I recently spent the weekend in Brighton, at the first PC and Indie Games Conference, Rezzed. During the weekend, I went to various developer sessions where games developers talked about the processes they used to develop their games, the next titles they were working on, or how their latest game was born.
As an information security professional, and avid gamer, I sat there, listening to various independent developers, and watching them demonstrate their work (which has taken a considerable amount of time, effort and skill to produce) and I began to wonder: are they ensuring that the source code for their games is securely stored and backed up, and have they made sure that the computers they use are free of any malicious software that may not have been noticed by their anti virus software?
This blog post is my attempt to provide advice to the indie games development community about methods that they can use to ensure that the most important parts of their games (the source code, graphics assets, etc.) are protected from both intentional, and accidental corruption, deletion or theft, but it can apply equally to anyone.
Secure Backup of Data
Ensuring your code and other valuable data is backed up off-site in a secure location is vital to any business, but even more so when that accessing that data is the only hurdle preventing your competitors from stealing your idea and launching it as their own.
You have several options for off-site backup of your data. By far the cheapest is Amazon's Simple Storage Service (also known as Amazon S3), which charges you very low fees for the data you store in 'buckets', which can be encrypted and the contents protected from public access.
There are several tools for uploading your data into Amazon S3, even down to a command-line tool, s3cmd, for use on your servers, to enable you to automate the process. Many FTP clients, such as Transmit on OS X, also allow you to connect to an S3 bucket and then copy files over to it just as you would a normal FTP/SFTP server.
If you feel that you don't want your sensitive data travelling across the Internet to a storage server, you can always perform backups to external drives locally and then task someone in your company with the responsibility of taking them home at night, and bringing it back in the morning.
This process ensures that, should anything happen at the office, and your computers are either stolen or destroyed, you still have a copy of the projects you were working on, that you can use to re-build.
User Access Control
Equally (although some would argue more) important to safeguarding your business-critical data is the process of Access Control, that is ensuring that only users who need access have it, and making sure that only the ones who really need to edit/delete files can.
At it's most basic level, Access Control basically means ensuring that only people with a valid account on your computers can access the files on them. Expanding this idea slightly are file permissions, present in most modern operating systems, which define what individual users can and can't do to a specific file/directory.
You can use file permissions to give other members of your development team read-only access to the files you are working on, ensuring that, unless they compromise your user account, they can't make any changes to your files.
By default, Windows grants read access to most files created by users to the special Everyone group, which, yes you've guessed it, means that anyone else with an account on your computer (or domain) can read the files on your computer. If those files are the source code to your latest project, you probably don't want this to happen!
Network Access Control
It wouldn't do much good to implement the best User Access Control scheme you can think of, only to discover that, thanks to your un-encrypted wireless network set up to allow visitors to your office to get online easily, all the files you transfer between your servers and the computer can literally be 'plucked' right out of the air and re-assembled. This is where Network Access Control comes in.
Network Access Control is the process of authenticating devices (and sometimes users) that wish to connect to your actual network, ensuring that only devices and users you know about can connect, and blocking and actively alerting you to unauthorised access attempts.
Many systems exist to assist you in implementing Network Access Control, and a full discussion of how they work is outside the scope of this post, if you would like more information, please contact me using the contact form on the site.
More to Come
This has turned out to be a longer post than I originally thought, and there are still quite a few things to cover, including Wireless Network Security, Removal Storage Policies, and quite a few others, so I'm expanding this into a 2-part series, the second part will be posted next week.