Our previous cybersecurity post took a look at the basic security questions everyone needs to ask themselves. In that post, we mentioned two-factor authentication, shared files and cloud storage, security monitoring, and operating systems. This time around, Ben Reinken discussed how those things apply to Romega and our clients.
Ben and our CEO Braden have known each other for years. There are certain coworkers you never want to leave, and that’s very much their story. Their latest stop was at Appspace together, where Ben worked as a Cloud and DevOps Engineer. At Romega, Ben is in charge of development operations and handles everything infrastructure, with the exception of our WordPress hosting, which we’ll talk about later in this post. Notably, he manages infrastructure security.
“One of the basic things we do security-wise is ensuring HTTPS is on all sites,” Ben says. “We do this for free for all of our clients.”
Romega is a Google Cloud Partner. In the future, we are planning on utilizing more and more of their services including a cloud launcher platform, billing process, and more. For now, we’re focusing on our clients’ security, something that Google does really well.
“Most of our security for custom software projects is through Google Cloud,” Ben says. “Google controls access to servers, as well as how we access them. It manages our SSH keys — rather than relying on usernames and passwords — and it generates new keys regularly.”
SSH keys are a more secure alternative to usernames and passwords. They’re long and complex strings of letters and numbers which are nearly impossible to guess. (Hackers and malware could brute-force their way past shorter usernames and passwords, especially when they are shared across servers.) Google Cloud creates keys for each user and manages them securely so that they are not stored locally on laptops.
Keeping Things Separate
“We’ve also broken out clients into separate platforms,” Ben says. “If we have a server we host, they are separated from our other clients’ data.”
This kind of organization is based on how much risk there is.
“If you have one big project and, say, 5 or 10 or 20 servers, if one of those is compromised then the other ones could be compromised as well since there are more points of entry when connected,” Ben says. “By separating them out, there’s only one way to any client’s data. That way, we could isolate and take care of a single compromised account quickly and safely. Ultimately, we’re minimizing risk.”
Romega evaluated several cloud server providers and found that many of their security standards just weren’t up to snuff. We chose Google Cloud because they do a great job with security precautions as well as general monitoring.
“As soon as Google knows about some issue, we know,” Ben says. “However, Google can more quickly apply more security patches without notifying us, and they don’t have to shut the server down to fix anything. There’s zero downtime maintenance. Also, having everything in the cloud makes things easier to migrate without sacrificing entry points.”
For our small business marketing customers whose websites run on WordPress, our partner WP Engine manages security for your websites, which helps keep your digital spaces at peak performance. Romega has used WordPress to build websites for a long time, including our own. It’s a great resource for us, and we like to provide the best for our customers as well.
Similar to how Google Cloud protects our custom software clients, WP Engine offers dedicated environments for specific customers. Processing power, memory, disk space and other system resources such as backups are kept separate (and are encrypted for additional security). WP Engine also scans for vulnerabilities so they can be fixed quickly and efficiently. For penetration testing, WP Engine contracts a third-party vendor to perform routine checks. All physical computing equipment is located in a secure facility.
Security is a huge priority for us, and it’s on the tips of new clients’ tongues when they decide to work with us. If you have any more questions about our security practices and how they apply to your business, contact us. We’d be happy to address any concerns and assuage any fears.