I have not worked for a company before to see how they do it, and I can't seem to find much info online regarding the topic.<p>How (exactly) do you host sensitive/private data for your company like source code, financial docs, or even the private company intranet?<p>I always assumed that these were just hosted on some non public facing box on the LAN or something, but then I realized that it is probably more likely that the data is on either a box in some data center that you colocate at or some VPS service that you use alongside your public facing services. But I suspect most companies have issues storing sensitive data on any kind of hosted box or cloud store.
I guess it depends how private the data needs to be. My view is that for stuff that's even vaguely sensitive, it would be nuts not to use TLS/SSL for data in motion. But you also need to think about whether it's acceptable for the data to reside with whoever will be on the receiving end.<p>At my day job, the intranet is hosted internally on servers within the premises, but this is more for historical reasons than security concerns. There are a number of other file servers etc. that are kept in-house for historical reasons and because they contain sensitive information. satellite offices are connected to the main office by a VPN.<p>Our public websites are hosted external to the office network on a VPS. I tend to be a little obsessive about making sure that all possibly sensitive traffic that goes between our local network and our VPS is encrypted (admin interface over https, SSH sessions, FTPS etc.) and because there's really nothing on the public websites that shouldn't be public anyway, I'm happy to trust the hosting provider with that data.<p>We're thinking of giving Yammer a go for adding to internal communications and I will of course be recommending that we use TLS/SSL with Yammer should the idea go ahead. There's so many of these hosted services these days, it would seem like shame to dismiss them all just because they're hosted and you need to travel across the Internet to get to them. I prefer to look at things on more of a case by case basis and weigh the pros and cons.<p>To oversimplify a complex issue: encrypt data in motion across untrusted networks, make sure you trust where the data is ending up (whether you're encrypting it at rest as well or not). Or host it internally and make sure your own network is secure and reliable.<p>So in my experience from the places I've worked, I guess you could say it's usually a little from column A and a little from column B. Larger organisations seem to be warming to the idea of taking advantage of the cloud more and more these days when previously they would more likely opt to host stuff in-house.