Data and information security

Security in the digital space is important. We can only sleep well at night if we know our data and secrets are safe. But what exactly does “security” mean in this context, and how can I myself help to ensure that my data is safe? Let us first define security as we understand and implement it at ViOffice, and then clarify what constitutes good, actual security on the one hand and what only gives the appearance of security on the other.

Security of Data and Data Streams

First and foremost, security for us always means data security. This can mean, for example, stored files to which unauthorized persons should not have access. This is probably the understanding of data security that most people have in mind. However, this is not the only kind of data. The security of history logs (e.g. chat histories) and meta-information also falls into this category, such as information about which end device I use, when I last accessed or changed my data, and with whom I share it.

It should already be clear that data security goes hand in hand with privacy. Even if the files I store do not contain any personal information, metadata can be used to determine who or where I am at any given time, what topics I am dealing with, what my interests are, and with whom I communicate and about what. Knowledge about our social and communication networks is particularly sensitive here, because it can possibly reveal more about us than our actual data.

There are many different approaches to preserving privacy and ensuring data security, often via legal obligations, promises and assurances. However, it turns out that only two methods are actually effective and verifiable by users: a minimum amount of stored information and strong encryption methods.

Data Minimalism

It is hardly surprising that information can only be evaluated and potentially misused if it exists in the stored data or can be inferred from it. For this very reason, it is extremely regrettable that many companies and also political actors confuse perfect security with perfect information, when the exact opposite is often the case. This is why most companies try to collect as much information as possible without considering in advance whether this data is really necessary for the project or whether it could even be detrimental and have the opposite effect.

The concept of data economy, or data minimalism, stands in contrast to this. Instead of collecting as much information as possible and then looking for a use for the available data, it is determined a priori which information is needed for which purposes. This is usually done by constantly weighing the benefits against the associated privacy intrusions.

Transparent Encryption

Although minimizing the amount of data and data streams collected and stored is an important first step in protecting users' information from unauthorized access, there is still data that must be available for technical or legal reasons, such as files that users store themselves. To keep these secure, strong and robust encryption algorithms are required that can be used just as easily by users without technical understanding (a property sometimes disparagingly referred to as “foolproof”).

When it comes to concrete security measures for technical systems in companies or administrations, requests for information are usually rejected with reference to (supposed) security. However, the idea behind this, which seems logical at first, that keeping the security measures and algorithms secret automatically results in increased security, is a fallacy. As already explained in the context of Free Software, real security is only possible if it can be verified and validated. Several thousand people may be working on Free Software at once. These are enthusiastic entry-level and hobby programmers, but also experts in the fields of software, cryptography and general software security.

Especially in the case of encryption algorithms, it has been shown that constant public auditing of the underlying mechanisms and techniques, including in scientific papers, increases robustness many times over compared to “secret” algorithms. For a publicly understood encryption algorithm to nevertheless produce results that are difficult or, in the best case, practically impossible to decrypt, it cannot be based on secret processes. Instead, it relies on personal key pairs that are known only to a select group of people (usually only one person) and through which the transparent algorithm can produce a unique and unambiguous result. In modern cryptography, especially in academic circles, this so-called “full disclosure” principle is the established gold standard, but unfortunately it is still not used in all areas of IT security (especially often not by companies that develop proprietary software).

Data Access Security

However, the storage and retention of data and information is only one step. Furthermore, data access and access authorizations are relevant, whereby many different systems and actors must interact.

On the one hand, it is particularly important in collaboration systems such as ViOffice that files and information can be shared as simply and clearly as possible for the relevant period with a precisely specified group of people and granularly determinable access rights (e.g. read, write or both). It should also be as easy as possible to subsequently moderate information access and to revoke it in case of doubt.

On the other hand, a secure transport path for data must be established. On the side of a service such as ViOffice, this can be done through encrypted channels, as is now the case when accessing web services that use the HTTPS protocol instead of HTTP. However, the users' end devices also play a decisive role here. In particular, they should be up to date and have all security-relevant updates installed; this is especially important for smartphones. In addition, a trustworthy web browser should be used, for example Mozilla Firefox, which is free software, or the open-source variant of Google Chrome: Chromium.

Another important aspect, which is beneficial for the security of data access, is of course secure passwords. These are often the weakest link in a chain of security measures and the most frequent attack vector from outside. A method that is now being used more and more frequently to make data and system access significantly more secure is two-factor authentication (2FA). Here, in addition to the usual login data (factor #1: something you know), for example, a confirmation request is sent to your own smartphone (factor #2: something you own). Data can only be accessed if both factors allow this (e.g. if the login password is correct and you confirm this login via smartphone).

Security against Data Loss

Ultimately, security against information loss is also one of the overriding issues described here. Of course, the reliability of the software and services is a central consideration. In addition, the versioning of files, i.e. the periodic backup with the possibility of restoring an old status, can be a good means of counteracting the accidental deletion or overwriting of information.

This can be particularly helpful for those who fall victim to malware attacks, as has been seen several times in recent years, for example, under the names Petya/NotPetya, Locky or even WannaCry.

Beyond that, however, regular and complete data backups are always indispensable. This can and should be done by the respective software services, in compliance with the necessary encryption standards, but should also always be done by users themselves. Data backups are the simplest and still the safest way to protect yourself and others from information loss.

Security in ViOffice

Security is also a central aspect of action in ViOffice. The overall concept and respective implementations are always weighed against privacy and security viewpoints.

For example, ViOffice follows the data minimalism approach already mentioned. The ViOffice services collect and store only the information that is absolutely necessary for use, such as the data that users themselves upload to the cloud and information that is legally necessary for the operation of ViOffice. For example, information and time logs on file accesses, conversation histories and corresponding metadata are expressly not stored. This is also done as far as possible by client-side encryption (i.e. locally on the end devices of the users), even before it reaches our servers.

Transparent, established encryption is the second pillar of data security and privacy in ViOffice. As described in our help center, information is encrypted at least on the server side by the user’s password. This ensures that the respective information can only be decrypted with knowledge of these passwords. The data traffic between users and ViOffice always takes place via TLS-secured channels (https), so that third parties have no access to the data transmission. As far as technically possible, we go one step further and use real end-to-end encryption (E2EE), for example in ViOffice Talk or optionally selectable in ViOffice Conference. Teaser: In early 2021, it will also be possible to secure files stored in ViOffice Cloud via E2EE.

We also attach great importance to the simple handling of access rights for files, contacts, calendar entries and much more. These can be easily shared in ViOffice and offer the respective users granular settings for the time period and group of people, as well as the read and write rights of the respective files. These can also be shared externally with persons without a ViOffice account and optionally provided with a password. More information about this can be found in the respective section of our Help Center.

When passwords are chosen, we also enforce the choice of secure passphrases and advise our customers to use automatically generated passwords and, in this context, password managers. Furthermore, we would like to point out that ViOffice supports a variety of two-factor authentication methods, such as the simple TAN procedure, 2FA via e-mail, U2F and TOTP. More information on this can be found in the “Security” section of our Help Center.

We address the risk of data loss with regular and complete backups of our systems and cloud data. Like all our data, these backups are of course secured using state-of-the-art encryption methods. At the same time, we raise users' awareness of the need to make their own backups of data stored in ViOffice. The easiest way to do this is to use synchronization programs for the PC or smartphone that are compatible with ViOffice.

File versioning in ViOffice also ensures that users can always restore older versions of a file. This feature is especially important when collaborating with many different actors.

The security measures in ViOffice also include protection against malware, in that ViOffice Cloud automatically detects when files are encrypted or damaged externally and stops file synchronization with the affected end device as a precaution. Already damaged files can then be easily restored using versioning.
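
One way such a sync guard could work, as an added example that is not ViOffice's implementation: it assumes the server sees the previous and the new content of each changed file and applies two heuristics, a jump in byte entropy and a lost file-type header. Function names, thresholds and the sample batches are constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter

# File-type signatures expected at the start of intact files (small assumed subset).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: about 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, old: bytes, new: bytes) -> bool:
    """Flag an overwrite that turns a readable file into random-looking bytes."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    # Compressed formats already have high entropy, so for them the lost header
    # is the signal; for text-like files it is the entropy jump.
    lost_header = bool(magic) and old.startswith(magic) and not new.startswith(magic)
    jump = entropy(new) >= 7.5 and entropy(new) - entropy(old) >= 1.0
    return lost_header or jump

def review_batch(changes, max_suspicious: int = 3):
    """changes: (name, old_bytes, new_bytes) tuples uploaded by one device.
    Returns (pause_sync, flagged_names); flagged files are restore candidates."""
    flagged = [name for name, old, new in changes if looks_encrypted(name, old, new)]
    return len(flagged) >= max_suspicious, flagged

def fake_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted content: deterministic hash output."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(size // 32))

# Constructed sample batches: normal edits versus a device overwriting files
# with random-looking content.
TEXT = b"Meeting notes: budget review and next steps for the project. " * 60
BENIGN = [("notes.txt", TEXT, TEXT + b"Added one more line.\n"),
          ("logo.png", b"\x89PNG" + fake_ciphertext(1), b"\x89PNG" + fake_ciphertext(2))]
ENCRYPTED = [("notes.txt", TEXT, fake_ciphertext(3)),
             ("plan.pdf", b"%PDF-1.7\n" + TEXT, fake_ciphertext(4)),
             ("offer.docx", b"PK\x03\x04" + fake_ciphertext(5), fake_ciphertext(6))]
```

When `review_batch` returns `True`, synchronization with that device would be paused and the flagged names restored from their earlier versions.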

More information about the security measures we take in ViOffice can be found in our Help Center.