
Own Your Cyber Security

Online security threats are some of the largest threats your family faces today. You may have ensured that you live in a safe area, invested in a security system for your home, and take good precautions when going out, but you probably aren't nearly as prepared for the rapidly evolving online threats that plague the modern internet.

As it relates to cloud services, the main security concern is data breaches. Data breaches are a common occurrence, and hackers are often getting away with truckloads of data. It is almost certain, if you have a typical number of online accounts, that some of your information has been involved in a breach. The hackers may hold the data for ransom, sell it on the black market, or use it to pivot and get access to more data. For example, if an attacker gets a plaintext username and password combination, they will try using it to log in to hundreds of other sites in case the account owner re-used the same username and password for multiple sites. If they did, this can quickly cascade to the hacker taking over most or all of someone's accounts, especially if they can get access to an email account and then run password resets against other accounts tied to that email. The result may be that your data is deleted, your identity is stolen, or private information is published against your will.

One way to defend yourself against data breaches is to start using a password manager and generate a unique password for every account you make. A unique username or email is also useful, but not strictly necessary. However, this only protects you from one breach cascading into more, and does little to prevent a company from getting breached in the first place. A surer way to defend against data breaches is to self-host your own services and take responsibility for your own security, which is our recommended approach at OYCS. That way, it doesn't matter how many companies get breached, as they won't have your information in the first place.
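To see how far a single breach can spread through your own accounts, the cascade described above (password reuse, then password resets through a taken-over email account) can be modelled as a small audit. This Python sketch is an added example, not OYCS code; the account names, passwords and the recovery-email field are constructed for illustration.

```python
# Constructed sample vault: account -> (password, recovery email account or None).
REUSED = {
    "email":  ("hunter2-summer", None),
    "forum":  ("hunter2-summer", "email"),   # same password as the email account
    "bank":   ("Xk9#unique-bank", "email"),
    "photos": ("p4-unique-photos", "email"),
    "work":   ("w0rk-unique", None),
}
# The same accounts after following the advice: every password is unique.
UNIQUE = {name: (f"unique-{i}-{name}", rec)
          for i, (name, (_, rec)) in enumerate(REUSED.items())}


def blast_radius(vault, breached):
    """Return the set of accounts lost when the site `breached` leaks a password.

    Two cascade rules from the text:
      1. reuse: every account protected by the leaked password falls;
      2. reset: every account whose recovery address is a fallen account falls.
    A reset does not reveal the old password, so only rule 1 uses `leaked`.
    """
    leaked = vault[breached][0]
    fallen = set()
    changed = True
    while changed:                      # iterate until no new account falls
        changed = False
        for name, (password, recovery) in vault.items():
            if name in fallen:
                continue
            if password == leaked or recovery in fallen:
                fallen.add(name)
                changed = True
    return fallen


def rank_accounts(vault):
    """Accounts ordered by how many accounts are lost if that one site is breached."""
    sizes = {name: len(blast_radius(vault, name)) for name in vault}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for label, vault in (("reused", REUSED), ("unique", UNIQUE)):
        print(label, rank_accounts(vault))
```

With unique passwords a forum breach stays confined to the forum account, but the email account still ranks first because every password reset runs through it.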

It is true that if you are self-hosting, your self-hosted services could themselves get breached. However, the probability of that is significantly lower for several reasons. The primary reason is a concept that those in the security community call **attack surface**. A system's attack surface is the number of potential entry points exposed to an attacker. The larger the attack surface, the more chance an attacker has of finding just one that has been left open or vulnerable; and they only need one.

Companies often have a rather large attack surface, because they provide a variety of services to many different users. An attacker could find an old vulnerable web server that the company forgot about and left running, send an email to a less technical user in an HR department and trick them into downloading malware that then spreads throughout the company, or find an open remote connection service with default credentials that was hastily installed when everyone went remote during COVID lockdowns. Companies are large, rapidly changing, and often can't stay on top of keeping all possible entry points closed or properly restricted.

Your self-hosted server, on the other hand, has a comparatively small attack surface. You may have one exposed web server that only allows traffic to a small set of services that you opt in to allow everyone to access, and a VPN server that only allows pre-authenticated users to connect. As long as those two stay up to date, there is little an attacker could do to get in. They may attempt to get to your data by sending you malware in a phishing email, but that risk is the same regardless of where your data is hosted, as they could always get to it through your computer if you let them. Of course, the common advice applies here: inspect unexpected emails carefully, and go directly to websites instead of following links from emails.

On top of the innate security that comes with self-hosting, if you are running our OYCS Iolite software as the core of your self-hosted server, you will also benefit from the following security measures:

  1. Each minerapp is isolated and has a service-specific firewall. That means if you opt to expose a service to the internet, for example a forum for a community group, and it is compromised, the attackers will be unable to access any other services. They can only see the files and databases allocated to that service, and their network access is restricted to the minimal amount needed for that service to run.
  2. Most minerapps are denied internet access by default. That means that you can be certain that even if the app is itself malicious and wants to steal your data and send it back to the attacker, it will be unable to. All it is allowed to do is respond to requests from your devices. Minerapps that do have internet access are only allowed to access the specific websites needed for their operation, which is only a concern if the app is itself a trojan, and the organization that made it just a front for hackers. At OYCS, we do our best to ensure that this is not the case for any app that we list.
  3. If enabled, encrypted backups will be kept for all of your data for 90 days, and you can restore a minerapp back to the exact state it was in at the time of the backup, as long as you have the decryption key. This protects against any sort of ransomware attack.

As you can probably tell, Iolite employs a **defense in depth** approach, which means adding in security at all possible layers so that even if a single layer fails, the damage is contained. We are constantly working to make our entire ecosystem more secure by building security into the design, following the default-deny principle, and making the most secure option the default one so that you stay safe without having to worry about complex configuration.

Start taking ownership of your cyber space today

We believe that the future of software is decentralized and that you should fully own your identity, your data, and your infrastructure. If this sounds exciting to you, we'd love to talk more about how we can serve you. Just pick a time that works best for you. Or, if you're not ready to talk yet, you can sign up for our newsletter.