2

If we buy a VPS, the admin of the enclosing server can always steal our data, right?

Is using a dedicated server a solution? (We can't afford our own datacenter in any case.) But it seems that stealing from a dedicated server is harder, as one needs to plug into it physically.

If nevertheless using a VPS, does ordering it from a big company help our security? (The company would be on our side against the black hat admin, because for a big company their reputation is more valuable than our data.)

porton
  • 185
  • 7
  • 'Dedicated servers' are not physical if hosted. Plus, the hoster would be physically connected anyway. – schroeder Dec 26 '16 at 22:27
  • As a general rule physical access to a machine will trump all other security controls since physical access gives you the ability to circumvent them. Likewise, root or administrative access to a machine trumps application level controls since root or administrative access sits above the application. – user34445 Dec 26 '16 at 22:28

2 Answers2

2

When ordering cheap VPS's this is certainly true.

However, the largest cloud service providers are a different matter. If this is a genuine risk, you should look at the likes of Azure and AWS which have very significant certifications for security.

Azure, for example, can offer customer lock keys and provide very significant process security that greatly limits admin access to customer data even without the use of customer keys.

Actually, stealing from a physical server is often easier than the best cloud services. Again using Azure for reference as I am most familiar with that. Azure generally splits customer data across multiple physical storage arrays and even across multiple compute VM's so that physical access to the data centre would not enable access to your data.

Again, though, this is very different to buying a VPS which will be a logical slice of a physical server. In that case, the vendor's admins will have full access to your data whether you like it or not.

All of this comes down to managing risk. What data are you storing? Are you working in a regulated industry (e.g. Finance or Health)? How many records? If you are running a business from a VPS, what insurance do you have? How are you managing your liabilities to your customers?

Julian Knight
  • 7,092
  • 17
  • 23
1

Dedicated or virtual, when you lease a server from a third party, you're trusting that provider to not monkey with your business. Colocation (particularly if they give you a locked cabinet) gets you a bit more privacy, but you're still implicitly trusting the the people who run the facility to keep their hands to themselves.

With computer, physical possession is ownership - end of story.

So your best bet is to go with a company that has the appropriate internal controls to prevent rogue employees from behaving badly. So Amazon, Google, Microsoft, and IBM are all going to be reasonably safe places for you to put your data; they have the resources to invest millions of dollars on internal security in order to avoid an unwanted incident. The colo down the street is a bit more of a gamble, and some random company on the Internet even more so.

tylerl
  • 82,225
  • 25
  • 148
  • 226