Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

2FA Missing on Quarantine Website

We currently use SEA on-premise and restrict the quarantine site to local IPs. I tested the cloud version, but it does not have 2FA on the quarantine site. SSO does not count as 2FA. Both our government regulatory and cyber insurance company have said we cannot use the cloud version since 2FA is not implemented on the quarantine site. Does Sophos plan to put 2FA on the quarantine site? From a security perspective, I am surprised this is not in place. Also restricting login by IP would be great too.

Thank you,

John



This thread was automatically locked due to age.
Parents Reply
  • Tom,

    Thank you for the update. I am thinking about purchasing the advanced email filter for our XG and using it until MFA is ready. Unfortunately, the advanced is still less robust on email than the lower end SG. :/ 

    One more ask of the PM...IP restrict login for the quarantine site. Frankly, if it had that, we wouldn't need all the MFA business.

    John

Children
  • What’s the point of being a cloud system if users can’t access it from the cloud? You want users to have to vpn into a corporate network just to access a quarantine? I’m old school but the cloud is here! ZTNA and other controls protect resources. 

    I don’t control the XG products so not the expert on its capabilities. 

  • I hear ya, but our business model and clientele base require utmost security and privacy. When we go to a board meeting and first question asked if we are in the cloud and we say no...huge plus for us. Except for our backup with is encrypted by SafeGuard, also going away, and another FIPS 140-2 method, everything else is kept on site. The number of times that we hear people and businesses being hacked in the O365 Cloud, no way we could risk that. Plus cyber insurance is going to force everything out of the cloud or make it to painful to work in the cloud. So why go to the cloud. Sure, businesses that don't have a need for information security will be fine in the cloud, but those of us that require that, no way. A quarter of our clients are actively moving their data back to onsite. It 's a trade off of risk. The onsite known vs the cloud unknown. Plus...it many cases it is cheaper once all cost are considered.

  • Sounds like debates I had 7-10+ years ago lol...even the US Govt is moving to the cloud, GovCloud and other FedRAMP services. As for CyberInsurance we work with some Insurance companies. I wouldn't say being on premise prevents the business from being hacked and sure you wouldn't either. Mailbox compromise doesn't care where the server sits, cloud, premise. I've run corporate systems onsite and in the cloud and while companies may bring some services back in house they cannot sustain inhouse for all services, well unless they are not doing payroll, insurance, 401k, travel, salesforce etc.... thanks for the discussion...

  • We know we can be hacked on-site, but it is about a trade off of risk. Ultimately, we do what our clients want and our cyber security insurance policy prices the cloud out.

    Thank you for your comments too.