Getting Cloudy

In 2018 I decided to stop worrying and embrace the cloud. Here’s how.

Throughout the process, my focus was on low cost and simplicity, and I must say, this was a truly valuable experience.

Getting a domain

First stop was buying my domain. I opted to buy from Namecheap thanks to the student deals they have.

Next stop was moving the domain somewhere better. Not to insult Namecheap, they’re a decent registrar. But given the choice I would much rather have my DNS hosted somewhere that’s really good at DNS.

Luckily, CloudFlare has a wonderful free tier that really is free. After setting the nameservers and giving the zone time to transfer, it was time to move to the next phase.

The dreaded email question

This was the hardest choice. The options I evaluated were:

• G Suite
• Office 365
• ProtonMail

It was a tough choice. Ultimately I decided on Office 365 Business Essentials. Here’s why:

1. Integration with Windows. With the basic subscription you get an Azure AD domain, which is kind of huge. By enforcing multi-factor authentication I can turn on some neat stuff like Windows Hello for Business and in the future get support for FIDO2 security keys for both local login and RDP as well as single sign-on for webapps.
2. Exchange Online Protection. At first I was skeptical, but after some research my mind was changed. EOL is a neat feature where all attachments are run through a live virtual environment and tested with heuristic analysis for malware behaviour. Obviously it’s not a ‘layer-8 firewall’ but it sure is nice.
3. Bitlocker recovery key backups. Strangely this was one of the biggest factors. I have a strict principal of running full disk encryption on the primary drive of any computer that leaves the locked door of my apartment. Having a secure offsite method to automatically backup the recovery keys is very nice.

That’s not to say it didn’t have downsides. Here are the ways I considered the other options superior:

• Gsuite undeniably has better third party integrations
• ProtonMail is far better for privacy, providing end-to-end encryption on all messages, and server side encryption so it’s practically impossible for anybody but me to read my emails.
• Gsuite also currently has better support for physical security tokens. That may change soon, when FIDO2 rolls out for all Azure AD organizations.

A few months in, I’m happy with my choice. Of course, that may change, and I will need to always have a plan to switch if it does.

Okay, not all cloudy

There are a few things I will keep on site. For example, this website is being hosted on a VM that lives in my own living room. You could say that it’s a private cloud, but only by the strictest definition.

My virtual firewall has a Dynamic DNS agent that regularly updates CloudFlare with my current public IP. This was the most important part of moving to CloudFlare, having a simple and secure API to update the A records for my domain.

Another crucial element of this is having HTTPS on as many components as possible. Thanks to LetsEncrypt, I have a free TLS cert on my sites! Of course, this means having more moving parts on the web server to update the cert every couple weeks. Overall, I’m quite satisfied with this as well.

But wait, there’s more!

I also host my own NextCloud server for secure storage and file sharing. Though I get 1TB in OneDrive, I get about 12TB that belongs to me! Data ownership is important to me, so I do appreciate having a private file repository based on free software, and running on a hardened system that I have complete control over. In the future, I plan on integrating this with AzureAD, and adding some multi-factor authentication to the system.

This site itself is build using Hugo, a system written in Golang for rendering Markdown files into a static website. This was important for me, as exposing a public website based on something like WordPress that requires constant maintenance and upkeep is no bueno. The ability to quickly add content and copy the new site bundle to the server with SCP and not have to worry about another MySQL system is wonderful! It means having few moving parts, few ‘hackable’ elements, and much simpler site migrations in the future as I scale out.

That’s it for now

Hope this read as as interesting for you as was to write. I will likely update and add content as I grow and scale my system. For now, I’m happy with what I’ve built in a few short weekends and nights of research and testing.