Page 1 of 1

Cloud security - is there any?

Posted: Fri Mar 31, 2017 11:36 am
by Castaway
I am considering rolling-out Cmaps across a small enterprise. Our corporate website and user forum, not dissimilar to this, has just been the victim of a concerted hacking attempt of the MySQL database. It's caused chaos.

Much though I like Cmap, I'm mandated to be absolutely sure that every possible step has been taken by IHMC to protect user cloud data. Furthermore, what steps are regularly taken to back-up user cloud data (if any) by yourselves and also what steps are taken to protect user log-in passwords. How is Google prevented from gathering data by trawling through the cloud site?

I realise that as a practically free service the user cannot expect too much, but an understanding of the risks would be most welcome. It might encourage users to pay for an enhanced level of security, such as encryption, which I understand you considered a couple of years ago but do not seem to have proceeded with. The alternative in many ways to Cmaps is Microsoft OneNote, which is inexpensive (or on cloud, free) and has significant security through the Sharepoint system.

Data theft is headline news these days. We all have to assume that it will happen and plan to minimise the damage.

Re: Cloud security - is there any?

Posted: Fri Mar 31, 2017 12:09 pm
by cmapadmin
Hi.

We are still considering a paid option with enhanced security. In fact, we have a design where we could have a CmapServer wth the resources hosted in the user's premises, behind their firewall, so that their data never leave the premises. But funding has prevented us from moving as fast a we would like. The Cmap Cloud uses the CmapServer as its back-end for storing resources.

Backups are taken constantly, although not immediately after a resource is saved (we use Crashplan for backups, and its permanently backup up new or changed resources). Login passwords are stored encrypted in an LDAP server, which is not accesible from outside (its IP address is not public), only from the CmapServer. So a user cannot get directly to the machine where the passwords are stored.

Currently Google is not crawling the Cmap Cloud as it is blocked at the root of the resource hierarchy, and you can prevent Google from getting directly to your resources by creating a folder and changing the permissions on it (the Home Folder has general read permissions --- one of the options we want to provide in the paid version would be allowing users to change this. But for now, users can change the permissions on any folders they create. Accessing the Cmap Cloud from the CmapTools desktop client provides better control over permissions). Permissions in the CmapServer are handled at the folder level, and if you change the permissions for a folder there is no way Google or any user can get through it (unless you have a subfolder with weaker permissions and you provide a link to it directly). Changing the permissions is important since, even though Google cannot get to the resources, the CmapServer's indexer does, and you can search from the CmapTools client.

We don't currently provide the option to encrypt the Cmaps and resources stored in the CmapServers.

Hope this helps.