Tagged with Cloud x

Disc encryption

Encryption is the process of protecting data with a complex cipher, scrambling it so that it can only be accessed (decrypted) with a password or key, sometimes requiring an additional authentication factor, e.g. a digital certificate  . Encrypting hard drives and removable devices, such as USB drives, is especially recommended for people working with confidential information, primarily journalists and human rights activists.

VeraCrypt is a multi-platform (Windows, Linux, MacOS X) free and open source  disk encryption software with advanced capabilities. It can be used to encrypt only specific files, whole hard disk partitions, removable drives, as well as a partition or drive where Windows is installed (pre-boot authentication).

Cryptomator enables you to encrypt your cloud storage files for services such as Dropbox or Google Drive. Files are encrypted within a secure vault which is then stored with cloud service providers, which cannot access the data. Cryptomator is open source and available for Windows, Linux, MacOS X and mobile platforms (iOS, Android).

Digital hygiene Apps Encryption Data leaks Cloud

Data center and cloud

Decentralisation of the system, as a measure of physical protection, is set as a key condition for its security. It is recommended that the data is not stored on the same machine from which it is sent to the network or on which it is processed. There are several ways to store large amounts of data. The simplest way is to store data on an external hard drive. External hard drives with relatively good performance are affordable, but this type of computer hardware does not have a built-in duplication mechanism. This means that in the event of a failure, most of the data on that disk would be lost forever. On the other hand, external drives do not have direct access to the internet and are active only when connected to a computer, so they can be said to be relatively secure. Storing data on an external hard drive means that the data remains in the organisation's physical headquarters.

From a data loss risk perspective, renting storage space on a cloud server is a much better way to store important data. Cloud computing is an internet technology based on the remote use of resources (data flow, storage space, working memory, etc) and their exchange between multiple applications and users. The cloud can be private, public or hybrid. Cloud services use RAID technology (Redundant Array of Independent Disks) based on the model of comparative use of multiple disks for data storage, where each data is located in at least two locations, which significantly reduces the risk in case of failure. Some cloud storage solutions are Google Drive, Dropbox, OneDrive, SpiderOak, Tresorit, etc. However, if it is sensitive data, storage on other people's devices is not recommended, despite the fact that all cloud services include encryption .

The third way of storing data is to form your own mini data center  in which all data of importance to the organisation will be stored. Equipment for this purpose depends on the needs. There are a number of ready-made solutions that are cheaper and can permanently solve this issue. Thus, the data will remain within the physical space of the organisation, and the application of RAID technology will reduce the risk of data loss and theft. One of the ready-made data center solutions is Drobo.

Server Apps Cloud

Mail server

Emails are considered sensitive data in any organisation. For security reasons, each organisation should have a dedicated email server . In this way, it protects itself from attacks and other malicious activities. 

In addition to the content of email, the importance of data from everyday communication is the so-called metadata - information that is generated and exchanged by software and devices used for sending and receiving emails. For attackers, metadata is often more important than the content of the letter itself, because it carries accurate information about the digital context of communication. Metadata is stored on the mail server, so its protection is specific. The basic step in this direction is to block all protocols (for example, FTP or HTTP) that the server does not need to perform its primary function, i.e. receiving and sending emails. A dedicated server can be rented as part of a hosting  package or other services, or an organisation can purchase a server with special software. An example of such software is iRedMail.

Alternatively, non-profit organisations can opt to use G Suite, i.e. Google’s productivity package which includes several popular tools and products (Gmail, Google Drive, Google Calendar, etc.). However, it should be noted that Google’s business model is based on user profiling and analysis of personal data collected from its users.  

Server Data leaks Cloud

General infrastructure protection

Here are some general recommendations on infrastructure protection:

  • Routers  can be configured to refuse automated collection of information about the system via the so-called footprinting method. This method involves creating a sketch of the network based on the fingerprints generated by sending digital signals. It should also be noted that the routing of data takes place according to different protocols, because they can be the main source of information for attackers. Mapping of routes through which data is transmitted (tracerouting), detection of active devices on the network  (ping) and similar methods can reveal to the attacker the entire infrastructure, i.e. the number and type of routers, computers and the way they are connected. Good practice dictates that ICMP requests be enabled for the web server, while the configuration for other servers and the internal network is set so that these requests are rejected;
  • Unnecessary server protocols should also be disabled. For example, everything can be blocked on the mail server except the protocols used for email (IMAP, POP, etc.) while web servers can be structurally configured so that access is provided only to public resources. Access to other folders and files, as well as the administrator part of the portal, should be disabled to avoid unauthorized access and data leakage;
  • Close unnecessary ports that no application on the server uses, with the appropriate configuration of network barriers (firewall).
  • By using intrusion detection systems, suspicious traffic is identified and rejected and footprinting attempts are registered;
  • Using anonymous registration services, information about the domain registrant can be hidden. However, it should be borne in mind that the reputation of a credible organisation is built through transparency, and this technique is not recommended in every situation.
Server Data leaks Hosting Cloud

Domain and hosting

Very important aspects of organisational infrastructure management are domain name and hosting , i.e. on which server are the organisational websites hosted and which registrar they registered the domain name with.

There are numerous choices when registering a domain name (e.g. and it can be done relatively cheaply and easily online, depending on the needs of the organisation. Domain names are usually registered on a yearly basis and registration must be regularly renewed. 

Organisations can opt for different types of top level domains, i.e. the ending part of the URL, and most common are: 

  • Country code (ccTLD), which are associated with a specific country, region or territory: .de, .br, .ca;
  • Generic (gTLD), related to general notions: .com, .net, .org;
  • Sponsored (sTLD), reserved for specific types of registrants, such as government bodies or international organisations: .gov, .int, .aero.

When registering a domain, there is also the option of Whois domain protection, so that the registrant’s information (name, address, contacts...) wouldn’t be visible in Whois lookup searches. However, for organisations such as media, domain transparency is recommended.  

Websites can be hosted domestically, i.e. in the country where the organisation operates, or internationally. Both options are equally viable, but have some specifics to them:

  • Domestic hosting
    • You can directly inspect the quality and security of the providers’ server halls;
    • Better availability of technical support that does not depend only on reporting and online communication;
    • Liquidity and reputation of hosting providers can be checked in the local community;
    • There is no application of legal provisions pertaining to international personal data transfers;
    • If a site targeting domestic audiences is under DDoS [DDoS] attack from abroad (which is usually the case) it can remain stable and accessible to domestic users by temporarily blocking foreign IP addresses  .
  • Foreign hosting
    • The server where the site is hosted is outside the jurisdiction of state authorities in the organisation’s country;
    • Domestic legislation does not apply to hosting, so legal and administrative procedures related to the hosted content can be complicated and uncertain.

In terms of technical aspects of hosting, there are four types:

  • Shared hosting is hosting based on the principle of sharing resources. Different sites on a shared server share the processor, bandwidth, disk space, and so on. This means that if one of the sites on shared hosting has an increased number of access requests, the performance of other sites on the same server will be affected;
  • Virtual Private Server (VPS) is hosting where everyone has their own resources. Technically, multiple virtual servers are set up on one physical server and each of them has certain resources that it does not share with others. Also, if one of the virtual servers is attacked, the integrity of others is not compromised;
  • Dedicated server is a type of hosting where the user is assigned the exclusive right to access the machine and use it for any purpose. On the dedicated server, virtual machines can be set up and used for different purposes, such as web hosting, email, data storage;
  • Cloud hosting is hosting on multiple servers connected to function as one, which contributes to the decentralisation of the system, and thus has better integrity. In case of a failure on one of the servers, the others take over its role, so the problem will not affect the operation of the site.

Shared hosting is not recommended in cases when the site consists of active content that changes relatively often and when the number of visitors varies. Dedicated hosting and cloud hosting are better solutions, but their price is a bit higher. Finally, the choice of option depends on the needs of the organisation. 

Technical support is one of the most important segments of the hosting service, because in case something goes wrong, this service is a contact point that must be fully cooperative to solve the problem as soon as possible. It is advisable to choose a company whose technical support service is operational 24/7. 

Although all the content and traffic on the internet is practically virtual, good old machines are still the basis of it all. That is why it is important to check what kind of hardware the hosting company is using. 

Finally, the technical specifications of the hosting package are the most important feature and it is desirable that they are scalable, i.e. that they can be adapted and upgraded in accordance with the changing needs of the organisation. 

Good hosting also implies decentralisation. It is not recommended that the same server is used to host the site and as a mail server or data center. The web server must be accessible from the public internet, while access to the data center from the public internet would be a serious security issue. If there is a need to access the data stored in the data center  remotely, it is best to use VPN  services.

Server Site Hosting Cloud

Restore backup

Depending on which data you cannot access, you should try to restore your files from a backup . Make sure your files are backed up regularly and that you can access the backups in case they are kept on some cloud-based service (e.g. Google Drive, Dropbox, OneDrive).

In case the operating system  of your device suffered serious damage affecting its performance, it is advisable to restore it to the last configuration when it was fully functional. Windows has the System Restore option, MacOS can use the Time Machine, while for Linux systems there are many available restore backup tools

Data backup Access recovery Cloud System restore