Seeking Advice on Handling C-Suite Pushback for Critical Business App

Asked By TechGuru234 On

I'm new to my role and facing my first real challenge with the C-suite regarding our recent transition to a new core business application that's lacking a crucial reconciliation feature we relied on with our old software. This gap is putting us at risk of not fulfilling our obligations.

We've previously had issues with teams making purchases without consulting us, so it's a step forward that we're being consulted now. Nonetheless, we're in a bit of a scramble to find a solution due to the urgency of the situation.

Our company is now primarily using Intune devices, and while we still maintain some on-prem servers, we've phased out Terminal Services and RDP in favor of browser-based tools. The required software is niche and depends on forms authentication with a direct SQL database connection, making it incompatible with our Intune setup.

I've pushed back against the idea of installing the app on user workstations for security reasons—an open DB connection on personal devices is too risky. Instead, I'm proposing a solution where we'd set up a dedicated machine and a SQL instance, limiting access and operations to office use only. However, this is causing friction since about half our team is remote, which they're unhappy about.

While they've agreed to a short-term support strategy for 1-2 years, they're questioning why they can't just use it over VPN or install it on their own computers. Creating an RDP solution would require significant resources and time, which is not feasible given the impulsive rollout of this project.

With all this in mind, I'm looking for a sanity check: am I on the right track with my concerns? Would you be willing to compromise on any of this? I suggested investigating RDP solutions, but I made it clear that this would delay implementation further and it doesn't align with our IT strategy for the future.

5 Answers

Answered By CloudWhisperer12 On

You might want to explore Azure Virtual Desktop (AVD) for remote access. Keeping everything isolated in its own VNET can enhance security. Just be aware that setting everything up might take longer due to your company's audit requirements, so be ready to address that with the C-suite.

NetworkNinja99 -

Absolutely, while AVD could provide a solution, the setup and configuration might extend your timeline significantly. They need this up and running immediately, so consider simpler alternatives for now.

Answered By LegacyWiseAce On

If the legacy app is essential, you could look into Azure AD Domain Services for supporting the legacy authentication without compromising your current security protocols. It’s a bit clunky but might be necessary given the situation.

RiskyBusiness44 -

Totally agree; using Azure AD DS can indeed complicate things, but your hands might be tied if that’s the only way to get the app to work correctly without exposing yourself to security risks.

Answered By SecurityFirst201 On

Before proceeding, assess the potential risk to your business if a user account gets compromised. If the likelihood is low, perhaps making a concession might be worth it. If the risk is high, make sure the C-suite is aware and involved in decision-making.

Answered By ModernTechie2023 On

Have you thought about the authentication method the app is using? It seems stuck in the past with forms-based auth. Cashing out for an RDP solution sounds like a detour from your current path toward modern security systems. Maybe a conversation with the vendor about future support could help too.

RealWorldDev -

True! But switching to a less secure method for a short-term solution could open Pandora’s box. Staying firm on your security policies is vital here.

Answered By FutureVisionary1 On

Have you considered using Entra Private Access to secure access? It creates a TCP tunnel to your SQL server based on successful authentication. It might streamline access without exposing your systems directly, allowing you to maintain better control.

CautiousTechnician -

That’s an interesting approach! But, with the app being dependent on direct connections, it might still require you to rethink how you set this up. Just be careful about moving too far from your planned strategy.
