Protecting Your Code & Data from a Web Host

This thread came about from another thread of mine discussing switching from GoDaddy to another domain and hosting provider.

Here I would like to know: How can you protect your website’s code and your client’s customer data from the web host??

This may sound funny, but if you think about it, a web host could be the biggest threat to your website and customers, because you are giving the host full access to everything!! (At least hackers have to work a little to get to your precious data!!)

So, while I don’t like lots of things GoDaddy has done, ironically, I think I trust them more with protecting application code and data.

How so?

Well, my thinking is that GoDaddy is big enough that they have a lot of eyes on them including regulators. So, I am sure their legal department has stressed to their executives how prone GoDaddy could be to lawsuits, and therefore I am sure the executive team has put into place lots of policies and procedures that limit the chance that a GoDaddy tech could walk off with your application code or data.

By contrast, if I choose some smaller, less known web-host for my client, what is to prevent some tech from copying all of my code to his thumbdrive or even peeking around in my client’s database and stealing customer info?

Whether it is a Shared Server or a Virtual Private Server (VPS), you are giving the host nearly complete access, right?

And if the employees of your web-host are snooping around your website and log files and database and e-mail server, how would you ever know???

I am a company of one who is struggling to learn web development. Having a client that expects me to get his site up on a web host and then manage it is already pushing my knowledge. And now I lie awake at night worrying that I’ll get sued when some 18-year-old punk working at “Bob’s Discount Tires and Web Hosting” walks off with all of my client’s code and data!! :frowning:

I’m sure a lot of you are laughing thinking I wear a tin hat, but I think my fears are legitimate considering that Home Depot and Target can’t even secure their customers’ data!

In the end, I just don’t see how you would even know if your web host is screwing with your code or data.

And while I hate GoDaddy on many fronts, I think they are much less likely to ever do that versus a smaller host.

GoDaddy has too much to lose if one of their employees ever looked where he/she shouldn’t. But a smaller host could do that and go undetected, and you’d never know it.

How do you guys protect your application code and customer’s data when you host a website?

GoDaddy is basically a domain registrar who offer hosting on the side. As a side business hosting is far less important to them than it is to a business that operates entirely or primarily as a hosting provider. Hosting providers are far more likely to look after your hosting properly than a domain registrar is since that’s the business they are in.

All servers used for hosting are in data centres. The biggest hosting companies may have their own data centres but most hosting companies have their servers in a data centre that they share with other hosting providers. Physical access to the servers is only possible to those with access to the data centre and since the job of the people located there is to maintain the hardware it would soon be obvious to the others working there if someone started stealing the data.

That leaves remote access to the server and that means that what is being done would in most cases be logged making it possible to confirm whether or not a breach occurred.

Next, there is so much data being stored that simply grabbing data at random would likely mean that the data stolen would be meaningless and useless to any would-be thief. Only by targeting specific types of data can they obtain anything useful. Credit card numbers are not allowed to be stored on computers that can be accessed from the internet and so you will not have any stored on your hosting for anyone to steal. Passwords should all be hashed using an appropriate hashing algorithm so that stealing them is impossible (those sites having passwords stolen have failed to implement this simple security measure). While it is not possible to protect the rest of the data there is not a huge amount that can be done with it. The most useful information that could be stolen is names, addresses and phone numbers or email addresses. As it is to the hosting company’s benefit to have policies in place to make stealing data by their employees grounds for dismissal their staff are very unlikely to attempt such theft.

Having someone totally unrelated to the hosting company managing to break into your account and steal the data is a far more likely possibility than someone at the hosting company being responsible - after all they are being paid to protect your data.


Nice write up, @felgall. Nonetheless, I am still worried.

Maybe my fear is due to ignorance?

It just seems to me that if someone had access to a server, then it would be extremely easy to have access to my client’s website code and data. For example, I am on a Mac and using MAMP. If you had access to my Mac (e.g. I didn’t log out when going to lunch), you could gain access to and copy all of my code and data from MySQL in a matter of minutes. (Maybe that is a downside to using something like MySQL vs Oracle? AFAIK, there is no protection to MySQL if you have access to the server it sits on. It isn’t like you have to log in to gain access to the tables.)

Would a VPS be more secure? If we ordered a VPS, then would only we have access to what is on the share? Or could anyone on the host team access it?

For shared hosting, I believe everything is out in the open for anyone with server access to see. In fact, that is why I believe people say not to use shared hosting - because someone else on the same shared server could fairly easily hop the fence and be looking at your “share”!

That makes remote access to your data easier - it all depends on how effective the barriers that the hosting provider builds between the accounts are.

The type of hosting has no impact on access by staff at the hosting provider and staff at the data centre as they have access to all of the servers. There isn’t anything you can do about the security that these groups have in place to prevent their staff stealing content but then their staff are very unlikely to do so as doing so could end their career. About the only thing you can do regarding the hosting provider is to consider their reputation before taking out hosting with them. Each hosting provider I have used has been personally recommended to me by people I know who are using that provider.

It is far more likely that the attack will come from an unrelated party where it doesn’t matter who your hosting provider is.

Can anyone here - with first-hand knowledge - recommend a web-host located in the U.S. which offers VPS hosting and does a great job?

Not interested in GoDaddy, 1&1, or HostGator type companies.

Am thinking that a medium-sized company might be best.

Take a look at http://www.webhostingbuzz.com/

I currently have a shared account with them (expecting to upgrade to VPS later this year). DKLynn (who used to be the hosting team leader here a few years ago) recommended it to me - I believe he has two dedicated hosting accounts with them.

  • Digital Ocean - $5/mo cheapest - Haven’t used them, but have heard nothing but good things. They offer 1-click installs. Semi-large company, but respectable.
  • RamNode - $5/mo cheapest - I use them and you can use this affiliate link instead :smile: (get 512mb or above, don’t bother with 128mb/256mb options)
  • OVH - $15/mo cheapest - if you need extremely high bandwidth (you probably don’t)

uhhh, set up your own server?
Based on what you said about your experience/capabilities, that may be out of your league?

The other option is to select a hosting provider that you trust. I can well understand your concern regarding hosting providers. It took me w-a-y too much time to find one I felt comfortable with and whom I trusted (not so much that I feared they’d steal data; but rather, I wanted a host that knew what they were doing on the UNIX/LINUX backend). There are so many hosting sellers/resellers and the reviews jury-rigged by the people that are writing “reviews” to get the referral fee.

I’m betting Go-Daddy has not the slightest clue whether their employees are stealing your data. That is not how “big” companies operate. They hire somebody and make them sit through some corporate training. …most of it is probably geared towards how to call Mawburn a dude or dude-ette or some other politically-incorrect garbage.

That’s the most expensive option. By the time you get the server, the UPS, the fast internet connection and 24/7 support staff you are looking at a huge cost - probably well over $100000 a year.

I’m not sure what to look for as far as features from a web-host. Guess I need to figure that out before comparing them…

I looked at a few featured web hosts on this page that Hawk posted…

This one looks like it might be pretty good… InMotionHosting

I also like this reference from @Felgall, just not the name… WebHostingBuzz

m_w,

Unless you want to get into the overcrowded hosting market, give up NOW on getting your own server (I did LONG AGO).

Steve (@felgall) recommended WebHostingBuzz because he’s got an account with them … on my recommendation. I HAD three accounts with them, a shared, a specialized (Drupal) account (that client moved to another host) and a dedicated server. I moved from WebHostingZoom which I had considered good but WHB, IMHO, is simply OUTSTANDING. They seem to be right in there with the lesser cost hosts yet they utilize the latest hardware and software on their servers (in multiple data centers including one in the UK for our “POMEy” friends - to me, no downtime in several years). As great as that is, I’m exceedingly impressed with the friendly, expeditious and capable support staff (I continually recommend sending a technical enquiry to a prospective host and evaluating the speed and quality of the response before deciding). IMHO, you can’t beat the combination at WHB: Exceptional Support, Leading (NOT bleeding) Edge Hardware and Software at a Great Price!

Regards,

DK


@dklynn, thanks for the personal recommendation.

I called InMotion on Friday. The tech was friendly, but came across as a stoned surfer. LOL Didn’t leave me feeling really confident. I also don’t like how InMotion seems to do “smoke and mirrors”. For example, their website is plastered with pictures of their “offices” in Los Angeles, but it turns out the support staff is in Virginia Beach. I also don’t like how they advertise one package with “4GB of RAM” but if you read the 6-point font in the footer it is only 1GB of RAM with 4GB of “Burst”. Misleading at best… :angry:

I called WebHostingBuzz this weekend. The tech seemed to answer all of my questions and basically told me what I wanted to hear.

I’m still nervous about this whole hosting thing, but at some point I guess I just have to take a leap of faith.

One way of looking at it is that the hosting company support staff basically work for you in keeping your site up and running. You are employing them to help you and so interviewing them in order to pick ones that you are comfortable to have working for you is an important step as they will be helping you to keep your site safe and secure from external threats. For them to do this job for you properly they need a fairly high level of access to your data (eg. to be able to backup everything and restore it to a different hard drive when the original hard drive fails).


Valid point, however, I am more worried about negligence with old hard-drives versus a tech stealing data off my running VPS.

From SlashDot…

[quote]
CNet is reporting that Bank of America lost 1.2 million customer records
when some backup tapes went missing while being shipped to a backup
center. The lost records mainly affect U.S. government employees
involved in the SmartPay program. From the article: ‘The acknowledgment
comes as several other cases of businesses losing consumer information
have come to light.’[/quote]

m_w,

A “stoner” at InMotion? That’s NOT a good sign.

I wish you had included the name of the techie at WHB. I have dealt with many there over the past several years and they’ve all been great. The dedi staff, though, are the cream of the crop.

Nervous or wary. Remember, there’s no rest for the wary … but that’s a good thing as you should be a better coder for it. The old “ounce of prevention is worth a pound of cure” is a gross understatement when it comes to websites as so much damage can be done by hackers (to the website as well as your reputation as a webmaster). In other words, be VERY WARY and you’ll be fine.

You’ve learned something along the way, too: Contact a prospective host with a good, technical question and evaluate the response you get. Absolutely invaluable (it’s shown you to AVOID InMotion and that the folks at WHB are a savvy bunch (not so much on a sample of one but, in conjunction with a pair of recommendations, it’s a pretty good bet)).

Oh, WHB can assist you in moving your domains, too, so be sure to ask. After all, they need something to do when this dedi client isn’t causing problems or asking silly questions (I’m NOT too old to learn new things about servers).

Regards,

DK

Didn’t mean to sound mean or prejudiced, but just being honest.

What caught my attention was that InMotion seems to market HEAVILY on how they are this cool, sleek California web-hosting company in Southern California - it sucked me in - and here I was talking to this kid that brought images of some teen that sounded like he was out of “Fast Times at Ridgemont High” - one of Spicoli’s buds!

More ironic was that he was in Virginia Beach, VA!

(I am more interested where the people I interact with at the web host or domain registrar are located versus where their over-paid bosses sit!)

He was friendly, but honestly sounded like he was stoned - very subdued. “Yeah man… We got that…”

How big is their company? Is it small enough that you know most people there?

Not sure if I am weary, wary or leery! LOL

More like stressed.

This is a lot of new responsibility for me that I am not used to.

Not sure if I will be fine, but I am definitely trying to do my research and ask for advice from experts like you guys…

Yep, I wasn’t impressed after speaking with that kid - even if he was trying to help.

You have a point there.

Thanks for all of the help!! :thumbsup:

m_w,

Okay, maybe not a “stoner” but sounded like it? That’s STILL not the type of person I’d want to rely upon for ANYTHING. Whatever the reason, you’ve established a first impression and it’s generally good to go by those (unless you want to waste a LOT of time to overcome this type of first impression - IMHO, not worth the effort).

How big? I certainly don’t know but they do appear to be a moderate-sized company. To me, though, the difference is that every individual I’ve communicated with has been polite, knowledgeable and had either resolved my problem or passed me on to the person who can … quickly! I don’t have to wait long for a reply/resolution for anything which is VERY important to me!

Stressed is part of life but don’t allow it to overwhelm you. Wary is good, weary means that you need more rest (for a clearer head) and leery just means that you have a suspicious nature (a good thing when dealing with the “cowboys” in the hosting business).

Ask away! Read books on hardening your code. Take courses on hardening your code. There are a lot of simple little things which should become second nature but MUST be on the IMMEDIATE TO LEARN list of every newbie.

I can’t pan InMotion as I don’t have any experience with them so, based on your experience with them (sample of one is generally dangerous), I would avoid them. Your other sample of one was a follow-up to a pair of sterling recommendations and can be considered validated.

You’re very welcome. While my time here was initially to help me learn PHP, I’ve spent the bulk of my years helping members in the Hosting (hosting, security and server) boards. If you’re like me, though, stick around and “share the knowledge” with others and help them LEARN.

Regards,

DK


Thanks, DK!! :thumbsup:

Just want to confirm my experience with InMotion. They bought me with their very friendly behavior, but after, it turned out that they are selling 256MB!!! as 4GB of RAM. Because of that my sites were not working and I was so much more looking my site through www.websitedown.info that the site is down, rather than through my own domain address. Although their support was convincing me that the problem is with my code, when I changed to another hosting provider it is now working without any problem. So please avoid their hosting.
As for the data protecting, it is always a good thing to have a password protected database file.

That will not protect the data from anyone with actual access to the server as they can see where the password is stored. It does help protect against remote access though.