As of our last all-hands meeting we have moved our company to using NextCloud on a server in a German data center. This is the second major step in improving our information hygiene in the company, after adopting RocketChat and leaving Slack.
I had created the cloud already last May, but we had not transitioned everyone in the company and all our work. That transition has now been made.
It allows us to avoid having to work with clients in cloud environments like Google Docs, it has OnlyOffice for online collaboration in documents, it allows us to avoid file transfer services in favor of being able to provide (time-limited, password-protected) download links from our own server, and it has integrated STUN/TURN support so we can do (video)conference calls from within our own environment. It’s a managed server/service for a few hundred Euros per year. A key benefit is being able to nudge our clients to routines less exposed to the data-hungry silos, and also to show compliance with (regularly inconsistent and differing) rules regarding which online services they do and don’t allow. Setting an example is in itself a benefit given our work on transparent data governance, data ethics and accountability.
In the coming weeks we’ll aim to get fully accustomed to our new working environment, but so far it has been pretty self-evident.
Screenshot from working with a colleague in OnlyOffice (content blurred obviously)
We are working our way through a list of things to improve our overall information hygiene, a discussion I started last spring. It involves changes at the company level (like Nextcloud and Rocketchat) and changes at the individual level (helping colleagues e.g. with password management. We moved all of us onto the same password manager, which also includes the option to share passwords from a company account). It focuses on tools and technological measures, as well as on behaviour and work routines. And it looks at both laptop and mobile devices. I’ve created an ‘information hygiene ladder’ on those three dimensions, with a different level of information security at each rung, that we can strive for. The upper end, the “I’m being targeted by a three letter agency”, we’ll never address I’m sure. But there is a wealth of opportunities to improve our information security level before that extreme stage.
@ton just FYI following 36c3: In 9 days is OFFDEM https://socialhub.activitypub.rocks/t/socialhub-at-offdem/456 and Fediverse Summer Conf is in September in Barcelona, lleialtat.cat
@ton Inspiring. Thanks for this. Can you share ‘the information hygiene ladder’ you mentioned?
Yes, at https://www.zylstra.org/blog/2019/05/increasing-information-security/, the linked-to discussion in the blogpost, you see a rough ladder of 9 levels of intensity, and then there are a few dimensions for each of those levels (individual or org level, technical or behaviour, and laptop or mobile). It’s just a structure as a thinking aid; there’s no academic rigour involved in defining the levels/distinctions. For our org, only the first 5 or so levels are of interest, with 6 and 7 relevant for just a few of us.