So this blog site is part of EXPLOINSIGHTS (EI) journey into a self-hosted IT infrastructure, caused by trying to navigate the seemingly conflicting information system requirements for complying with NIST-800-171 and ITAR. Maintaining an effective office document information system that works with your business model is not as easy as a small business would like. EI quickly concluded that achieving compliance is easier if you DON’T use the convenient services that we have all taken for granted. For EI’s journey, this meant moving away from the admittedly excellent Microsoft Office 365 product. But baby steps are needed, as Office 365 (and the Google Apps equivalent) is robust and capable. It’s not easy trying to match that. However, as of the date of this article, EI is now the owner-operator of a server that hosts:-
- A cloud file system using Nextcloud;
- Files shared with Customers are via a link to this secure site. Two factor authentication is enabled for all users and file shares. That’s already at least as good as Microsoft’s OneDrive service, but it’s self-hosted so data residency compliance at least is a non-issue.
- A WordPress blog site;
- If you’re reading this article, then the site works! Let me know how your experience is please. EI’s blog site is also self-hosted.
- A web site.
The web site was in fact established first (Exploinsights.com), but there’s actually nothing but a placeholder on it today, as it’s really just being used as a portal to the other two self-hosted services. That’s a work-in-progress.
The journey to get here started a long time ago, and it’s not been easy even though I used to consider myself to be reasonably tech-savvy (not anymore – Linux OS and command-line driven programs like Apache web-server have made me rethink how good my IT skills are).
This is still a beginning for EI. This self-hosting journey has more to go. Microsoft Office 365 is a low-cost small-office service that EI once used with confidence, but their privacy-mining practices are discomforting at best and more importantly, their data servers and thus your company and customer information are located in places we don’t really know or manage as well as we need to for maximum compliance . The solutions to these privacy and data-residency etc. problems using proprietary software from cloud-based organizations like Microsoft and Google are difficult on the best of days. So EI believes it has more to do in terms of self-hosting on company owned hardware. On the list of potential projects includes:
- Self-hosted email;
- Several options exist. “Open Source” is the only decision made so far. Watch this space!
- Self-hosted OnlyOffice file server –
- An Open Source but otherwise very Microsoft-format-compatible office suite (spreadsheets, documents and presentations);
- Desktop versions exist BUT sometimes you need to work on a secure web portal. A self-hosted option exists!
- Self-hosted Virtual Private Network (VPN).
- Open Source of course – do you see the trend?
And this has to be done all the while trying to keep up with the latest bad-guy malware and security threats; and keeping effective backups that can mitigate anything the bad guys can throw at us.
A few tips from EI for anyone who ventures down the self-hosting path:
1. Reconsider your Operating System
- Microsoft Windows is part of the problem for small businesses, not the solution. Proprietary software makes things worse from a compliance perspective.
- EI runs on Ubuntu 16.04. Linux rules when it comes to self-hosting options. Ubuntu does use some proprietary code, but most of it is based on Debian, which is…Open Source.
2. Use (Linux) Containers
- Using non-privileged containers is the way to go with Linux. Virtual Machine snapshots make backups a breeze AND they are so forgiving when you screw things up (just restore your prior snapshot). More importantly, they add an enterprise-level of defense against hackers. If one web-service is compromised, containers make it harder for them to spread, so damage can be minimized. Oh, and take snapshots often! EI runs on LXD containers, but you have other Virtual Machine options if you prefer something different.
3. End to end file-encryption is your inconvenient friend
- Cloud file servers are so useful, but if you use one, use client-side encryption. “Security is not convenient” (that phrase brazenly plagiarized from an EI customer) – but it is essential. Client-side encryption with strong keys and passwords WILL save your data from being exposed. It won’t stop you losing it, but it WILL stop it being used by someone else.
- EI employs Linux Encfs (Open Source) and Boxcryptor (Proprietary) for client-side file encryption. The next official release of Nextcloud has end-to-end encryption built in, so it might provide an even better option.
4. Check things THOROUGHLY before you go live
- Use online services to check and validate your security before
- you go live. These two helped me a lot, and there are multiple free web-server security checking sites:
- https://scan.nextcloud.com: