ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Cloud Hosting

March 10, 2012 5:04am

  • #1 / Mar 10, 2012 5:04am

    Ignited Coder

    3 posts

    Hi,
  I’m writing an application using CodeIgniter (LAMP), and I must say, it’s been a really, really pleasant experience with CodeIgniter. I thank the community for this.
      I’m now planning to host the application on the cloud, and the service providers say they provide “scalable cloud servers”, with autoscaling that provides virtual instances.
    This would be my first experience with cloud hosting. I’m wondering what are all the things I should consider regarding safety and security before I say “YES”.

    Thank you

  • #2 / Mar 10, 2012 5:41am

    PhilTem

    872 posts

    I can’t give you any first-hand experience with cloud hosting for web apps since I only use cloud servers for my content distribution.
    But there is a post on net.tutsplus which covers how to deploy your page and has some more background info. And it’s written by @philsturgeon
    click me to read more

    But in general I think it’s as secure and safe as running a non-cloud-based web page on e.g. a virtual private server. Maybe even a little more secure, since you don’t have to take care of the machine itself and DDoS attacks and can concentrate on your web app itself.

  • #3 / Mar 10, 2012 6:59am

    Rok Biderman

    240 posts

    First of all, welcome to the forums.

    Of all these PaaS I’ve tried PHPfog, Pagodabox and Zend cloud (still in beta). I haven’t used Orchestra.io, since their offer is quite confused, and Zend hasn’t divulged their pricing yet, so I can’t really make a fair comparison of the latter two.

    If you’re used to shared hosting, both safety and performance are better by an order of magnitude. You are expected to know and use a version control system (you ought to, anyway) as the deployment is based on post-update hooks from your commits, Heroku style. In other words, you have to know the basics of Git or it’s a no go.

    As for value for price I have to recommend PHPfog. For $29/month you get an infrastructure for 10 apps. This, I believe, is the price you cannot beat with PaaS providers. I’ve had experience with them and it all worked seamlessly, so I can’t testify on their CRM skills. They had an early security breach but have since improved on it.

    On the other hand, Pagodabox started with deployment exclusively from GitHub in beta, so I found it useless. I’ve tried it twice since they started running their own Git server and it is a very nice environment (about which you can read extensively in Phil’s tuts+ article, though it describes a FuelPHP install). They definitely seem the most polished of the bunch and most active, since the focus of PHPfog has moved to Appfog. You just need to make sure you’re in the budget for the expenses that might occur. This one can get quite pricey later on, but if you create some kind of revenue stream out of it, you ought to be fine.

    Security-wise, you have to realize that in the final instance you are handing these companies control over the functioning of your application and all associated risks that come with it. You present a lot bigger target (similar to using a WP blog as opposed to making your own), but it’s also more likely that a vulnerability will be noticed and fixed. The fact is that you’re handing your data into the hands of these people (as well as Amazon, because both of them are AWS based, I believe). If you can live with that kind of potential exposure, you should be fine. For most people this is much safer than their alternatives, but don’t mention this kind of hosting to IT audit & governance people, because they freak out at the mention of PaaS.

    In other words, you are unable to guarantee your clients their data will be handled according to your expectations. If I’m informed correctly (I could be wrong), any law enforcement institution in the USA can get hold of your data based on nothing more than an official request. This situation is virtually the same as with SWIFT transaction data (if you’re from the EU) and is the sad truth of the world we live in. You cannot expect these small firms to be able to resist those kinds of requests, and Amazon complies quite eagerly as well. They also need to comply with a US court order as well as the court order of any other country your files might be hosted in.

    This pertains to all cloud hosting solutions and is the reason why it’s potentially a poor decision to base your application exclusively upon cloud-based solutions. The regulation in my country stipulates that I have to be able to provide some (for ex. accounting) data upon court order. Having it stored in a foreign country can impede my court’s ability to gain those records and I might be held accountable for it. It can also mean a breach of your clients’ expectations (or requirements, or maybe even legal provisions) for the data to be safe from scrutiny of all but your own government. This is probably true for most accounting data, so in that case some sort of hybrid setup is needed. It’s partially so with any hosting, but if I hosted locally I could assure I was able to comply and I couldn’t be held responsible.

    Other things you should consider safety- and security-wise are pretty much normal PHP stuff: sanitize input, use CSRF protection where needed, correct password handling and session handling. In my own opinion, if you have the experience to manage your own servers, nothing mentioned above comes close to EC2 (performance-, configurability- or price-wise). But for someone who isn’t willing to spend (a lot of) time learning those intricacies. I might have misunderstood what you meant by security and safety, so feel free to ask additional questions. Congratulations on your patience if you managed to read this wall of text 😉

  • #4 / Mar 10, 2012 8:04pm

    Ignited Coder

    3 posts

    I’m not really sure what exactly to call it, PaaS or something else,
    but what they’re providing is:
    a virtual instance of a CentOS machine, with PHP and MySQL installed. And I can get as many instances as I need. And I’ll get root access.
    I feel it’s not what “Pagoda Box” looks like.

    Just to quote Philip Sturgeon, “I spot a developer battling to defend his server from some group of hackers or script kiddies, getting port flooded, having trouble getting some random security patch working, struggling to migrate to larger more powerful servers”.

    Will I have to do these myself?

    The sales dept of that company tell me they’ll do security patch updates, install PHP and other stuff like that for me. But I want to ensure they do it right.

    So to put it more specifically:

    1. What are the things I should look for in their service to satisfy myself that their systems are secure, in the sense that their security patches are up-to-date, ports are safe, etc.?

    2. What are the measures I should take to secure my systems? I know this is a very big topic worth writing books about, but I am just looking for a “check list” that an experienced developer would refer to.

    3. Are there any specific security measures I must take to protect my data in a cloud environment, where the instances are virtual machines? (The analogy of the threat I’m thinking of is: if you’re in shared hosting, your data is not as private as you think.)

    4. Is there a way to know if they’ll have full access to my source code/database credentials etc.? If so, can I do something to prevent it?

    I’m trying out not-so-famous provider outside US.

    @PhilTem, Thanks for your link. It helped me to understand my problem.. 😊

    @Coccodrillo, Thank you so much, for taking time and sharing your experience. I’m not familiar with Git or any other version control for that matter. I just wrote the application, with CI, and as I’ll be having full root access, I think I can move my php files to document root and host it. (That’s what I plan to do). 


    Also, thanks for all the “wall of text” and legal issues; not only did I read it till the end, I read it a couple of times. :coolsmile:

  • #5 / Mar 12, 2012 5:36am

    Rok Biderman

    240 posts

    1. If they provide you with an up-to-date version of PHP, MySQL and configure a webserver for you (either Apache or Nginx), and secure your server so only the ports needed are open (usually 80 for web requests and 22 for ssh), you’re as secure as you’re going to get.

    2. This one is very simple. You needn’t know anything about it. If you have to worry about it and don’t know how, just use PaaS for a while and see how it fits. Both of the discussed providers have some sort of trial account; make use of it.

    3. You need to address your normal vulnerability list (SQL inj, CSRF, XSS, brute force password cracking…). Other than that, there isn’t anything special you can do; it’s just a server. If they have some kind of vulnerability, it’s beyond your means to detect and fix it, so you might as well not worry about it.

    4. There is no way around it. They have control of the underlying infrastructure and consequently access to your source and db data. This is true even if you’re on bare-metal servers.

    Two additional ones I would like answered in your shoes:

    5. How is your backup going to be performed and how are you going to be able to restore it if something goes wrong?

    6. If you expect this application to be popular enough that you need multiple instances, you also need to check how load balancing works. Especially as multiple MySQL instances are only realistically done via sharding, and this is something that you have to take into account when designing your app.
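The port check from point 1 above, as an added example (a shell script written for this page, not from the thread or from CodeIgniter): it assumes `ss -lntu` output as input and that only ports 22 and 80 are meant to be reachable from outside.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sockets a CentOS/Linux host is
# listening on against the allowlist suggested above (22 for ssh, 80 for web).
# Anything else bound to a non-loopback address is reported so it can be
# firewalled or shut down. Input is `ss -lntu` output (netstat columns differ).

ALLOWED_PORTS="22 80"   # assumption: only ssh and plain HTTP should be reachable

is_allowed() {          # $1 = port number; 0 if it is on the allowlist
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

is_loopback() {         # $1 = local address as printed by ss; 0 if loopback
    case "$1" in
        127.*|'[::1]'|'::1') return 0 ;;
    esac
    return 1
}

# Reads ss lines on stdin, prints "UNEXPECTED <proto> <addr:port>" per offender.
# Returns 0 when only allowlisted or loopback listeners exist, 1 otherwise.
check_listeners() {
    rc=0
    while read -r netid state recvq sendq laddr peer rest; do
        [ "$netid" = "Netid" ] && continue     # header line
        [ -z "$laddr" ] && continue           # blank line
        port=${laddr##*:}                     # text after the last colon
        addr=${laddr%:*}                      # everything before it ([::] survives)
        is_loopback "$addr" && continue
        is_allowed "$port" && continue
        printf 'UNEXPECTED %s %s\n' "$netid" "$laddr"
        rc=1
    done
    return $rc
}

# Constructed sample: ssh and http as expected, chrony on loopback only, and
# MySQL exposed on every IPv6 address (the kind of thing the check should flag).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    *:80               *:*
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
tcp   LISTEN 0      80     [::]:3306          [::]:*'

# Run against the sample; on a real host use: ss -lntu | check_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_listeners
```

A non-zero exit makes the script usable from cron or a deploy hook, so a database port that quietly starts listening on a public address after a provider-side change does not go unnoticed.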

  • #6 / Mar 13, 2012 11:35am

    Ignited Coder

    3 posts

    Thanks for the detailed response. The normal vulnerability list (SQL inj, CSRF, XSS, brute force password cracking…) I’m taking care of.
    The additional two points you’ve raised are very important, and I’ll address those issues. One good thing is they’ve some disaster recovery support, which I’d not paid much attention to, but will do now. Also, thanks for the database suggestion.


    Have a nice day.. 😊
