Most "secure" setup?
Some clients of mine just landed a contract with a high-profile company that's very secretive with their data. They need to make sure the data pertaining to this company is handled with maximum security. Currently they do everything in Dropbox, but are concerned if someone's computer gets stolen or whatever that the data could be accessed and they would be at risk for litigation from the company.
My thoughts were the following:
- set them up with a NAS so the data lives physically in their possession on a server, and not on the public cloud or in folders on people's machines
- following that, suggestions for the right NAS? They have a very small amount of data that's sensitive, but since I'm familiar with Synology I'd tend to go that direction. Is the encryption engine on the 218+ in line with our needs here? It's marketed as being the best thing to protect your data.
- They want to be able to access their network from the outside so they can work on this remotely, so I'll need to set them up with a reliable way to VPN in to their network. I've seen talk of LogMeIn Hamachi being good for this.
- should I also set them up with more advanced networking equipment? Right now they are just using WiFi off an AT&T modem, so maybe going Unifi with a Unifi Security Gateway would also protect them from attacks from the outside world better? Or following the VPN question above, perhaps a Synology Router would offer this more easily?
Your thoughts are appreciated as always!
Just a little reminder that whatever solution you pick, if the person has access physically to the machine (the laptop) and can log in, you're pretty much screwed with anything that syncs like Dropbox, Synology Drive, Microsoft Drive, etc. Unless you put the data on an encrypted sparse image. But you know, if the laptop is encrypted with FileVault, a password is set on the laptop and activated as soon as the owner is not working on it, then the thief would have 3 layers of protection to get to the data.
Like Dave always says, you have to choose where you want to be on the line between convenience vs protection.
Your argument for a NAS is not valid since if their computer is stolen, it would mean the same thing as if they were using Dropbox. They could use an encrypted disk image on Dropbox, provided that only one person works on it; if not, there is a serious danger of overwriting data accidentally.
If they were using a VPN to connect to a NAS, and work directly on the NAS with a high speed internet connection, then it would be secure. But working on anything other than small files is not advisable. I work in InDesign and big image files and I sync with Synology Drive to work "locally" for that reason. You have to ask anyone in the company if you can work on the file before though, same as with a Dropbox shared folder since it makes a copy of the document locally and resends it to the server every time you save it.
As for accessing the network, using a VPN would be as if they were physically there so no need for any other software like Hamachi, just a VPN client (I use Viscosity for this). If you need to administer Macs remotely, check out Apple Remote Desktop. Coupled with the VPN, it's the most robust if you need to copy files and take control of their screens.
If you use a Synology NAS, you don't need a special modem to handle a VPN server since there is one in DSM included already.
Private cloud on a NAS should reduce the number of attack vectors. As Jeff has mentioned using off-site, via VPN, file servers is likely to have performance issues.
All devices that have access to the data must have full disk/storage encryption ("at rest" encryption). Note that this needs to include ALL backups.
All devices with access to the data, or holding the data, must have strong password policies.
All access should also be encrypted ("in transit" encryption), e.g. with SSL or TLS.
All PEOPLE with access must be made aware of strict security protocols, e.g. no copying documents to USB, no emailing documents, no sharing via other services.
If you are concerned about wifi penetration then possibly running RADIUS (user account) authentication will mitigate concerns. (But attacks via wifi, where physical proximity is required, would seem less likely than network penetration attempts.)