Considerations

We are acting as designers, developers and systems administrators.  By hosting a service – whether it is on the open internet, available to a select few, or only for your personal use – we must make sure we consider how well approach this software and it's hosting.

We will approach these considerations by asking ourselves three questions to ensure we know what we're doing going in.

Security vs convenience 

This is called threat modelling.

https://www.privacyguides.org/en/basics/threat-modeling/

How Large is Your Community?

• Bandwidth
• Internet and hardware (hard drive)
• Power and internet
• Scaling
• Adding more users bandwidth resources and hardware
• gdpr and legal requirements
• Is this a vulnerable community?

What is Your Attack Surface?

• What do you consider an attack?
  • Brute force
  • Malicious actors
  • bots and web crawlers
•  Encryption
  • https://en.wikipedia.org/wiki/Encryption
• Https enceyption and disk encryption
  • encryption at rest
    • https://en.wikipedia.org/wiki/Data_at_rest
  • encryption in transit
    • https://en.wikipedia.org/wiki/Data_in_transit
  • encryption in use
    • https://en.wikipedia.org/wiki/Data_in_use 
    • https://phoenixnap.com/blog/encryption-in-use
  • end to end encryption
    • using all three to ensure data is always encrypted.
• Security vs convenience
  • https://thecyberpatch.com/security-con-finding-the-right-balance/
• Security by obscurity
  • https://en.wikipedia.org/wiki/Security_through_obscurity
  • Security by obscurity alone is discouraged and not recommended by standards bodies.
  • This assumes that secrets will stay secret.
• Open security
  • https://en.wikipedia.org/wiki/Open_security
  • Open security is the use of open source philosophies and methodologies to approach computer security and other information security challenges.
  • Traditional application security is based on the premise that any application or service (whether it is malware or desirable) relies on security through obscurity.
• Vpn vs proxy
• LAN access vs server only access (127.0.0.1:80:80) vs 80:80
• limiting user access
• Docker vs vm vs bare metal 
  
• What is your attack surface, i.e. is it your local machine? a LAN? your entire home? data over the Internet? A worldwide enterprise? That determines how much you have to do
• intrusion protection services
  • Monitoring services
• kill switch
• fail2ban
• two factor
  • totp

What is The Value of Your Data?

• Data privacy
• How important is it to someone else, and how important is it to you, your security, identity and privacy?
• Should this data be accessible to the outside world, should it even be digitized?
• What is the value of the data? Does a hacker care about Joe Schmo? Probably not. But do you have confidential company data, or are you an important stakeholder? Well, now you've suddenly become a bigger target.
• Is this information about your personal media collection or is it access to all of your financial data?

How Much Effort Are You Willing to Spend?

• Documentation
• Resources
• Updates & Upgrades
• Hardware and software
• what you can handle yourself vs what you need a dedicated security professional for.
• How much time, money and effort are you willing to put into your security? Remember, there are entire companies dedicated to security, and entire SOC's whose sole job is monitoring for security incidents and even they don't catch everything. These organizations have multiple experts, layers of defense and constant monitoring, but the data they protect is worth it (see #2 above). How much effot you're willing to put in determines how many steps you need to take.