN) means you have only one thing to monitor and keep
> secure (I'd also assume you're running a firewalled network ;).

Any security-conscious company should be operating their own X.509 CA
with root CA keys held in a hardware security module and insisting that
all forms of remote access uses it; the only inbound connections
permitted into our corporate network are HTTPS, IMAPS, SMTPS and SSH -
and SSH forces use of key-based authentication - with the other
protocols using our own X.509 CA for trust/encryption and clients
optionally using X.509 certs for authentication.

Your 'you have only one thing to monitor and keep secure' is a dangerous
approach to take; this line of thinking has been responsible for the
meltdown of NHSnet during the recent WannaCry ransomware outbreak as a
hard outer shell does little to protect the egg once it has been
compromised.

A 'single ingress' is also a bad idea if you are running a multi-homed
Internet Service Provider network like we are ;-)

We run multiple X.509 IPsec/L2TP endpoints at each of our PoPs and for
some access (access to customer PII data), we insist on connectivity via
one of those endpoints, but for other less-critical access, we are happy
for that to come in via the Internet from a trusted X.509 client
certificate or trusted SSH key.

Regards,
Terry Froy
Spilsby Internet Solutions
http://www.spilsby.net/

More information about the Lincoln mailing list