With an increasing number of firms opting for cloud services, especially Microsoft’s Office 365, IT administrators often try to find creative ways to substitute on-prem functionality with cloud resources. They are paying for these services as part of their subscription, so why continue to invest in a duplicate solution?
Clients often ask if OneDrive for Business can replace their firm’s network file shares. The idea is that if each user gets unlimited OneDrive storage (Office 365 Enterprise E3 and E5 plans both give 5 TB of initial storage per user, with the ability to request more from Microsoft), why should I pay thousands of dollars to purchase and maintain a paltry 20 TB of SAN storage?
OneDrive is a fantastic resource. I can’t remember the last time I had to pull out my USB flash drive to transfer files from one computer to another, or had to scrutinize the email file attachment limits when sending large files to other people. OneDrive is a great tool for storing and sharing files that you want to keep so you don’t have to worry about a hardware failure or your computer getting infected with ransomware. So, it should be the perfect platform to offload my network file share to, right?
Not so fast…
In most cases, a typical network share consists of some unit of storage presented to the network and addressable by some unified name. The mechanism for sharing this to the network can vary (storage on one or more Windows servers shared via DFS, a CIFS share directly from a SAN or dedicated NAS device), but in either case, all end-users should be able to browse to a single namespace to access the file shares. All data that needs to be accessed by users will exist on that storage. An administrator can manage access to that data by setting granular permissions. For example, the HR department may have a share for which only users in the HR department will have access. There may also be a folder under that share that only HR Managers will have the ability to modify, while other users will only be able to read it. This access can be assigned individually to users’ accounts, or via membership in security groups that can be controlled and managed by the administrator. If access needs to be modified or removed for any reason, the administrator can do this by modifying the specific share, or removing the user from the group that has access. The point is that access to all firm data can be centrally controlled, through an IT administrator, by firm management. In this model, data is centrally stored, centrally accessed, and centrally managed.
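The HR layout described above, written out as an added PowerShell example (not from the original article) for a Windows file server. The path D:\Shares\HR, the Policies subfolder, and the groups CONTOSO\HR-Staff and CONTOSO\HR-Managers are assumed names.

```powershell
# Added example: group-based permissions for the HR share described above.
# Assumed names (not from the article): D:\Shares\HR, the Policies folder,
# CONTOSO\HR-Staff and CONTOSO\HR-Managers. Run elevated on the file server.
$root     = 'D:\Shares\HR'
$policies = Join-Path $root 'Policies'
New-Item -ItemType Directory -Path $root, $policies -Force | Out-Null

function New-Rule($identity, $rights) {
    # Allow rule that applies to this folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

function Set-GroupAcl($path, [hashtable]$grants) {
    $acl = Get-Acl -Path $path
    # Stop inheriting from the parent and discard the inherited entries,
    # so only the groups listed here end up on the folder.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    foreach ($group in $grants.Keys) {
        $acl.AddAccessRule((New-Rule $group $grants[$group]))
    }
    Set-Acl -Path $path -AclObject $acl
}

# Share root: only the HR department can read and write.
Set-GroupAcl $root @{
    'CONTOSO\HR-Staff'    = 'Modify'
    'CONTOSO\HR-Managers' = 'Modify'
}

# Subfolder: HR Managers modify, everyone else in HR reads only.
Set-GroupAcl $policies @{
    'CONTOSO\HR-Staff'    = 'ReadAndExecute'
    'CONTOSO\HR-Managers' = 'Modify'
}

# Publish the folder; NTFS permissions above do the fine-grained enforcement.
New-SmbShare -Name 'HR' -Path $root `
    -ChangeAccess 'CONTOSO\HR-Staff', 'CONTOSO\HR-Managers' `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# Central audit: one place shows exactly who can do what.
Get-Acl -Path $policies | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# Revoking a user never touches the folders, only the group, e.g.:
#   Remove-ADGroupMember -Identity 'HR-Managers' -Members 'jdoe'
```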
With OneDrive for Business, an appropriately licensed user is allocated storage by Microsoft. This storage is allocated as part of a SharePoint Online MySite for each user, although a user need not go through SharePoint to access it. The storage is accessible via browser (where each user can sign into their own Office 365 portal), via mapped network drive, or with the OneDrive Sync client, which will sync content from OneDrive to your local workstation. Users can share content with others, but sharing via groups is more difficult. And when the user that is assigning access (or, in OneDrive parlance, “Sharing”) does not control group membership, that user cannot be sure who has access to the data at any given time. In contrast to the network share model described above, OneDrive is made up of distributed storage that is accessed by way of individual accounts and portals, and is managed by those users. While there is some level of control that can be applied through the back-end SharePoint Administration, there is no easy mechanism for information governance without centralized control over data.
Going back to our HR example, in the OneDrive-as-fileshare scenario, who has all of the HR documents? Do you set up a new account for HR and put all the files there? Who has access to that account to manage the access? Even if this were tenable for a single set of shares, as the number of shares (whether they be by department, physical office, client, matter, etc.) increases, management gets considerably more difficult.
Also, consider any applications that may integrate with network file shares. Can these applications properly integrate with OneDrive?
Although, on the surface, the goals and intended usage of these two platforms seem to be aligned, the management and security methodologies are in opposition.
Just because OneDrive does not provide an adequate replacement for classic network file shares doesn’t mean there are no other avenues to replace what you have on-prem. Connecting your on-prem infrastructure to Microsoft Azure gives you the ability to offload any number of on-prem workloads to the cloud, one of the easiest being network shares. Using Azure storage and a couple of virtual machines, you can augment or replace most of your on-prem file shares. Using DFS to unify the namespace may give your on-prem applications the ability to access the shares in the cloud, though application compatibility should be verified and vetted.
If this doesn’t work for your organization, you may want to hold tight for a bit, as there may be a solution on the horizon. In the future, Microsoft Azure Files will likely be able to provide a replacement for on-prem file servers, but, at this time, there is no direct support for NTFS permissions.