Difference between revisions of "Document Storage/Meeting Notes 2017-11-13"

From SOBAC Wiki
Edit summary: (Format headers)

Changed region around line 85 of the page source (unmarked lines are context present in both revisions; the line marked "-" was replaced by the line marked "+"):

** eg. [[Wikipedia:LUKS|LUKS]]
*** See [http://bob.jonkman.ca/blogs/2017/10/09/how-to-create-an-encrypted-drive-in-a-file-container/ How To Create an Encrypted Drive in a File Container] by Bob Jonkman
- ** eg. [https://github.com/t-d-k/LibreCrypt LibreCrypt] provides OTFE (On-The-Fly-Encryption) for Windows that's LUKS compatible
+ ** eg. FreeOTFE (obsolete) or [https://github.com/t-d-k/LibreCrypt LibreCrypt] provides OTFE (On-The-Fly-Encryption) for Windows that's LUKS compatible
* For any corporate encryption, Additional Decryption Keys are needed
** Any user-encrypted files or containers can be decrypted by the organization's ADK; ensures data is not lost when user forgets password or leaves the organization

Changed region around line 96 (context only, no wording change):

** Encrypted backups can become un-restorable with minor errors
*** Bob recommends making unencrypted backups, then saving them in an encrypted container; even better to keep unencrypted backups physically secure

===== Sharing Files =====

Revision as of 03:56, 14 November 2017

Document Storage

Date
Monday, 13 November 2017 from 7:00pm to 9:00pm
Meetup Event
https://www.meetup.com/NetSquared-Kitchener-Waterloo/events/243067519/
Location
Queen Street Commons Cafe, 43 Queen Street South, Kitchener, Ontario
Event Announcement
Document Storage/Announcement 2017-11-13

How do you store your documents? Where do you store them? What software creates your documents? What software stores it? What software retrieves it? What about document indexing and searching? How do you deal with non-textual documents? What document file format do you use? Is parchment and goose-quill still best?

This month there'll be a shooting match between the Well-Known Format SysAdmins and the OpenStandards SysAdmins. But it'll be a polite shooting match at our round table discussion, with SysAdmins relating their own practices, learning new ones, and telling tall tales.

--Bob Jonkman & Marc Paré

Resources

File Storage | TechSoup Canada

Nextcloud or ownCloud


Future Venues

  • Communitech has indicated we can no longer use the Jellybean Room on Mondays
    • but the room is available on Wednesdays
      • but it's only available until 8:00pm
      • do we want to switch meeting days?
    • Marc will check if there's any availability on Mondays
      • but the cost will probably be higher ($15/hr now)


  • We were contacted by Reg from One King North, a coworking space
    • Reg indicated that "Also it's complimentary, so you don't have to pay for using our space to hold meetups"
    • Marc followed up, was quoted £150 for using the space
      • Apparently, Reg was unclear in his communication


  • Other possible venues:
    • Old school board building (Marc has contacts, will investigate)
    • Downtown Community Centre
      • but they require all KWNPSA attendees to purchase memberships at $15/year
      • Paul Nijjar investigated for KWLUG; it was deemed unsuitable for a non-profit group
      • Bob's notes indicate there are also meeting room fees, insurance costs, and participants under 18 years old are not allowed.
    • Descendants Beer & Beverage Co. apparently has meeting facilities. Kirk will investigate.


Meeting Notes

Cloud Storage
  • Microsoft Office 365
    • Lots of KWNPSA members use Office 365
    • Default installation moves documents to US servers
    • Microsoft will move documents to Canadian servers on request
      • but this may take up to seven years
    • Microsoft OneDrive was automatically installed at one organization
    • Business version of Skype can't be turned off, once it's installed!
      • It is difficult to use Business Skype with non-business instances of Skype
      • But there is finally a good GNU/Linux client for Skype, works with multiple video streams


  • Google G Suite (Google Docs)
    • Used by political organizations
      • This seems like a bad idea; want to keep political affiliations and activity away from prying eyes
    • Google Drive storage
      • Some SysAdmins have seen identical filenames in folders
        • Perhaps the User Interface hides extensions or filename suffixes
      • Maybe Google Drive uses links or pointers?
        • People move files, but they still exist in original locations
        • Google Mail uses flat storage of all messages, tags on each message are displayed in UI as though it is a folder structure


  • Cloud horror stories:
    • Company advertising genetic testing services stored data in the cloud
      • then sold people's personal genetic data to a pharmaceutical or insurance company
    • Genealogy company acquired data stored "freely available" from individuals' web sites
      • Now sells this data, and it is not available to the original authors
      • Suggestion: "Poison the well" by creating a "Fake Uncle Ralph" to prove authorship (see Wikipedia:Trap street)


  • Security risks
    • Commercial cloud providers will hand over customer data to authorities
      • National Security Letters -- cloud providers may be compelled to conceal such data access from their customers
    • Ensure you have a contract with a Service Level Agreement (SLA) that specifies where servers are stored (Canada? US?), how data is routed
      • Even if source and destination are both in Canada, traffic may still be routed through US and subject to snooping; Canadian data has no protection when routed through US
    • Technical means: Source Routing can specify how a packet is sent through the network (Internet)


Encrypted File Storage
  • Use VPNs to keep remote sites within your own network
  • Encrypted tunnels, eg. Secure Shell (sshfs)
  • Encrypted file systems
    • eg. Nextcloud, ownCloud
    • Must ensure that encrypted file system is not mounted on remote, unsecured server
  • Encrypted containers
  • For any corporate encryption, Additional Decryption Keys are needed
    • Any user-encrypted files or containers can be decrypted by the organization's ADK; ensures data is not lost when user forgets password or leaves the organization
  • Office 365 encryption
    • The culture for Microsoft products is less concerned with encryption (poor adoption of encrypted technologies?)


  • Encrypted Backups?
    • For backups in the cloud, or on local storage
    • Encrypted backups can become un-restorable with minor errors
      • Bob recommends making unencrypted backups, then saving them in an encrypted container; even better to keep unencrypted backups physically secure
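An added example (not from the meeting notes or Bob Jonkman's post) that follows the advice above and the LUKS file-container item from the revision diff: keep a plain backup, store a verified copy of it in a LUKS file container, and back up the LUKS header so that a damaged header does not make the backup un-restorable. Container path, mapper name and mount point are assumptions.

```shell
#!/bin/sh
# Added example, not from the meeting notes or Bob Jonkman's post: keep a
# plain backup, store a verified copy of it in a LUKS file container, and
# back up the LUKS header so a damaged header cannot make the backup
# un-restorable. Assumes Linux with cryptsetup, rsync, fallocate and root.
set -eu

CONTAINER="${CONTAINER:-/srv/backup.luks}"   # assumed container path
MAPPER="${MAPPER:-backupvault}"               # assumed device-mapper name
MOUNT="${MOUNT:-/mnt/backupvault}"            # assumed mount point

# Create a container of $1 MB, LUKS2-format it (prompts for a passphrase)
# and put an ext4 filesystem inside.
create_container() {
    fallocate -l "${1}M" "$CONTAINER"
    chmod 600 "$CONTAINER"
    cryptsetup luksFormat --type luks2 "$CONTAINER"
    cryptsetup open "$CONTAINER" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    cryptsetup close "$MAPPER"
}

# Save the LUKS header to $1, kept off the backup media: the passphrase
# alone cannot open a container whose header has been damaged.
backup_header() {
    cryptsetup luksHeaderBackup "$CONTAINER" --header-backup-file "$1"
    chmod 600 "$1"
}

# Compare two directory trees by content checksum; returns 0 if identical.
verify_copy() {
    a=$(mktemp); b=$(mktemp)
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$a"
    (cd "$2" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$b"
    if cmp -s "$a" "$b"; then rm -f "$a" "$b"; return 0; fi
    rm -f "$a" "$b"; return 1
}

# Copy the unencrypted backup tree $1 into the container and verify it
# before closing, so a bad copy is noticed now rather than at restore time.
store_backup() {
    cryptsetup open "$CONTAINER" "$MAPPER"
    mkdir -p "$MOUNT"
    mount "/dev/mapper/$MAPPER" "$MOUNT"
    rsync -a --delete "$1/" "$MOUNT/data/"
    if verify_copy "$1" "$MOUNT/data"; then rc=0; else rc=1; fi
    umount "$MOUNT"
    cryptsetup close "$MAPPER"
    return "$rc"
}
```

Run as root, for example `create_container 4096`, then `backup_header /root/backup.luks.hdr` and `store_backup /var/backups/plain` (all paths assumed); the plain backup tree itself should stay on physically secured storage, as the notes recommend.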


Sharing Files
  • File permissions
    • Staff don't know how to use filesystem permissions, so they make all files globally read/writeable
  • Use a Document Management System to assign authorization to documents
    • Access control with a DMS can be more finely tuned
    • DMS also provides benefits such as metadata and search/indexing
    • but it needs the skills of a librarian to properly catalogue documents
    • and a DMS adds another layer of abstraction; more work for the SysAdmin, more to go wrong
  • Physical file systems (file cabinets, folders) were treated better by staff than digital file systems
  • Using Roaming Profiles for shared file access
    • SysAdmin can force desktop computers to put "My Documents", "My Pictures" &c. on the server for shared and secure storage
      • Doesn't work for Windows' "My Desktop"; that folder appears to have special privileges, but we don't know how
      • Can "My Desktop" or "My Documents" be made read-only to force staff to use server storage? Doubtful
    • Thin clients don't store data locally
    • Use the Browser Local Storage? (please, no)
    • "Libraries" feature in Windows can combine several folders (from different sources) into one
  • Commercial applications for managing roaming profiles: Micro Focus ZENworks (formerly NAL, Novell Application Launcher); Intel LANDesk Manager; Computer Associates
  • Staff gets easily confused with shared filesystems
    • Folder tree changes, filename and foldername changes


Storing Binary Files
  • Music Files, photos, video, CAD drawings, &c.
  • Using Google Drive is not efficient for binary files, better to keep on local (non-cloud) storage
    • Post-production for music can't be done online
  • Cloud services need cloud-based client software to manage binary files
    • Google Docs does not have a good music client to manage music files for an orchestra
    • But Google Docs has good photo apps


USB Sticks or Thumbdrives
  • How to prevent the use of USB drives?
    • Physically hot-glue the USB ports on the organization's computers
    • Pop up a warning to the user when USB device is inserted
    • Lock the computer when a USB device is inserted
  • Worried about "Parking Lot USBs" (USB drives found in the parking lot, may contain malicious payload)
    • Physical attacks through high-voltage discharges (see https://usbkill.com/ )
    • The only protection against physical attacks is physical protection
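An added example (not from the meeting notes) of two of the countermeasures listed above, for a Linux desktop: blocking the usb-storage driver so thumb drives never appear as block devices, and locking all sessions when a USB device is inserted. It assumes udev plus systemd-logind with loginctl at /usr/bin; the ROOT variable is an assumption that lets the files be staged in a scratch directory for review.

```shell
#!/bin/sh
# Added example, not from the meeting notes: two of the USB countermeasures
# listed above for a Linux desktop. It blocks the usb-storage driver so thumb
# drives never get a block device, and locks all sessions when any USB device
# is plugged in. Assumes udev and systemd-logind (loginctl at /usr/bin).
# ROOT="" writes to the live system; set it to a staging directory to review.
set -eu
ROOT="${ROOT:-}"

# "install <module> /bin/false" makes every load attempt fail, including the
# automatic load when a drive is inserted (no effect if usb-storage is built
# into the kernel rather than a module).
write_usb_storage_block() {
    dir="$ROOT/etc/modprobe.d"
    mkdir -p "$dir"
    printf '%s\n' \
        '# Block USB mass storage; keyboards, mice and hubs are unaffected.' \
        'install usb-storage /bin/false' > "$dir/block-usb-storage.conf"
    echo "$dir/block-usb-storage.conf"
}

# DEVTYPE usb_device matches once per physical device (not per interface);
# RUN+= programs must exit quickly, which loginctl lock-sessions does.
write_usb_lock_rule() {
    dir="$ROOT/etc/udev/rules.d"
    mkdir -p "$dir"
    printf '%s\n' \
        '# Lock every login session when a USB device is inserted.' \
        'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/bin/loginctl lock-sessions"' \
        > "$dir/90-usb-lock.rules"
    echo "$dir/90-usb-lock.rules"
}

# Returns 0 when both policy files exist with the expected directives.
verify_usb_policy() {
    grep -q '^install usb-storage /bin/false$' "$ROOT/etc/modprobe.d/block-usb-storage.conf" &&
        grep -q 'RUN+="/usr/bin/loginctl lock-sessions"' "$ROOT/etc/udev/rules.d/90-usb-lock.rules"
}

# On a live system, finish with: udevadm control --reload-rules
# and, if the driver is already loaded: modprobe -r usb-storage
```

Neither file stops a device that impersonates a keyboard or the high-voltage attack mentioned above, which is why the notes conclude that physical attacks need physical protection.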


Future Topics

  • Document Management: There are specialized software tools to manage your documents, provide version control, allow staff to checkout documents for exclusive access, and to provide indexing and search tools. What do you use?
  • Encrypted File Systems: How do they work? Demonstration/Workshop on creating encrypted file containers.
  • Microsoft Evening (do they still provide sponsorship? Marc will check with Eli)