![]() Every connection requires a strong public/private key combination, and every key itself is further password protected and, each SSH connection ALSO requires a second-factor (2FA) code. We believe ours are configured properly and hardened, not least because NONE of our SSH connections work with a username/password login. If configured correctly, they are very reliable. SSH is an established, reliable secure service used globally to securely connect to servers. 2FA Authentication credential management apps.OpenSSH – for Secure Shell connectivity.It’s not efficient, not pretty, not fast (actually really slow) and sometimes it just doesn’t work.īut thankfully we now have a much faster, reliable, efficient, effective yet totally compliant way of addressing the problem of keeping files end-to-end encrypted yet still be able to work on them ONE AT A TIME even when you are in a location that can otherwise bring data residency issues.įor us, this requires several systems that have to work together, but they are built (mostly) on Open Source software that has, in some cases, been tried and tested for many years so is probably as good as you can get today: We have used webdavs connected to our cloud servers and tried to selectively sync folder(s). Obviously, this “convenience v security” issue is one we have spent a lot of time looking at. This is more secure, as you only have one decrypted file on your device (the one you are working on in your word processor etc), but how can that be done and be done CONVENIENTLY? Believe us, we know, as we have had to do this, but we now have a better way.Ī more secure but LESS CONVENIENT way is to somehow only download the files you need as you need them, and decrypt and work on them etc. Then when you get to a secure location again, you have to repeat this entire process for working on your files again. again to a location where data residency becomes an issue. And worse still, in that situation, even when you are done, you have to delete (or even ERASE) files on your PC if you are going back on travel etc. ![]() Customers don’t really like the delays this can cause them, and we don’t blame them. You have to wait until you can get back to a right location before you can work. This is fine when you are in your office, but what about when you are on the road (as we often are)?ĭata residency and security issues can arise with this method of working when on travel, so you can’t download files en-mass to your device and decrypt them all when you are in the “wrong place”. You have to physically download your encrypted file(s) (say using the webdav sync software platform, like the great one provided by Nextcloud) and store them locally on your device, then decrypt them locally, on your device, so you can work on them. Of course, one of the things that makes this system “inconvenient” is that it’s hard to access end-to-end cloud-encrypted files quickly. So our data are end-to-end encrypted with Cryptomator – an open source, AES encryption software package, with apps for Linux, Windows and Android (we use all three) – and even apps for IOS for those that like their Apples too (we don’t). Server-side encryption does help us with sharing of files to customers, but because the decryption key is stored on the server, we don’t like to rely solely on that for protecting our important data. And we have server-side encryption enabled in Nextcloud, which provides an additional layer of security – not even the SysAdmin can read the client data on the server. So we try to make it secure.įirstly, our cloud server can only be accessed by HTTPS (SSL/TLS). Our cloud server, based at our office HQ in Tennessee, is where we store all of our important data. It’s no secret, we are great fans of Nextcloud – we self-host our cloud server, and because we use that to host our data, we use several different security layers to help thwart accidental and malicious exposure. So, why is PERFORMANCE being addressed under compliance? Well, simply, because if you make a compliant system easier to use, users are more likely to use them, and thus be more compliant. We have had a productive few days improving the PERFORMANCE of our systems by using better-integrated software. For us, data residency (location) and digital “state” (encryption status) is very important. So like all SysAdmins, we have a lot to worry about in order to continually meet the burdens of compliance.
0 Comments
Leave a Reply. |