PMI is a South Florida company that works in the construction industry. Project managers travel frequently to prepare estimates and surveys for individual construction projects. PMI has a local file server because certain workflows and applications related to construction are tied to a Windows file server and cannot easily be moved to SharePoint Online. Originally, Dropbox was used for remote file sharing: before a manager leaves for a site visit, he or she copies a set of files into a Dropbox account so they are instantly available on the road. It is unwise and unnecessary to copy 100% of the contents of the file server to a personal Dropbox account, so only the files relevant to the project at hand are ever copied. However, there are always unexpected requests for which the relevant files remain on the company's file server, leaving clients' questions unanswered until the manager can return to the office and consult those files for accurate information. Managers are also equipped with remote desktop portals, which let them access company files from home. However, it is very bad practice to leave remote desktops exposed to brute-force password attacks from the Internet, so PMI has limited the allowed IP address range to the managers' home IP addresses. This gives managers full access to files at home, but on the road they can only access the files they have copied to their personal Dropbox accounts.
Granted, construction is one of the industries that employs the most field workers. Do you also have remote workers in your company and are you using a combination of VPN, RDP and Dropbox to support your remote workers?
Hoffman York is an advertising agency in Milwaukee. They also have an on-premises file server because it contains a large dataset of Adobe Creative Suite workflows, which do not work well with SharePoint Online. When the pandemic hit, everyone started working from home. VPN access is considered a security risk because it opens up the corporate network directly and extends it to endpoints in employees' home offices. Almost all graphic designers use Remote Desktop to access corporate files and do their work with Adobe Suite. Many employees are kicked off the corporate network every hour or so. Direct VPN access is not very helpful either when large Photoshop files have to be transferred over the VPN.
Pogue Construction of Texas has many field technicians working from job site trailers. WLAN is not stable at the trailer sites, so using VPN to connect to corporate headquarters is a problem. VPN technology relies on active, concurrent connections on the corporate firewall to allow access to SMB-based file servers. When the Internet is sporadic or contention on the firewall increases, employees' active sessions are interrupted and file access is disrupted. In this case, file synchronization and sharing technologies are beneficial because they allow files to be downloaded asynchronously, modified locally, and synchronized back to the data source. Usually, file synchronization and sharing is associated with Dropbox, OneDrive, Box and Google Drive. However, there is also a solution that combines file sync and share technology with the company's file server and provides HTTPS-based drive mapping for offline editing. The advantage is that you can use your existing file server as the main data store without the data ending up on third-party sites.
A Zero Trust Network is a security solution for employees who log in from mobile Internet locations. In this scenario, employees must prove their identity, for example to Azure AD or to a third-party identity service connected to Active Directory, before they can connect to the corporate network. Azure AD Application Proxy, for example, is a good way to provide a trusted network for mobile workers.
Enterprise administrators also have other ways to combat VPN security issues. For example, an Amazon EC2 security group can be used to restrict the IP address range that may reach the Amazon VPC over a particular protocol. Alternatively, certain private IP addresses can be whitelisted to pass through the corporate firewall. These are stopgap solutions that add security beyond VPN technology, but they are not as mobile as a Zero Trust Network.
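An added example, not from the original article or from Triofox: a small audit of ingress rules, in the shape returned by EC2 describe-security-groups, that flags RDP or SMB reachable from the whole Internet or from an allow-list broader than a handful of addresses. The sample rules, the 16-address threshold and the function name are assumptions made for illustration; only IPv4 ranges are checked.

```python
import ipaddress

# Ports behind classic RDP and SMB file access; HTTPS (443) is not flagged.
RISKY_PORTS = {445: "SMB", 3389: "RDP"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules (documentation address ranges, not real hosts).
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.17/32"},
                  {"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 400, "ToPort": 500,
     "IpRanges": [{"CidrIp": "192.0.2.0/25"}]},
]

def audit_ingress(rules, max_hosts=16):
    """Return (rule index, service, CIDR, severity) for risky ingress rules."""
    findings = []
    for idx, rule in enumerate(rules):
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # Protocol "-1" means all traffic, so every port is covered.
        lo, hi = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
        exposed = [name for port, name in sorted(RISKY_PORTS.items())
                   if lo <= port <= hi]
        if not exposed:
            continue
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if any(net.subnet_of(private) for private in RFC1918):
                continue  # internal-only source range
            if net.prefixlen == 0:
                severity = "open-to-internet"
            elif net.num_addresses > max_hosts:
                severity = "broad-allowlist"
            else:
                continue  # narrow allow-list, e.g. one manager's home address
            findings.append((idx, "/".join(exposed), str(net), severity))
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES):
        print(finding)
```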
HTTPS-based drive mapping works well with Azure Application Proxy or other Zero Trust solutions because, running over the HTTPS protocol, it can be treated as basic cloud technology.
As mentioned earlier, sending large Photoshop files over a VPN connection or browsing a large folder structure in a photo editing workflow like Hoffman York's is very slow. In PMI's case, managers also need to run applications over a remote desktop, where 3D rendering over RDP is slow. HTTPS-based drives use HTTP streaming, which means files are transferred in streaming mode rather than in the chatty request-and-response mode of the SMB protocol. Of course, the SMB3 protocol also performs file streaming. However, the HTTPS-based drive technology adds offline editing and asynchronous transfer, so that files can be cached locally and synchronized later. Local caching provides additional performance improvements.
Both VPN and RDP were invented and existed long before the advent of the cloud. Today, when we talk about the cloud, we no longer mean just the old Internet, but also cloud-based single sign-on, cloud-based directories, cloud-based applications and so on. For example, enterprises use OneLogin, Okta, Duo, Azure AD or VMware Horizon for single sign-on. Users are presented with a web browser-based login screen, and once logged in, they see their applications laid out like the app icons on an iPhone screen, only in a web browser. Pretty much all cloud applications live and stay in a web browser, with the exception of the file server application.
So the question is, how do you tie your file server into this single sign-on paradigm as an app icon on the screen? HTTPS-based Drive Mapping is compatible with cloud-based single sign-on and can present itself as if it were a "cloud file server" app.
Virginia-based Dominion Engineering is an engineering firm that provides services, equipment and technology for nuclear power plants and facilities. Internet connectivity within a power plant is limited, so on-site engineers typically must synchronize all required data at a hotel before entering the power plant to work. Not all hotels offer RDP and VPN access, as ports may be blocked. However, almost every hotel offers HTTP and HTTPS-based web browser access.
In this case, HTTPS-based drive mapping offers field technicians better mobility for accessing the company's file servers, especially for those files that require some level of security and cannot be copied to a third-party Dropbox site.
PMI, Hoffman York, Pogue Construction, and Dominion Engineering not only have in common that they are North American companies, but also that they are all Triofox customers using the HTTPS-based drive mapping solution to support their remote workers. In summary, they use all or a subset of the following 5 advantages that Triofox offers over RDP and VPN.
1. Offline editing capabilities, so unstable internet or firewall conditions are no longer a productivity factor.
2. Use of zero-trust networking technology to protect access to file servers while ensuring mobility.
3. Faster file access performance, including large Photoshop files, video editing, and 3D rendering.
4. Integration with cloud-based single sign-on and integration of "File Server" from a web browser.
5. Better mobility for field workers than VPN or RDP can provide.
Does this sound too good to be true?
Interested in how a web-based approach connects drive mapping, mobile apps, and web browsers?
Are you wondering how we can provide more security than a VPN? Or what if you need the VPN or even RDP to run applications? Read on, and we will address each of these questions.
Employees can map a drive letter to company file servers without using a VPN
With the web-based approach, it is much easier to combine mobile devices, web browsers and traditional drive mapping into one offering. By comparison, an IPSec-based VPN solution is not on the same level as web applications.
The web-based approach is just as secure while not being as finicky as an IPSec-based solution. It's much easier to continue working on files without worrying about interrupted VPNs.
IPSec-based VPN solutions open up the entire network to remote devices. Web-based drive mapping can limit it to the minimum required ports and protocols, significantly reducing the attack surface.