

Ask HN: How do you host private data? - johnsto19

I have not worked for a company before to see how they do it, and I can't seem to find much info online regarding the topic.

How (exactly) do you host sensitive/private data for your company like source code, financial docs, or even the private company intranet?

I always assumed that these were just hosted on some non public facing box on the LAN or something, but then I realized that it is probably more likely that the data is on either a box in some data center that you colocate at or some VPS service that you use alongside your public facing services. But I suspect most companies have issues storing sensitive data on any kind of hosted box or cloud store.
======
gaelian
I guess it depends how private the data needs to be. My view is that for stuff
that's even vaguely sensitive, it would be nuts not to use TLS/SSL for data in
motion. But you also need to think about whether it's acceptable for the data
to reside with whoever will be on the receiving end.

At my day job, the intranet is hosted internally on servers within the
premises, but this is more for historical reasons than security concerns.
There are a number of other file servers etc. that are kept in-house for
historical reasons and because they contain sensitive information. Satellite
offices are connected to the main office by a VPN.

Our public websites are hosted external to the office network on a VPS. I tend
to be a little obsessive about making sure that all possibly sensitive traffic
that goes between our local network and our VPS is encrypted (admin interface
over https, SSH sessions, FTPS etc.) and because there's really nothing on the
public websites that shouldn't be public anyway, I'm happy to trust the
hosting provider with that data.

We're thinking of giving Yammer a go for adding to internal communications and
I will of course be recommending that we use TLS/SSL with Yammer should the
idea go ahead. There are so many of these hosted services these days, it would
seem like a shame to dismiss them all just because they're hosted and you need
to travel across the Internet to get to them. I prefer to look at things on
more of a case by case basis and weigh the pros and cons.

To oversimplify a complex issue: encrypt data in motion across untrusted
networks, make sure you trust where the data is ending up (whether you're
encrypting it at rest as well or not). Or host it internally and make sure
your own network is secure and reliable.

So in my experience from the places I've worked, I guess you could say it's
usually a little from column A and a little from column B. Larger
organisations seem to be warming to the idea of taking advantage of the cloud
more and more these days when previously they would more likely opt to host
stuff in-house.

