I was recently tasked with working out the best options for hosting web applications and their data for a client. This was their foray into whether to throw all their stuff into the cloud or to build their own infrastructure to host everything on.
Hosting Options
There are a lot of options available now. Most of which are derivatives of either external cloud or internal (possibly cloud). All of which come with features and some price tags that need to be weighed up. I’ve been collecting resources of providers and their offerings (both cloud and in-house) for quite a while. So I didn’t have to go far to pull them together for comparison.
All sites and apps require a different amount of each resource type to be allocated to them. For example many web sites are still predominantly static, which require more network band-width than any other resource, some memory, a little processing power and provided they’re being cached on the server, not a lot else. These resources are very cheap.
If you’re running an e-commerce site, then you can potentially add more Disk I/O which is usually the first bottleneck, processing power and space for your data store. Add in redundancy, backups and administration of.
Fast disks (or lets just call it storage) are cheap. In fact most hardware is cheap.
Administration of redundancy, backups and staying on top of security starts to cost more. Although the “staying on top of security” will need to be done whether you’re on someone else’s hardware or on your own. It’s just that it’s a lot easier on your own because you’re in control and dictate the amount of visibility you have.
The Cloud
Pros
It’s out of your hands.
Indeed it is, in more ways than one. Your trust is going to have to be honouredĀ here (or not). Yes you have SLA’s, but what guarantee do the SLA’s give you that the people working on your system and data are not having a bad day. Maybe they’ve broken up with their girlfriend, or what ever. It takes very little to miss something that could drastically compromise your system and or data.
VPS’s can be spun up quickly, but remember, good things take time. Everything has a cost. Things are quick and easy for a reason. There is a cost to this, think about what those (often hidden) costs are.
In some cases it can be cheaper, but you get what you pay for.
Cons
Your are trusting others with your data. Even others that you are not aware of. In many cases, hosting providers can be (and in many cases are) forced by governments and other agencies to give up your secrets. This is very common place now and you may not even know it’s happened.
Your provider may go out of business.
There is an inherent lack of security in all the cloud providers I’ve looked at and worked with. They will tell you they take security seriously, but when someone that understands security inspects how they do things, the situation often looks like Swiss cheese.
In-House Cloud
Pros
You are in control of your data and your application, providing you or “your” staff:
- and/or external consultants are competent and haven’t made mistakes in setting up your infrastructure
- Are patching all software/firmware involved
- Are Fastidiously hardening your server/s (this is continuous. It doesn’t stop at the initial set-up)
- Have set-up the routes and firewall rules correctly
- Have the correct alerts set-up
- Have implemented Intrusion Detection and Prevention Systems (IDS’s/IPS’s)
- Have penetration tested the set-up and not just from a technical perspective. It’s often best to get pairs to do the reviews.
The list goes on. If you are at all in doubt, that’s where you consider the alternatives. In saying that, most hosting and cloud providers perform abysmally, despite their claims that your applications and data is safe with them.
It “can” cost less than entrusting your system and data to someone (or many someone’s) on the other side of the planet. Weigh up the costs. They will not always be what they appear at face value.
Hardware is very cheap.
Cons
Potential lack of in-house skills.
People with the right skills and attitudes are not cheap.
It may not be core business. You may not have the necessary capitols in-house to scope, architect, cost, set-up, administer. Potentially you could hire someone to do the initial work and the on going administration. The amount of on going administration will be partly determined by what your hosting. Generally speaking hosting company web sites, blogs etc, will require less work than systems with distributed components and redundancy.
Spinning up an instance to develop or prototype on, doesn’t have to be hard. In fact if you have some hardware, provisioning of VM images is usually quick and easy. There is actually a pro in this too… you decide how much security you want baked into these images and the processes taken to configure.
Consider download latencies from people you want to reach possibly in other countries.
In some cases it can be more expensive, but you get what you pay for.
Outcome
The decision for this client was made to self host. There will be a follow up post detailing some of the hardening process I took for one of their Debian web servers.
Tags: Architecture, Cloud, Networking, Security, Virtualisation, VPS, Web
Binarymist 
December 28, 2014 at 12:36 |
At Kademi we decided to self-host. The reason is that we’re providing a technology service to our customers and we need
– the ability to innovate without restrictions. AWS, GAE and others have infrastructure requirements that can limit innovation at the edges of what’s considered “normal”. Those limits are actually well hidden, most wont know about them until you’re well down the path of building your solution.
– compliance: large corporate customers often want guarantees about physical security. Cloud hosting services mean you cant answer some questions (eg “who can access the servers?”). We’ve found passing cloud provider audits much easier with a local hosting partner and self-owned servers
– its cheaper: counter intuitively, its much cheaper to self host if you have a fairly large requirement, and if you have in-house support. We need a bunch of grunty servers and the monthly cost with AWS would be at least double our co-location costs. That dynamic wont apply to everyone though.
We also use cloud hosting for a lot of purpose specific tasks (eg QA and a warm standby environment for disaster recovery), and its possible in future we’ll move some core services to the cloud
But right now self-hosting works for us. Bare metal FTW!
December 28, 2014 at 12:37 |
I have always been an advocate of self-hosting. I self-host. My clients all self-host, but do not have any IT staff of their own. It still works out better for them to keep it all on-premise. Of course the key thing is to spend the time on installation and configuration, so maintenance is largely automated. Also there are some small but important details that are important during the installation/configuration process. Not least of which being to set the Region and Language settings correctly during installation, not later on.
Brad’s point about being able to innovate is part of my personal motivation. My clients stick with me because their systems just work, but also because I provide various innovative solutions that are specifically designed for their business methods. When I am in control of their servers from the metal up, I can dream up any solution I want without limits, and can take more personal responsibility for what I do. Clients appreciate that!
January 7, 2015 at 10:16 |
Yeah, as you can see. Entrusting your information to cloud providers provides major security risks: https://www.indusface.com/blog/?p=769
January 29, 2015 at 08:39 |
I’ve had a number of clients move into the ‘self hosted’ model because they feel their data would be more secure on ‘their own servers’. While this is vaguely and relatively true in most respects they found themselves in a complete bind once the systems administrator they hired moved onto greener pastures.
January 29, 2015 at 09:11 |
Thanks Philip. In regards to being in a bind once the sysadmins moved on. As you say, it’s vital that the knowledge is shared. If the person responsible for doing the work can not be trusted to disseminate the information, then the person hiring the sysadmin needs to be. It’s their money, they need to be aware of what they are paying for. I’ve addressed that in the following section:
https://blog.binarymist.net/2014/02/22/automating-specification-by-example-for-net/#audience and probably lots of other places.
February 8, 2015 at 12:17 |
@Alan: So your clients hire you or other experts to secure/harden the systems? What about staying on top of security concerns, which is an ongoing endeavour that must be continuously worked on in order to have a system that is as secure as the domain requires, as that can’t be automated effectively?
February 8, 2015 at 12:19 |
@Kim – Security is always a concern! Whether hosted on-premise in a Private Cloud configuration or on a server hosted by a Public Cloud provider, security concerns are exactly the same, apart from the additional (and somewhat unknown) risks with Public Cloud. Either way, good security starts with user awareness – strong passwords, good practises and good communications if / when things go wrong, so that remedial action can be taken quickly. I view ALL updates as mandatory – immediately! You can’t assume anything security-wise, and zero-day exploits are a reality. I think the very rare event of an unwanted side-effect from an update is far preferable to a security breach. Work-arounds can almost always be figured out if there is some side-effect. I haven’t seen a “show-stopper” update for well over a decade.
When it comes to mail hosting, this is something I can see sense in using a public provider. But even here, I prefer to self-host, PROVIDING the installation has Trustwave Secure Email Gateway (SEG – formerly MailMarshal) to filter incoming messages. (Once properly configured, it REALLY works with very little ongoing attention!) Of course having SEG then allows some pretty fine-grained filtering including outgoing messages to ensure that business policies are adhered to. All sorts of other really useful message routing can also be done.
So by using certain software and the methods I have developed and refined over the last 20 years or so I still have a preference for self-hosting. It seems easier and better to me, using the somewhat formulaic approach I have now. (Actually I have been working with “Cloud” services a lot longer than 20 years – I was part of a team that developed and used messaging like e-mail from 1987 onwards – well before the internet and e-mail as we know it today.) I know many will disagree, but it works well for me and my clients.
March 31, 2018 at 09:01 |
Cloud Security chapter now available: https://f1.holisticinfosecforwebdevelopers.com/chap05.html#cloud from my second book: https://f1.holisticinfosecforwebdevelopers.com/toc.html in the series: https://holisticinfosecforwebdevelopers.com/