So we have been asked for more information about our Information System by small-business owners who are also coming to grips with ITAR, NIST-800-171 etc., and the need for a USABLE AND USEFUL ‘IT’ infrastructure.
Our methods might not suit all: our system is especially developed to suit a remote-access and remote-maintenance capability, as we are spending a LOT of time way from the corporate office (where we locate our servers), but in case it helps, here’s a snapshot of what we do, in a rather summary form (with hyperkinks added to most of the referenced software, so you can drill down in any item of interest):
Hardware: we use LAPTOPS to host our primary Linux servers. They are extremely capable for our small business needs AND they come with built-in battery back-up for the odd power-cut or so.
Software: we run ALL of our services in LXD containers, hosted on a single hardware server that runs Linux Ubuntu 16.04 as the host service. We make minimal changes to the real server; we deploy as much as we can via LXD (since it’s containers are, in our case, unprivileged and thus safe and secure de-facto).
We secure all of our hardware with Linux LUKS full disk encryption, which we can remotely reboot AND unlock via Dropbear SSH. #PrettyCool
ALL of our SSH (most of which are via OpenSSH, except for the DropBear disk decryption process after reboot) connections require public/private keys. Our port numbers are…unusual (we don’t exist at port 22, and we don’t make that search easy, but feel free to verify that). #SSH-somewhat-Hardened
We employ 2FA for all of our server SSH logins. That actually means we have TRIPLE factor authentication since our private SSH key needs a password too. #WayBetterThan-US-State-Department
We have THREE servers that mirror capabilities (so that as and when one dies, we can still be online. It works too, having tried it once already for real – yikes). It’s not as good as what a large corporation will do, but it’s better than nothing. #LiveBackupsAreEssential
Our LXD containers are all running on LUKS encrypted zfs drives. #VeryCool
We have already mentioned Ubuntu 16.04 server and LXD, but it’s so good it’s worth a re-mention. 🙂
We run Nextcloud server (latest version, or maybe latest-1 -we don’t enjoy being the first to field the latest version of this mission-critical software). This is the HEART of our Operations, as ALL of our CUI/ITAR documents are managed via the totally brilliant Nextcloud. All logins are via 2FA second-factor credentials. We also employ server-side encryption of Nextcloud; and…
We extensively use Cryptomator to provide END TO END encryption of ALL CUI/ITAR and other mission-critical data.
We use sftp via our strong SSH to access server files. This is via a Nautilus/Cryptomator (Linux) or Mountain Duck (Windows) interface.
We run an OnlyOffice server so we can remotely create/edit CUI (Word, Excel and PowerPoint formats) even when overseas. The free Desktop Apps are also used by us as part of our journey to move away from the expensive and metadata-mining Microsoft Office365 products (the only software subscription we have). Regrettably, DoD uses Microsoft so it’s hard to completely eliminate the Office365 products from our toolbox. One day, maybe…
We use WordPress for our web-site services (including for THIS POST).
We use haproxy as our front-end server just behind the router. Fast, reliable.
We run our own OpenVPN server and use it whenever we are in an un-trusted location. We don’t use this to hide our identity/location (like many privacy-minded people, and even some bad-guys do). Rather, we use it to prevent man-in-the-middle threats to our online data when at hotels etc. that meet our high-risk profile. It’s unwise to trust a free wifi hotspot. And even many paid-for services should be viewed with suspicion. That said, our connectivity to our servers is always via HTTPS via LetsEncrypt certificates, so the VPN server is arguably an overkill at times.
We use ‘andOTP‘ to manage our multiple 2FA credentials. This is better than the standard Google Authentication app.
We use android devices. We employ full disk encryption on our android devices.
We still use Microsoft Office 365 for our email. We constantly agonise over that, and maybe one day we will run our own mail server. But not today. We don’t use the Outlook app – we only access email via the web portal. We think it sucks, but email is so hard for small businesses: customers servers will likely reject self-hosted server emails as an anti-spam measure, so you may never know if some emails make it or not. We can’t operate with that risk. We think it’s important to have a reliable email service. Office 365 does that job nicely, as much as we hate to admit it… 🙂
We believe we are COMPLIANT with all the regulations that impact our primary business.
Overall, we are quite pleased at how well our integrated systems WORK TOGETHER. It’s proven to be reliable, usable and satisfactory for our business needs. How do you run YOUR small business IT?
Questions or comments as usual via email to: email@example.com
Or you can message us on LinkedIn or Twitter, which is probably faster (but not private).