Sysadmin

thorbot , in Hello lemmy!!!

Heyo! Welcome to the party!

thorbot , in [RANT] Why do I need an app to set up a switch?

I actually really appreciate just whipping out my phone and hitting “Adopt” when I am setting up new hardware at a site (UniFi stuff). It gets added, updated, and it’s done. Then I can leave and go manage it from the office.

thorbot , in Does nonstop reading from a hard drive reduce its lifespan?

Yes, but the number of hours they can withstand these reads is rather insane. I’ve seen SAS level drives with millions of hours of runtime and no bad blocks. They are pretty robust these days!

thorbot , in 300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug

I was happy to see the FortiCloud interface was updated recently, and pushing this update was about as easy as can be. I updated over 25 devices in a span of about 2 hours the other night and it all went without a hitch.

toasteecup , in Is gstatic.com safe to whitelist on a secure network?

Based on this quick article, softwarekeep.com/help-center/what-is-gstatic-com#…. It feels like just allowing all of gstatic is a bit of a security nightmare. I’d push back and have them identify the parts of gstatic they actually need for their website to work and allow those.

Alternatively, if this application needs a cdn but is only intended for local hosting in the secure network, perhaps a locally hosted cdn could be a good idea.

Without knowing the security in place it’s hard to do much beyond give general maybe this or that.
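The approach suggested above (identify which parts of gstatic.com the application actually uses, and allow only those) can be driven from the proxy log rather than from guesswork. The following is an added example, not code from the original thread: it reads Squid-style access log lines (the sample lines, hosts and paths below are constructed for illustration), keeps only requests under gstatic.com, collapses paths to a fixed number of leading segments so version-specific file names fold into a stable prefix, and renders the result as Squid `dstdomain`/`url_regex` ACLs. `TUNNEL` marks hosts seen only via CONNECT, where the proxy never saw a path; the `depth` parameter and the ACL names are this example's own choices.

```python
"""Derive a least-privilege gstatic.com allowlist from proxy logs.

Added example (not from the original post). Assumes Squid's native
access.log layout: timestamp elapsed client action/code bytes method URL
ident hierarchy type. The log lines below are constructed samples.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

TUNNEL = "*"  # placeholder prefix: host seen only via CONNECT, path unknown

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
1700000000.101 23 10.0.0.5 TCP_MISS/200 4120 GET https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Me5Q.ttf - HIER_DIRECT/142.250.74.3 font/ttf
1700000000.205 11 10.0.0.5 TCP_MISS/200 900 GET https://www.gstatic.com/recaptcha/releases/abc123/recaptcha__en.js - HIER_DIRECT/142.250.74.3 text/javascript
1700000000.310 9 10.0.0.7 TCP_MISS/200 512 GET https://fonts.gstatic.com/s/opensans/v34/mem8YaGs126MiZpBA-U.woff2 - HIER_DIRECT/142.250.74.3 font/woff2
1700000000.412 15 10.0.0.7 TCP_MISS/200 2048 GET https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif - HIER_DIRECT/142.250.74.3 image/gif
1700000000.500 7 10.0.0.9 TCP_MISS/200 100 GET https://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000000.600 30 10.0.0.5 TCP_TUNNEL/200 6000 CONNECT fonts.gstatic.com:443 - HIER_DIRECT/142.250.74.3 -
"""


def parse_requests(log_text):
    """Yield (host, path) per line; CONNECT lines yield path=None."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed/truncated line, skip rather than guess
        method, url = fields[5], fields[6]
        if method == "CONNECT":
            # Only "host:port" is visible for a TLS tunnel without SSL bump.
            yield url.rsplit(":", 1)[0].lower(), None
            continue
        parts = urlsplit(url)
        if parts.hostname:
            yield parts.hostname.lower(), parts.path


def minimal_allowlist(log_text, domain="gstatic.com", depth=2):
    """Return {host: sorted path prefixes} for hosts under `domain`.

    Paths are cut to `depth` leading segments so that versioned file
    names (e.g. /s/<family>/v30/<file>) collapse to one stable prefix.
    """
    allow = defaultdict(set)
    for host, path in parse_requests(log_text):
        if host != domain and not host.endswith("." + domain):
            continue
        if path is None:
            allow[host].add(TUNNEL)
            continue
        segs = [s for s in path.split("/") if s]
        prefix = "/" + "/".join(segs[:depth]) + ("/" if segs else "")
        allow[host].add(prefix)
    return {h: sorted(p) for h, p in allow.items()}


def render_squid_acl(allowlist):
    """Render the allowlist as Squid ACL lines (names are this example's)."""
    out, have_host, have_url = [], False, False
    for host, prefixes in sorted(allowlist.items()):
        for p in prefixes:
            if p == TUNNEL:
                out.append(f"acl gstatic_ok_host dstdomain {host}")
                have_host = True
            else:
                out.append("acl gstatic_ok_url url_regex "
                           f"^https?://{re.escape(host)}{re.escape(p)}")
                have_url = True
    if have_host:
        out.append("http_access allow gstatic_ok_host")
    if have_url:
        out.append("http_access allow gstatic_ok_url")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_squid_acl(minimal_allowlist(SAMPLE_LOG)))
```

The `TUNNEL` entries are the caveat a practitioner should watch for: for HTTPS traffic a forward proxy only sees the CONNECT host, so path-level rules are enforceable only for plain HTTP or when the proxy terminates TLS (Squid's SSL bump). Without that, "allow only these parts of gstatic" reduces in practice to "allow only these gstatic hostnames".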

MrPoopyButthole , in How do you guys feel about pulseway?

We use Fortigate VPN and N-able

Ketchup , in [slight rant] This is a reminder to be careful with data in the "cloud"

I thought that legally the server side had to retain emails for 5-year terms, particularly for legal situations. If Google were subpoenaed I believe they would have to provide

Snowplow8861 ,

What makes you think that? Which country and law says that it’s the cloud provider’s responsibility, and not the company in question?

Where I am, there’s law that says architects need to keep building drawings for 99 years. That’s not up to autodesk. That’s up to the architecture firm using autodesk products.

Ketchup ,

It happened to an IT client of mine. He attempted to delete 10 years of cloud files and emails on Google to escape forthcoming legal troubles about a year in advance. The accounts were deleted. Long before I was involved. He thought he could get away with it. It was at that point that I learned that wasn’t the case. At least with all of his Google files, and any email he sent over another AOL account going back five years.

I figured that made sense. Of course shady people will try to cover their digital tracks.

Snowplow8861 ,

Ok so two things here: you were probably never privy to the legal costs associated with Google being required to do a re-discovery. Google makes no promise to backup your data though there are provisions to restore things from the trash. Eg emails and files lost or deleted recently. Google then also have tools for you to do some of this work yourself eg: workspace.google.com/products/vault/ which meets your company legal requirement if you configure and pay for it. Again that’s not backup, that’s archive for legal discovery but lines can get blurry when multiple tools which solve different issues can effectively do the same thing.

Issue two: As an administrator there’s no denying that even if they did, you still wouldn’t have followed the 3-2-1 backup rule. You never had something on a medium that wasn’t Google, even if you thought there were three copies and you consider Google replication to be at least two physical sites.

To be honest I’m not experienced with Google but this is the normal expectation of cloud services. If you don’t have explicit terms of agreement to data recovery in a disaster, then you probably don’t have it.

Ps: I’m going to imagine your former boss paid a lot of additional fees, lawyer fees, google fees and court fees if it really had to be recovered that way. Nothing comes for free.

I’ve my own experience with Microsoft not having backups and directors not understanding that Microsoft explicitly do not promise backups. A user mailbox got delicensed, but when it was delicensed, the mailbox didn’t reattach. In the end it never came back after using our Gold partnership and paid support. We even had the guid. It was lost forever.

I reconstructed much of the mail: other mailboxes in the tenancy had emails from them or to them, or were CC or BCC, so with enough discovery I could eventually restore about 75% of the mail by getting the same email from other mailboxes.

Nobody has ever doubted using a backup solution is required since.
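The reconstruction described above (pulling copies of a lost user's mail out of every other mailbox in the tenant) is essentially a join on addressing headers followed by deduplication. The following is an added example, not the commenter's tooling: it takes raw RFC 5322 messages grouped by the mailbox they were exported from (the addresses and messages here are constructed), keeps those where the lost user appears in From, To or Cc (Bcc is almost never preserved in a recipient's copy, which is part of why recovery stays incomplete), and deduplicates by Message-ID, falling back to a hash of Date, From and Subject when a message lacks one. The `PEER_MAILBOXES` structure and function names are this example's own.

```python
"""Rebuild a lost mailbox from copies held in peers' mailboxes.

Added example (not from the original post). Input: {owner: [raw message
text, ...]} as exported from each surviving mailbox. Output: the set of
unique messages involving the lost user, plus which owners held each one.
"""
import hashlib
from email import message_from_string
from email.utils import getaddresses

LOST_USER = "alice@example.com"  # constructed: the delicensed mailbox

# Constructed sample exports; not real mail.
PEER_MAILBOXES = {
    "bob@example.com": [
        "Message-ID: <m1@example.com>\r\nFrom: alice@example.com\r\n"
        "To: bob@example.com\r\nCc: carol@example.com\r\n"
        "Date: Mon, 01 May 2023 10:00:00 +0000\r\nSubject: Q2 plan\r\n\r\n"
        "Draft attached.\r\n",
        # Does not involve alice at all: must be excluded.
        "Message-ID: <m2@example.com>\r\nFrom: carol@example.com\r\n"
        "To: bob@example.com\r\nDate: Mon, 01 May 2023 12:00:00 +0000\r\n"
        "Subject: Lunch\r\n\r\nNoon?\r\n",
    ],
    "carol@example.com": [
        # Carol's Cc copy of m1: same Message-ID, must deduplicate.
        "Message-ID: <m1@example.com>\r\nFrom: alice@example.com\r\n"
        "To: bob@example.com\r\nCc: carol@example.com\r\n"
        "Date: Mon, 01 May 2023 10:00:00 +0000\r\nSubject: Q2 plan\r\n\r\n"
        "Draft attached.\r\n",
        # No Message-ID header: falls back to a content fingerprint.
        "From: dave@example.com\r\nTo: alice@example.com\r\n"
        "Cc: carol@example.com\r\nDate: Tue, 02 May 2023 09:00:00 +0000\r\n"
        "Subject: Expense report\r\n\r\nPlease approve.\r\n",
    ],
}


def involves(msg, address):
    """True if `address` appears in From, To or Cc (Bcc is not relied on)."""
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {addr.lower() for _, addr in getaddresses(headers)}
    return address.lower() in addrs


def message_key(msg):
    """Dedup key: Message-ID when present, else a hash of Date/From/Subject."""
    mid = msg.get("Message-ID")
    if mid:
        return mid.strip()
    fingerprint = "|".join(msg.get(h, "") for h in ("Date", "From", "Subject"))
    return "sha256:" + hashlib.sha256(fingerprint.encode("utf-8")).hexdigest()


def rebuild_mailbox(lost_user, peer_mailboxes):
    """Return (recovered, provenance).

    recovered:  {key: email.message.Message} with one copy per unique message
    provenance: {key: [owner, ...]} listing every mailbox that held a copy
    """
    recovered, provenance = {}, {}
    for owner, raw_messages in peer_mailboxes.items():
        for raw in raw_messages:
            msg = message_from_string(raw)
            if not involves(msg, lost_user):
                continue
            key = message_key(msg)
            provenance.setdefault(key, []).append(owner)
            recovered.setdefault(key, msg)  # keep the first copy seen
    return recovered, provenance


if __name__ == "__main__":
    recovered, provenance = rebuild_mailbox(LOST_USER, PEER_MAILBOXES)
    for key, msg in recovered.items():
        print(key, "|", msg["Subject"], "| held by:", ", ".join(provenance[key]))
```

Writing `recovered` out is a one-liner with the standard library's `mailbox.mbox`. The provenance map is worth keeping for the legal or audit trail: it documents which surviving mailbox each recovered message came from, which matters when the reconstruction is later questioned.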

Ketchup ,

Thank you for sharing those additional details. The individual in question had an interesting background, an officer leaving a publicly traded tech company during the dot com bubble and returning to face a massive lawsuit involving all his former partners. The fact that everyone associated with the company was subpoenaed suggests a comprehensive investigation. Perhaps it was the client’s profile?

Regarding the individual’s attempt to delete correspondence, it’s challenging to ascertain the exact reasons for the data being provided to legal. Several factors might have played a role, such as the timing of the lawsuit, data retention policies of the tech companies involved, and legal obligations to cooperate with investigations going on while this individual was sailing the world for a decade completely disconnected from his past involvement with that entity. I was never privy to more information, so it’s hard to determine if it was related to the person’s identity or simply what they did.

As for data deletion, tech support informed me that deactivating or deleting said accounts and waiting for a significant period (5 years) might ensure complete deletion. However, the companies explained that they had their own data retention policies (mid 2010s) that could impact the extent of data removal even after the user made such attempts. And the user couldn’t count on it being really gone due to those retention policies.

The outcome was that at least enough of his data was recovered to be condemning.

I have had other similar experiences with retention of deceased persons’ data. However I do not have expert knowledge on the specific practices of the companies involved.

tehBishop , in Calling all /r/sysadmin reddit refugees!

Hey, I was wondering what are the rules regarding crossposting from /r/sysadmin? Or is only “original” content allowed?

DarraignTheSane OP Mod ,

Sure, crosspost away. As long as we’re not getting too many duplicate posts within /c/sysadmin about the same topic, it doesn’t matter much the source.

regulatorg , in [RANT] Why do I need an app to set up a switch?

I had to install an app for Ubiquiti access point too, no Linux client provided

dezmd ,

If it’s a standalone UAP then yeah, app.

Otherwise, shouldn’t you be using Unifi Network Server, either on a cloud key, UDM, or the server app version for Win/Mac/Linux?

ui.com/download

aStonedSanta , in [RANT] Why do I need an app to set up a switch?

I worked in business tech support for an ISP. I wonder how many times I’ve been yelled at by IT because of those and them not understanding the fucking product they bought.

SheeEttin , in Windows Server Updates in succession

MECM and rolling reboots? Time how long it takes normally, then use at least 1.5x that time, or as long as you can.

What’s the reason for the ordered reboots? Sounds like you need to review your architecture for better availability.

BEEKAYRANDEE ,

Exactly this. MECM even has this sort of feature built-in with Orchestration Groups. You can set group 1 to perform updates and reboot at a certain time, then group 2 will only begin its update/reboot cycle when group 1 has completed or crossed a certain threshold.

DarraignTheSane Mod , in O365 Email Encryption

Usually in these kinds of situations I fall back to sharing a OneDrive / Teams (SharePoint) folder out to the external vendor. Anyone can say that they can’t receive the encrypted email and there could be legitimately good reasons for that, but if they don’t know how to log in to 365 to access a shared folder that’s on them.

L3s OP Mod ,

Makes sense, but wouldn’t you have an issue with sharing to a group/shared mailbox?

Not a fan of “anyone with a link” personally, that’s the only way I can think of that working smoothly

DarraignTheSane Mod ,

If they absolutely refuse to allow you to share or email an individual vs. a distro group then I’d do it that way, but not using an “anyone with the link” share, depending on the sensitivity of the information. If it’s something that isn’t as sensitive, sure, but otherwise they’ll need to set up credentials with that distro group and use it to log in to access the shared folder.

arensb , in Does anyone else use old equipment for homelab use? If so, what are you running?

I don’t have any retired hardware from my current job, since I’m 100% cloud (and I don’t miss hardware one bit (well, except for the one time I found that I didn’t have any spare power cables for the homebrew PC)).

I have, however, converted my old QNAP NAS to TrueNAS, and it’s much better now.

L3s OP Mod ,

On-prem infrastructure is way less fun than having a full cloud stack, how are you enjoying that, and are there any big snags you all have run into?

Currently in the process of doing the same at work. We mainly utilize file servers (already migrated to SharePoint), DCs (in process of going full AAD, Endpoint Manager [Intune], Autopilot), and print servers (currently testing a full cloud solution to replace them). This would allow us to be “serverless” with no on-prem infrastructure aside from switching/routing/firewalls, and we can segment our network completely since users won’t need to talk to anything on-prem anymore.

arensb ,

> On-prem infrastructure is way less fun than having a full cloud stack, how are you enjoying that, and are there any big snags you all have run into?

There are people who do enjoy playing with hardware, and I’m not going to say they’re wrong, especially since I’m glad they’re around. But that’s not what I want to do for a living.

I think the biggest challenge I’ve seen is: with on-prem hardware, you can brick a server or a router, and have to go down to the machine room to reimage it from the console. With cloud infrastructure, it’s possible to not just brick, but destroy your entire machine room.

Having said that, I really like infrastructure-as-code. I’ve set up racks of hardware, and IaC is way more fun.

ParticleUs , in How do you guys feel about pulseway?

We tested out Pulseway a while back but weren’t confident in its patching process. We ended up using Action1 because of the price and the simplicity of it. They have a good community on Discord that’s always helpful and they’re consistently adding new features. They also host weekly webinars (usually about patching) to help you get up and running.

I guess RMM is a broad term though, cuz I’m not sure about the VPN to AD situation you’re talking about. Are you hosting Pulseway on your own server?

AFAIK Action1 is only cloud-based right now, just install the agent and go. You can also set up a service account on your DC and use their deployer to auto install the agent on domain devices.

possiblylinux127 OP ,

I’ve been testing it as well and you may be right

LUHG_HANI ,

Action1 has been a godsend to me. I tried a few paid RMM suites and they either failed or just had so much bulk it was a minefield.

TiredAndHappy , in Opinions on Solarwinds Patch Manager vs. Barebones WSUS?

I’ve never used SolarWinds Patch Manager, but after all of those breaches I’m very leery of any of their stuff. Another option to look into is ManageEngine Patch Manager Plus. It can be a bit of a pain but it worked decently enough. Also, very cheap. Just don’t expect a super robust and reliable program.

TylerHagan1980 ,

ManageEngine is what my team (independent of our infrastructure team’s offering) uses, and we’ll never go back to WSUS since it’s so terrible.
