Best practices for keeping sensitive client data secure when transforming it with EasyMorph

Hello!

When I use my own instance of EasyMorph to transform a client’s data, I was wondering what best practices can be followed to keep this data secure. For example, let’s say we periodically download a CSV file with sensitive data which we have to transform periodically. The client doesn’t have EasyMorph, and we’re offering this transformation as a service. So we download the file to the computer where we have EasyMorph Desktop installed, and then it gets imported into EasyMorph and transformed. This CSV has left the client’s secure server. So what would be the best practices to keep it safe, even though it has left the client’s environment?

If we’re working with EasyMorph Desktop, instead of installing EasyMorph on our own desktop computer, could we install it for example in Amazon Windows Server (instance of Windows hosted in Amazon - https://aws.amazon.com/windows/)? The CSV file could be placed first in a secure Amazon S3 Bucket, and from there, the EasyMorph Desktop running on Amazon Windows Server would retrieve the file from the bucket, transform it, and then upload it again to the secure bucket, where the client could download once again the modified file. This way, even though the file is not in the client’s environment, it’s in a secure area (with Amazon’s security measures in place) both in the bucket and in the desktop where EasyMorph desktop modifies it.

On the other hand, is it possible to import a CSV into EasyMorph without having it physically in the computer where EasyMorph is installed? Importing it directly from a bucket, without having to download it first into the computer, and then importing it in EasyMorph? Basically minimising the movements, uploads and downloads we have to do of the file.

I was also thinking about the role that EasyMorph Server could play here, but as EasyMorph Server would still be installed outside the client’s premises, we’re back in the same situation as with EasyMorph Desktop, right?

Thanks very much!

Roberto

Hi Roberto,

Which part of the workflow do you consider not secure? The computer where EasyMorph is installed or something else? If you consider the computer not secure then it doesn’t matter how exactly you secure the data if it gets transformed in an unsafe computer that can be compromised. Also, why do you think it would be more secure if you replace a local computer with an Amazon EC2 instance?

If the computer is secure, and you’re only concerned about not leaving a disk footprint on the local computer and keeping data always in memory, then why would you be concerned about this if the computer is secure?

Anyway, CSV is not a good format for sensitive data. The first step should be securing the data. A few ideas for a CSV file replacement:

  • Upload the CSV data to a cloud data provider such as Google Sheets, or a cloud database, or Google BigQuery from which it can be queried/imported by EasyMorph. In either case the client can use the free edition of EasyMorph.
  • Use encryption in DSET files (will be available in v4.6). This will leave a disk footprint but at least it will be encrypted. This would require using the free edition on the client’s end as well.
  • Put the CSV file into an Amazon S3 bucket, install an ODBC driver for Amazon Athena, and try querying it in EasyMorph as if it was an SQL database using the “Generic ANSI SQL” dialect. I didn’t test this suggestion. Also, not sure if it’s possible to export it back to Athena in a similar way.

Hello Dmitry,

Thanks very much for your reply. I see you have differentiated two topics here: securing the actual data, and securing the computer.

As you say, the first step would be securing the data, and replacing CSV files. I will explore these options, and I thought about an additional one - if the platform from where the CSV files are generated also allows a secure API connection to upload/download the data, this could be a good option, right? And there would be no files, as the data would come straight from the API into EasyMorph, and then uploaded again through the API. And more convenient, as EasyMorph Desktop wouldn’t have to be installed on the client’s side.

Regarding securing the computer: yes, one part of the workflow that I considered not secure was downloading the data into a regular desktop computer. This computer could be reinforced with antivirus, firewall, etc. but I was thinking about Amazon EC2 because it is hosted in Amazon and provides different tools to secure the instances, such as security groups (would be like a firewall): https://docs.amazonaws.cn/en_us/AWSEC2/latest/WindowsGuide/ec2-security-groups.html Do you think that a desktop computer with security measures such as antivirus and firewall can be equivalent to an Amazon EC2 instance with the security tools in place?

Thanks for your insights!

Roberto