The why and how of ensuring Intellectual Property is stored securely on your systems
Recent developments in the software sphere demonstrate how your organisation’s intellectual property can be undermined by the use of SaaS solutions such as GitHub.
This piece by FOSSA explores how the GitHub Copilot development tools are able to draw on code hosted on GitHub, including your own projects, to ‘share’ that expertise with other GitHub customers.
This demonstrates the need for commercially sensitive data to be stored securely on your own systems, be they Private, Public or Hybrid Clouds. For many of our clients the bespoke software they develop is both commercially sensitive and the literal future of their business.
A look at licensing
Regardless of the licence of your code, in storing it on a platform such as GitHub you are in fact using a Software as a Service (SaaS) solution – meaning the code you put on the platform is subject to the vendor’s terms of service, which you did not write and cannot negotiate.
This is not unlike how professional photographs uploaded to digital platforms such as Facebook are licensed to the platform on upload: the terms grant the platform a broad, royalty-free licence to use and sub-license the content. You put in the effort, they reserve the right to exploit the results.
The team that you have trained, retained and pay works incredibly hard to make the software that puts your organisation at the cutting edge and ahead of the competition. But what if your competition owns the platform you store your code on?
It’s incredibly important to review the way you store bespoke productivity tools that your organisation has designed for its exclusive use. This could be a game engine or game assets; it could likewise be a new machine-learning algorithm that your studio has developed to provide a uniquely immersive experience.
If you are a law firm it could be the additions you make to your practice management system, automation scripts that relate to your infrastructure or yet again – unique tools that you develop to provide smoother services to clients.
Git is an incredibly powerful version-control system, and it is decentralised and open source by design – every clone is a full copy of the repository, so you don’t need to put your intellectual property at risk on account of a perceived convenience.
We strongly recommend using systems such as Gitea in order to host your own code on your own systems. Without solid commercial agreements restricting the distribution of your software, your suppliers and subcontractors can readily find themselves storing excerpts of your code on platforms you do not deem secure.
Outsourcing development requires a keen eye for secure storage and for agreements on data transfer. SaaS by its nature restricts your freedom as a customer to engage with the platform, and such platforms often lack enforceable contracts (in the UK) because you cannot actually negotiate them.
To put it another way, storing your most sensitive source code on a platform that doesn’t even give you (the buyer) an opportunity to negotiate storage and data-transfer terms is rather strange.
Storing Intellectual Property on a Secure Cloud
Firstly, never use a Cloud which isn’t secure. When we refer to Cloud at Hayachi Services, read it as (Secure) Cloud – and please never forget that a hosted, multi-tenant, internet-facing solution exposes a far greater attack surface than a privately or internally hosted one.
We have established the real concerns of storing the fruit of your labour, and significant investments, on somebody else’s Cloud. You have no oversight of the platforms and operating systems it runs on (and we have seen rather old systems at big-name hosting providers), which is a risk in itself.
So what are your options on secure storage when you have to share the code with external parties?
An air-gapped network keeps systems physically isolated from the public internet; short of a full air gap, network segmentation is often a quick and effective way to help secure your cloud. You can still make the data accessible where you need to, through dedicated transfer solutions.
We only recommend Opswat for air-gapped networks because they are the security experts who maintain this on the most critical systems on the planet. That is to say, they work with governments, infrastructure providers and professional services firms, and remain vendor-neutral in order to stay at the cutting edge.
- By hosting your source code internally on a platform such as Gitea on a Private Cloud, you limit external access to, and transfer of, your intellectual property by default.
- You can store data on Infrastructure as a Service (IaaS) platforms which is the equivalent of renting a vendor’s physical hardware exclusively.
- Using a Public Cloud (such as Dell Cloud, AWS, etc) you can carve your own space on a system that you retain total control over, less the hardware itself.
- Never share sensitive information with parties you haven’t made formal agreements with.
- Always make sure you can audit, at any time, the state of the systems your information is stored on, so that other parties do not cut corners storing your source code.
- Your next step is to ensure you can securely transfer information using an antimalware file transfer solution such as Opswat File Transfer. This is important as otherwise you may ‘import’ malware from other parties.
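One concrete audit you can run yourself, as an added example for this page rather than Hayachi Services’ own tooling: walk a directory tree (your build servers, a contractor’s delivered workstation image, a developer’s home directory), parse every `.git/config` found, and flag any remote whose host is not one of your own self-hosted servers. The allowlisted hostnames and the sample repository config are constructed for the example; the script parses the config file directly, so it runs without git installed.

```python
"""Audit git remotes for source code that may be leaving your own systems.

Added example (not the page author's tooling): finds every .git/config under a
root directory and reports remotes pointing at hosts you do not control.
"""
import configparser
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Hosts you control. Assumed example values, not taken from the page.
ALLOWED_HOSTS = {"gitea.internal.example", "git.internal.example"}

# URL-style remotes: ssh://git@host:2222/org/repo.git, https://user@host/org/repo
_URL_RE = re.compile(r"^[a-z+]+://(?:[^@/]+@)?([^/:]+)")
# scp-style remotes: git@host:org/repo.git (but not scheme://, handled above)
_SCP_RE = re.compile(r"^(?:[^@/]+@)?([^:/]+):(?!//)")


def remote_host(url: str) -> Optional[str]:
    """Return the lower-cased host of a remote URL, or None for local paths."""
    m = _URL_RE.match(url) or _SCP_RE.match(url)
    return m.group(1).lower() if m else None


def parse_remotes(config_text: str) -> Dict[str, str]:
    """Return {remote_name: url} from the text of a .git/config file."""
    # git config is INI-like: sections such as [remote "origin"], tab-indented
    # keys. Restrict delimiters to '=' so refspecs containing ':' parse intact.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(config_text)
    remotes = {}
    for section in cp.sections():
        m = re.fullmatch(r'remote "(.+)"', section)
        if m and cp.has_option(section, "url"):
            remotes[m.group(1)] = cp.get(section, "url").strip()
    return remotes


def flag_external(remotes: Dict[str, str], allowed=ALLOWED_HOSTS) -> Dict[str, str]:
    """Return the remotes whose host is not on the allowlist.

    Local filesystem paths (host None) are not flagged; they stay on the machine.
    """
    return {
        name: url
        for name, url in remotes.items()
        if remote_host(url) is not None and remote_host(url) not in allowed
    }


def audit_tree(root: Path, allowed=ALLOWED_HOSTS) -> Dict[str, Dict[str, str]]:
    """Walk root and return {repo_path: flagged_remotes} for repos with findings."""
    findings = {}
    for cfg in root.rglob("config"):
        if cfg.parent.name != ".git" or not cfg.is_file():
            continue
        flagged = flag_external(parse_remotes(cfg.read_text()), allowed)
        if flagged:
            findings[str(cfg.parent.parent)] = flagged
    return findings


# Constructed sample: one repo that pushes to GitHub as well as the internal server.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = git@github.com:example-org/game-engine.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "internal"]
\turl = ssh://git@gitea.internal.example:2222/studio/game-engine.git
\tfetch = +refs/heads/*:refs/remotes/internal/*
[remote "backup"]
\turl = /mnt/backup/game-engine.git
[branch "main"]
\tremote = internal
\tmerge = refs/heads/main
"""


def demo() -> Dict[str, Dict[str, str]]:
    """Build a throwaway tree with the sample repo and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "projects" / "game-engine" / ".git"
        repo.mkdir(parents=True)
        (repo / "config").write_text(SAMPLE_CONFIG)
        findings = audit_tree(Path(tmp))
        # Strip the temp prefix so the result is stable for the caller.
        return {str(Path(k).relative_to(tmp)): v for k, v in findings.items()}


if __name__ == "__main__":
    for repo_path, remotes in demo().items():
        for name, url in remotes.items():
            print(f"{repo_path}: remote '{name}' points outside your systems: {url}")
```

Run it against `/` on a shared build host and anything it prints is code that can reach a platform you did not vet. Windows drive letters (`C:\repo`) look like an scp-style host to the regex and would be reported; on Windows hosts, add the drive letters to the allowlist or extend `remote_host` to skip single-letter hosts.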
A Private Cloud is still a Cloud, it is still convenient for your organisation to use. A Public Cloud is hosted by someone else on your behalf, you are simply renting it (and many sensitive systems benefit from these e.g. datarooms).
Putting the most sensitive information your firm has, into which it may well have invested several years, online, only for it to be breached or willingly pilfered by the SaaS vendor, is not what we would recommend to our clients who run or build bespoke systems.
The safest place to store your intellectual property is in hearth and home – on a Cloud that you manage rather than in a SaaS solution where there is no control and no accountability in data transfer.