Security: How secure is your own Cloud?
Steffi - March 1, 2017 at 8:07 PM - 5,054 Views - 0 Comments - 12 Minutes
I hope your planning is coming along and that you know what your own cloud should look like.
I do not know if you are aware, but yesterday Amazon's cloud was down and lots of companies and private persons were cut off from their own data. Such a scenario can occur with any cloud, but with your own cloud, located in your living room at home, you know where your data is! In case your Internet broadband does not work, you do not have to worry, as you know that once you are back home all your data is there and you can access it over your local network.
One more reason to think about your own cloud and to realise it:
Own Your Own Cloud - Bring Your Data Home!
Security is the biggest aspect of all when running your own cloud
How secure your own cloud should be depends only on you and what you want! I will just give some suggestions.
How do you get authorised on your own cloud?
Simple method:
The simplest is just to have a user name and a password.
The username should differ from standard names such as Admin or Administrator. I use a username which I can remember, but with a tweak: I use some symbols as well, e.g.
aDm1n!
Passwords should be very complex and unique. They should contain lots of symbols, numbers etc. Sure, you will not remember them at all (nobody can), but I recommend using the password manager Enpass, which is free for the desktop version and costs EUR 10 for the iOS version.
Enpass can sync with your own cloud via WebDAV and is therefore an essential tool in your own cloud. You can get Enpass for almost any operating system, such as Windows, Mac, Android or Linux.
The free desktop version you can find here.
As an Apple partner, you can purchase Enpass for iOS here.
This link will lead you to the App Store for iOS. As mentioned before, if you would like to buy, use the link provided; all commission earned will be used for raffles and my Specials, hence it will come back to you.
Double security with OTP Auth
If you would like to use the double security feature, you need a code which is derived from user data, a secret, time stamps and other things and is six digits long.
You can easily scan this code as a barcode with your mobile. Every minute or so the code will change and a brand new key will be generated.
A nice app for iOS is OTP Auth, and for Windows, Duo Mobile or Token2 Mobile OTP.
These apps are free and do not need any cloud connection. Hence all data is stored locally on your mobile, and you can protect the app itself with either a password or your fingerprint.
If somebody would like to access your own cloud, they would need a) username and password and b) this code generated by your mobile device.
In case you are worried about leaving your mobile somewhere or that it gets stolen:
Here is my tip:
There are also one-off tokens which are generated by your NAS. You can print them or store them in a secure location. With such a one-off token you can gain access to your own cloud in case you do not have your mobile with you.
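To show what the six-digit code is actually made of, here is an added example (not code from the post, nor from OTP Auth, Synology or QNAP): a time-based one-time password per RFC 6238 (HMAC-SHA1 over the secret and a 30-second time counter), a verifier that tolerates a little clock drift, and the printed one-off tokens which are each accepted exactly once. The secret is the published RFC test-vector seed; the token strings are constructed.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector seed (ASCII "12345678901234567890"), base32-encoded
# the way an enrolment QR code would carry it. A real NAS seed is random.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30       # seconds per code; the post's "every minute or so"
DIGITS = 6      # the six-digit code the post describes

def totp(secret_b32: str, unix_time: int) -> str:
    """Six-digit TOTP for the given time: HMAC-SHA1 over the time counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)          # 8-byte big-endian
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, max(0, unix_time + drift * STEP))
        if hmac.compare_digest(expected, submitted):        # constant-time compare
            return True
    return False

class BackupTokens:
    """Printed one-off tokens: each is accepted exactly once, then burned."""
    def __init__(self, tokens):
        self._unused = set(tokens)          # constructed sample tokens go here
    def redeem(self, token: str) -> bool:
        if token in self._unused:
            self._unused.remove(token)
            return True
        return False

if __name__ == "__main__":
    import time
    print("current code:", totp(SAMPLE_SECRET, int(time.time())))
```
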
Three-times authentication
If you would like to be even more secure, there is the possibility that your own cloud sends you an email once you try to log in. You then have to confirm the link in the email to get access to your NAS.
All of these methods of accessing your own cloud can be realised with Synology and QNAP.
Personally, I use the double method with really strange passwords and usernames.
A word on SSL
Well, I use HTTPS, but for this a self-signed certificate is good enough.
Having said that, if you access your own cloud with HTTPS and a self-signed certificate, you will get a browser warning asking whether you really want to continue, as it could be dangerous.
This is not an option if you have customers, but for private usage, why not?
It can improve your security slightly, as some people would not proceed past a browser message like that. It functions as a mini security measure.
For business, of course, you need a proper SSL certificate from a certified supplier.
Firewall
Your own cloud has a firewall built in to make it much harder for any villain snooping around and to secure your data. I would recommend antivirus and anti-spam protection too.
All three are essential and that important.
The best thing to do: just check that your firewall is active and up to date!
Connect your own cloud to the Internet
Well, that is a topic where different people have different opinions.
My slogan is "to have as few security holes or potential backdoors as possible".
I think that will be the biggest challenge for a new cloud owner, because the Internet offers not only nice and good things...
Lots of "bad guys" are out there, just waiting for a hole or two in your setup.
Use your NAS manufacturer to get onto the Internet
All the biggest NAS suppliers, like Synology or QNAP, offer their customers a "quick" connection to their own cloud using an account to get dynamic DNS services.
The setup is easy: just choose a name, log in with your credentials, and that's it.
You cannot get your own cloud connected to the Internet more easily or quickly.
If your IP changes, the provider will be notified and your link will be updated, so you can find your own cloud on the Internet from anywhere.
Use a DNS provider
The setup is similarly easy, but there are free services and some prepaid or postpaid services.
Some DNS providers are:
- DynDns.org
- Strato
- No-IP.com
- British Telekom
3 disadvantages I see:
- Ports! Ports are the access gateway to the services provided by your own cloud: for HTTP there are ports 80 and 8080, for HTTPS it is 443, SSH and Telnet use port 21 or 22. These ports do not change if you use services like that. If somebody has your IP, just a thought, they can easily try all the standard ports! Please do not use Telnet or SSH, or leave them open on your own cloud! There are only a few cases where you would need to access your cloud by SSH or Telnet.
- Services can get expensive: there are also subscriptions to DNS services, and I think you could spend the money elsewhere.
- Internet: your own cloud is directly connected to the Internet. Even if you use a firewall, antivirus and anti-spam, your own cloud could be exposed to people who do not mean well.
Get your IP by email and use VPN
Many routers can send you an email with your current IP, and you can copy it into your apps or use a Virtual Private Network (VPN).
A VPN will create a tunnel between your mobile and your own cloud.
All the data needed, such as username, password, secret etc., can be provided by your router. You should make sure that username and password are really long.
Once connected, it is like being at home in your local network, and all your apps and software will work perfectly.
Lots of smartphones are able to use VPN, or it is already included.
5 disadvantages I see:
- "German" efficiency: really, it is not efficient to copy and paste your new IP into your apps every day
- There are still the questions about the ports
- VPN can cost you data volume if you use your mobile
- Forgetting to turn VPN off, or to turn it on at all, can result in data loss or reduce your data volume on your mobile
- Your own cloud is still able to connect automatically to the Internet
How do I do all of that?
- it is permitted that my NAS goes onto the Internet - that's final
- Firewall, antivirus, anti-spam etc. are turned on and allow only the local network
- all ports on my own cloud are changed, hence HTTP will not be at 80 or 8080 but at something else
- my router will be the "boss" that allows or disallows my NAS onto the Internet
- my router will just listen on special ports which are different from the NAS ports. Routing to my own cloud will be done once the router gets the correct ports and connection syntax
- There are only two port redirections on my router, and ports can be numbered from 0 to 9999
- Firewall etc. are active on my router
- to err is human... but my router allows only **two** and my NAS only **three** login attempts
- any "bad guy" trying to log in with "Admin" or "Administrator" will be locked out and their IP will be blocked; I will get an email about this event
- once blocked, I can only unblock them manually
- DNS to my current IP: my router and its manufacturer will do this. I have got a key string of 32 digits plus four for the ports, and all connections are HTTPS only. I can change the string at any time in case the provider gets attacked
- All my apps on tablet, phone etc. use this string with a username and password
- I have got several user accounts with different email addresses for different tasks, i.e. a WebDAV user etc.
- Email addresses are easy to generate if your provider allows the alias function, meaning all alias email addresses get routed to your main email.
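As an added example (not code from the post, nor from Synology or QNAP), here is the lockout rule from the list above written out: three failed logins from one IP lock it out, any attempt with "Admin" or "Administrator" locks it out immediately, a lock is only cleared by hand, and every block produces the notification that would be emailed. The log lines are constructed sample data in an assumed "login RESULT user=... ip=..." format.

```python
import re
from collections import defaultdict

MAX_ATTEMPTS = 3                                    # the post's NAS limit
TRAP_USERS = {"admin", "administrator"}             # nobody legitimate uses these here

# Constructed sample log; a real NAS writes its own format, so adjust LINE_RE.
SAMPLE_LOG = """\
2017-03-01 20:01:11 login FAIL user=steffi ip=203.0.113.7
2017-03-01 20:01:19 login FAIL user=steffi ip=203.0.113.7
2017-03-01 20:01:27 login OK user=steffi ip=203.0.113.7
2017-03-01 20:03:02 login FAIL user=Administrator ip=198.51.100.9
2017-03-01 20:04:40 login FAIL user=backup ip=192.0.2.55
2017-03-01 20:04:41 login FAIL user=backup ip=192.0.2.55
2017-03-01 20:04:42 login FAIL user=backup ip=192.0.2.55
2017-03-01 20:04:43 login OK user=backup ip=192.0.2.55
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def process_log(text: str):
    """Return (blocked ip -> reason, notification messages) for the given log."""
    failures = defaultdict(int)         # consecutive failures per IP
    blocked = {}                        # stays until unblocked manually
    notices = []                        # what would go out by email
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, ip = m["ts"], m["result"], m["user"], m["ip"]
        if ip in blocked:
            notices.append(f"{ts}: denied {ip}, already blocked")
            continue
        if user.lower() in TRAP_USERS:
            blocked[ip] = f"tried to log in as '{user}'"
        elif result == "FAIL":
            failures[ip] += 1
            if failures[ip] >= MAX_ATTEMPTS:
                blocked[ip] = f"{MAX_ATTEMPTS} failed logins"
        else:
            failures[ip] = 0            # a good login clears the counter
        if ip in blocked:
            notices.append(f"{ts}: blocked {ip}, {blocked[ip]}")
    return blocked, notices

if __name__ == "__main__":
    for notice in process_log(SAMPLE_LOG)[1]:
        print(notice)
```
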
The latter point came from experience with eBay! One of my articles got bought and I got an email asking some questions. I do not know how, but they got my eBay email address. At that time I just used one email address for everything. Once the bad ones got my address, it was like a race with the villains who tried to hack all sorts of my accounts.
I tried to change the email address on all of my accounts, and for some I got a message: "somebody tried to login..."
Well, that changed my mind about email security altogether, and therefore I now have several email accounts for different tasks, i.e. shopping at Amazon, shopping at eBay etc.
My security plan and setting everything up took a while; you will not do that within minutes or a day, and it needs planning.
Having said that, even if it takes longer than just connecting somewhere, you will soon have the benefit...
On my whole network there is only one weak point, and that is my router / the key string from its manufacturer.
In case I hear of attacks on this provider, I can react very swiftly.
Everybody knows there will never be 100% security, but why not make it really hard for the "bad guys"?
Backup and Recovery
This is important too, in order to get lost data recovered.
Backup is not just backup... I will just show a few.
Types of backups
- differential: All new or changed data since the full backup will be included.
- incremental: Only data which has changed or is new since the last backup will be included. The disadvantage is that a backup consists of several backups.
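An added worked example (not from the post): the same three days of changes backed up differentially versus incrementally, and what a restore on day 3 then has to chain together. The file history is constructed sample data; version numbers just count edits.

```python
# Files and their version after the full backup (day 0).
FULL = {"a.txt": 1, "b.txt": 1, "c.txt": 1}

# Constructed changes after the full backup, day by day.
CHANGES = {
    1: {"a.txt": 2},
    2: {"b.txt": 2, "d.txt": 1},        # d.txt is new
    3: {"a.txt": 3},
}

def changed_since(from_day: int, to_day: int) -> dict:
    """Latest version of every file that changed in (from_day, to_day]."""
    result = {}
    for day in range(from_day + 1, to_day + 1):
        result.update(CHANGES.get(day, {}))
    return result

def differential(day: int) -> dict:
    """Everything changed since the full backup; grows every day."""
    return changed_since(0, day)

def incremental(day: int) -> dict:
    """Only what changed since the previous day's backup; stays small."""
    return changed_since(day - 1, day)

def restore(day: int, scheme: str):
    """Rebuild the file set of `day` and count how many backups were needed."""
    state = dict(FULL)
    if scheme == "differential":
        chain = [differential(day)]                       # full + one differential
    else:
        chain = [incremental(d) for d in range(1, day + 1)]  # full + every increment
    for backup in chain:
        state.update(backup)
    return state, len(chain) + 1                          # +1 for the full backup
```
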
Principles
- Grandfather-father-son principle: There are three generations of a backup before a backup will be overwritten.
- Mirroring: This is a kind of copy of the original data system. One of my family members has my backup NAS, and mirroring is done every now and then to this location. In case my local NAS does not work or something like that, I can easily switch to the other.
How often should I do a backup?
Well, that depends on your data volume and usage, but I think a full backup should be done every two to three days.
Which location should I choose?
I mean, the question is "what is secure today"?
Sure, there is a possibility that fire, floods etc. could reach your home, but how likely is that?
I do not know the answer, to be honest. That is also the reason I have got a mirroring at the other NAS just in case something like that would happen.
All backups can be done automatically using the functions of Synology and QNAP. After a successful backup, you will get an email.
Here is a very practical tip for you:
If you have done your first backup, please try it the other way around and do a recovery of this backup; it will ensure that everything works well in case of an emergency.
Sharing your data
Sharing photos and documents is just an everyday task today, and it is important for many people.
It is so easy to share your folders, or one document, with your loved ones using Synology or QNAP.
Just go to the file or folder, click the share menu, enter all credentials and send the link to the people who should get your data.
There are lots of possibilities for setting up links to your own cloud which you can share by email or using your social media.
My personal strategy on this is:
- share something really quickly: I will set up the date and time when the link should expire and whether the person should only receive or also provide information (download and upload features can be chosen separately).
- share permanently with customers or family and friends: It depends on the content. Photos from the last holiday I will share with friends and family using a password for the link. In case there are customer requests or friends/family who would like to have permanent access, I will add a proper user account with password and OTP access, and they can then use all the apps available on their tablets or mobiles too. Hence I have my data under my control and do not need to create links over and over.
How do you protect your own cloud?
I am looking forward to your comments, suggestions, and tips and tricks.
If you have any questions - just use my contact form.
Regards,
Steffi