Protecting Your Organizational Identity Online

From DevSummit
Jump to: navigation, search

Facilitated by Allen Gunn, Aspiration

Session Description

As nonprofits move increasingly to "the cloud", with hosted applications and online services playing a central role in their program and operations, a new category of risk exposures has emerged. From proper domain registration to ownership and management of hosted data to control of social media accounts, many organizations fail to consider the long term when they set up online presences and increase their dependency on online tools. This session will provide practical steps organizations can take to take full control of their online identity and long-term destiny.

Session Notes

protecting your org identity online

processes need to be braindead simple to be

adopted nonprofits don't have a list of their accounts

first step: spreadsheet with acct name, url,

but not password

second step: good password protocol


primary asset is the data. most orgs think

only of software and hardware costs

have inventory of where your data lives and

how often it is backed up


recommendations for tracking all accounts

- spreadsheets
 - google - but hosting critical org data 

there has privacy tradeoffs

contact info on accounts isn't systematic.

- recommendation. 
  - orgs should use cpanel hosting as easy 

way to manage systems easily thru graphical

interface

  - create email alias/forwarder that is 

accountname@ domain.

  - every forwarder goes to 2 people. primary 

account user and ops manager.

   - redundancy. 1 of 2 people will be 

available at any time

   - forwarder allows rerouting of the emails 

when people change roles/depart the org

   - helps to track who is sharing your info 

with spammers

contact info for an account can't be personal

email/address. worst practice

plesk

- a variant of cpanel

software registrations too. not just web

registrations


domain registration

- scumbag registrars. godaddy = super 

rightwing + bad site design ++++ hostage taker

registrar (very difficult to move to new

registrar)

- registrar.com - bad
- domain registry of america. flaming 

scumbags!!!!

- network solutions. hostage takers. 

CIA-affiliation.

- joker.com. recommended by bruce. can be a 

reseller.

- domainsite.com/name.com = 

gunner-recommended. excellent admin tools.

only tech support on weekdays.

when domains get taken

- if someone registers your brand, there's a 

grievance process.

- but if the domain gets grabbed, you're 

screwed.


best practice

- register com/net/org combo when possible. 
- your opponent will buy them
  - they'll use seo to drive people away from 

your org, mislead people.

- don't rely on registrar to alert you about 

renewal

- make sure contact info is updated and 

consistent across your domains

- autorenew is good if you're comfortable 

having credit card info in a hackable

database. paypal is an option

- multiyear renewal is good.
- NEVER LET AN EXTERNAL PARTY REG DOMAINS FOR 

YOU

- written down explicit org process for 

domain reg

  - who is empowered 
  - how. step by step.
- put all domains in one registrar you trust
  - unless you're controversial and need to 

keep domain with non-US registrar (ghandi.net)

    - california green party does this

cybersquatter solution

- have whitehat squatters make domains 

available to causes for short-term campaigns

tangent: china rerouted 15% of web traffic for

20 minutes earlier in 2010 and saved all the

info. proof of concept.

web hosting

- never ever ever do web hosting with your 

registrar. leads to hostage situation.

  - if hosting is separate from registration, 

you can solve the hosting hten move the

domain. much harder to divorce if everything

is in the same place.

- archive your cpanel settings. monthly. 

domains, subdomains, email accounts,

forwarders.

- when you create a hosted account, see if 

access to the acct can be through a subdomain

or directory of your domain name. ex. you

could pay wordpress to direct

aspirationtech.wordpress.com to

aspirationtech.org/blog - local backup copies of databases. amazon s3

account. rochen.com hosting


email

- never give out anything but @yourdomain, 

even if you route it through another service

(gmail)

- good options. cpanel hosting account. don't 

use imap. use pop and local mail clients for

orgs who want to make it more difficult for

the gov't to take hte data. use an open source

mail client (squirrelmail, etc.)

- electric embers.org. npogroups.org. open 

source webmail service

- FORBID YOUR STAFF FROM DOING ORG 

COMMUNICATION THROUGH PERSONAL EMAIL ADDRESSES

 - branding. you look amateurish.
 - staff is building address book of org 

contacts. staff is aggregating org knowledge

into gmail folders that are outside the org's

control. if there's an ideological schism,

angry staff member quits and spam entire

address book with grievances.

 - also think about volunteers/contractors 

who do any external communications. set up an

org address for them.

- NO NON-WORK COMMUNICATIONS WITH ORG EMAIL 

ADDRESS

 - hard to monitor but train employees on the 

policy and why we have it

 - policy: the aggregate email info stays on 

org hardware. pull data only onto org

machines.


one solution: install your own email client

(like open source Zimbra). daily snapshots of

data. can recover deleted emails.


version control and open source software

- your website is dependent on compatibility 

with the version of software (wordpress) it is

running on.

- code escrow. recommended contractual item 

with developers. code is staged out to the

escrow location every X days. protects against

schisms btw you and developer. run svn server

on local server (most orgs don't have

expertise/resources for this).


control of online real estate

- facebook/twitter. get on them and lock down 

the userid/facebook url for your org. same

username on as your domain name if possible.

same for any other significant online outposts

- log in every 90 days to keep the acct
- get a page for your org on wikipedia and 

make sure it says what you want it to say. get

the rss feed and monitor

- have an org tag and monitor it on 

deliciious, flickr, twitter.

- SEO. know what keywords you care about even 

if you're not optimizing. google for them

occasionally to make sure your opponents

haven't optimized for them better.

- social media listening. netvibes is a good 

service. no good open source solution yet.

"for a corporation, they're not that bad."


backups

- do them. do them more often.
- all org data on all hard drives. 
- back up offsite. protects against disaster 

or data grab.

- backups behind a locked door..
- partner with other org to back up each 

other. both behind locked door. complying with

each others' privacy policy.

- ED or trusted employee taking backups home 

isn't a bad option. Sending a physical copy of

your data thru Fedex to offsite location (like

board chair).

- all backups need to be encrypted.
- recommended encrypted services  
  - recommend services that accept 

responsibility for data (s3) vs. services that

disclaim liability (dropbox, etc.)


SSL

- for collecting donations. protecting donor 

info. make sure your have an SSL certificate.

- encrypting entire website (https) can be a

good idea, protect against sniffing/injection

- there are good tutorials (EFF white paper 

on https and links to resources being released

soon. https anywhere firefox plugin.

aspiration paper: protecting your identity

online.

best practices: see if vendor's align with

nonprofit values - different from having a

nonprofit pricing plan.


key takeaway: open source hosting hires child

meth addicts as sysadmins


1. have organizational standards for website

logins and domain registrations. clear

separation of personal and organizational

communications

2. separate hosting and registration.

3. grab org usernames and urls on significant

social media sites and monitor how your org

name is being used.