elepil
asked on
Need recommendations for PHP web host technical support that support shell access
I currently have a Java web hosting account, and their technical support people are really good, all well-versed with managing a web site entire through a Linux shell.
Lately, I have been looking for a PHP-based web hosting account. I inquired into several companies like GoDaddy and iPage by calling up their technical support to see if they were even familiar with very basic Linux commands, and it sounded like they don't know the first thing about it; they only know web host management via some graphic interface like cPanel.
I am looking for PHP web host recommendations where their technical support people are good with Linux shell access. Yesterday, I signed up with GoDaddy and was able to access a shell. One of the first things I did was do a 'pg' on the default home page, and to my dismay, I got a message saying "--bash pg not found". ??? 'pg' is a very basic Unix/Linux command available for decades. When I called up their technical support, I received long pauses of silence; clearly, none of their technical support is familiar with Linux. Then I did a "ls -l" in my shell and was surprised to see .htaccess!? That's supposed to be a hidden file, why did it show with ls -l? It's supposed to show only with ls -al that would show hidden files. When I called Godaddy tech support, nobody knew! Then today, I called up the tech support of iPage and got the same awkward long pauses. I just called Justhost.com, same thing!? What the heck is going on?? Not everyone wants to manage their web site using GUI interfaces like cPanel!
I will call up the technical support department of any web host recommendations I get, so please, anyone who gives recommendations, make sure you're doing so from first-hand experience and not some google search.
Thanks.
Lately, I have been looking for a PHP-based web hosting account. I inquired into several companies like GoDaddy and iPage by calling up their technical support to see if they were even familiar with very basic Linux commands, and it sounded like they don't know the first thing about it; they only know web host management via some graphic interface like cPanel.
I am looking for PHP web host recommendations where their technical support people are good with Linux shell access. Yesterday, I signed up with GoDaddy and was able to access a shell. One of the first things I did was do a 'pg' on the default home page, and to my dismay, I got a message saying "--bash pg not found". ??? 'pg' is a very basic Unix/Linux command available for decades. When I called up their technical support, I received long pauses of silence; clearly, none of their technical support is familiar with Linux. Then I did a "ls -l" in my shell and was surprised to see .htaccess!? That's supposed to be a hidden file, why did it show with ls -l? It's supposed to show only with ls -al that would show hidden files. When I called Godaddy tech support, nobody knew! Then today, I called up the tech support of iPage and got the same awkward long pauses. I just called Justhost.com, same thing!? What the heck is going on?? Not everyone wants to manage their web site using GUI interfaces like cPanel!
I will call up the technical support department of any web host recommendations I get, so please, anyone who gives recommendations, make sure you're doing so from first-hand experience and not some google search.
Thanks.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Gary, thanks for responding.
No, this is not a VPS, no money to pay for a dedicated server unless it's justified :) So I'm talking about just a shared web host account, the cheapy type. I have an account with www.Kattare.com, and it does support both Java and PHP, and those guys are good! They live in Linux. I just assumed all web hosts had tech support people equally capable.
But I'm looking for another web host because Kattare's features are not the best. For example, web hosts nowadays offer unlimited disk space and bandwidth, but Kattare gives you like a measly 1gig with very limited bandwidth, and they charge $10 to $30 a month for that. So I'm looking for a cheapy web host that at least have decent tech support people who are familiar with the very operating system they're running on.
No, this is not a VPS, no money to pay for a dedicated server unless it's justified :) So I'm talking about just a shared web host account, the cheapy type. I have an account with www.Kattare.com, and it does support both Java and PHP, and those guys are good! They live in Linux. I just assumed all web hosts had tech support people equally capable.
But I'm looking for another web host because Kattare's features are not the best. For example, web hosts nowadays offer unlimited disk space and bandwidth, but Kattare gives you like a measly 1gig with very limited bandwidth, and they charge $10 to $30 a month for that. So I'm looking for a cheapy web host that at least have decent tech support people who are familiar with the very operating system they're running on.
ASKER
Ray, yes you did talk about GoDaddy, and I remember. But I am not an inexperienced web host user, and I didn't think I'd need much technical support (which was your main beef with GoDaddy). The problem is when even basic commands like 'pg' are not available, or hidden files that are supposed to be hidden are showing up, it's a cause for alarm and I had to call up their tech support.
I will look into Rackspace and LiquidWeb and will get back to you on this.
I will look into Rackspace and LiquidWeb and will get back to you on this.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Gary, it's a shared account, costs me $6.99 a month (although I closed it on the same day because of my disappointment).
I hope recommendations you gave are web hosts you have confirmed? Because I did try to get in touch with HostGator, and they had a long long wait for tech support. I don't want to call them, wait that long, only to find out their tech support is also inept?
I hope recommendations you gave are web hosts you have confirmed? Because I did try to get in touch with HostGator, and they had a long long wait for tech support. I don't want to call them, wait that long, only to find out their tech support is also inept?
ASKER
Gary, why do you say unlimited diskspace and bandwidth doesn't exist? A lot of web hosts advertise that.
First, you're unlikely to find a good web host that offers cheap shared hosting with Linux shell access, much less one that will help you with shell problems.
First, PHP isn't typically a shell-driven language. Sure, you can have PHP execute shell commands, or even call PHP from the shell, but those situations aren't common for most PHP sites, so most shared hosting providers don't bother with the shell side of things.
Second, providing shell access on a shared server is a very risky scenario, which is another reason why you won't find it to be a common feature. Done improperly, another user on the server might be able to access YOUR files without anyone knowing! Usually you have to enforce a jail / chroot to enforce filesystem limits, but then you run into questions about shared resources (e.g. allowing everyone to access "gzip" or something). At this point, most providers will just say, "Screw this" and switch over to a VPS offering, since that takes care of all the details and it looks more attractive to users.
Third, you get what you pay for. If you want "cheapy" solutions, you HAVE to sacrifice something somewhere. It costs a web hosting company to have really experienced, knowledgeable people on staff, so they're going to increase the cost of their product to offset those wages. It also costs them to provide more features, and it costs to have high availability for tech support so that you get quick answers.
If you come across a really cheap solution that offers everything, chances are that it might be someone that isn't paying attention to their server. They probably set up a web hosting solution and then go back to whatever game they were playing, and then just rake in the monthly hosting fees. If the server completely goes down, they might respond, but they're probably not going to pay a lot of good, fast attention to your support tickets.
It's just the way things are.
To be honest, if you're looking for cheap shared web hosting, go with one of the popular big ones (1&1, HostGator, LiquidWeb, etc...). They might not be -AS- cheap as another host, but chances are that they have enough customer volume that they can still make a profit while providing adequate support and decent features. You won't get shell access, but you probably won't need it, either.
If you REALLY REALLY want shell access at a low price, you can try out VPS and do the whole do-it-yourself scenario, but don't expect a ton of support. With VPS, they expect you to know what you're doing (which you really should, if you're logged into a shell account - you can do some serious damage if you're not careful).
First, PHP isn't typically a shell-driven language. Sure, you can have PHP execute shell commands, or even call PHP from the shell, but those situations aren't common for most PHP sites, so most shared hosting providers don't bother with the shell side of things.
Second, providing shell access on a shared server is a very risky scenario, which is another reason why you won't find it to be a common feature. Done improperly, another user on the server might be able to access YOUR files without anyone knowing! Usually you have to enforce a jail / chroot to enforce filesystem limits, but then you run into questions about shared resources (e.g. allowing everyone to access "gzip" or something). At this point, most providers will just say, "Screw this" and switch over to a VPS offering, since that takes care of all the details and it looks more attractive to users.
Third, you get what you pay for. If you want "cheapy" solutions, you HAVE to sacrifice something somewhere. It costs a web hosting company to have really experienced, knowledgeable people on staff, so they're going to increase the cost of their product to offset those wages. It also costs them to provide more features, and it costs to have high availability for tech support so that you get quick answers.
If you come across a really cheap solution that offers everything, chances are that it might be someone that isn't paying attention to their server. They probably set up a web hosting solution and then go back to whatever game they were playing, and then just rake in the monthly hosting fees. If the server completely goes down, they might respond, but they're probably not going to pay a lot of good, fast attention to your support tickets.
It's just the way things are.
To be honest, if you're looking for cheap shared web hosting, go with one of the popular big ones (1&1, HostGator, LiquidWeb, etc...). They might not be -AS- cheap as another host, but chances are that they have enough customer volume that they can still make a profit while providing adequate support and decent features. You won't get shell access, but you probably won't need it, either.
If you REALLY REALLY want shell access at a low price, you can try out VPS and do the whole do-it-yourself scenario, but don't expect a ton of support. With VPS, they expect you to know what you're doing (which you really should, if you're logged into a shell account - you can do some serious damage if you're not careful).
Because no one has invented an HDD that never gets full or found a way to use bandwidth and never get charged for it.
If you suddenly used 1TB of bandwidth you can be pretty sure your account gets locked. So always check their T&C
And in answer to your other question, gr8gonzo has answered it quite succintly
If you suddenly used 1TB of bandwidth you can be pretty sure your account gets locked. So always check their T&C
And in answer to your other question, gr8gonzo has answered it quite succintly
ASKER
Gary, it sounds like you haven't shopped for a web host in a while. Just google search PHP web host accounts and you'll see review sites that provide links to web hosts that advertise unlimited disk space and bandwidth. I understand what you're saying, but if they have the nerve to advertise, they better live up to it.
ASKER
Ray, I just called Rackspace, they're high-end. They don't provide shared web hosting, only dedicated Cloud Servers meant for people to pay $150/month so they can resell it.
Web hosts have been advertising it for decades - and it still doesn't exist
Hostgator 24 min wait - but for $4 a month what do you expect...?
they better live up to itThat's why they have the T&C that says fair usage blah blah if you use more than 100Gb we charge you blah blah
Hostgator 24 min wait - but for $4 a month what do you expect...?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ray, LiquidWeb is the same thing, it's not a shared web hosting account provider.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you want to have a bit of fun with a shared web hosting company that advertises unlimited disk space, read their terms, then create a web script that simply uploads a ton of trash HTML files 24/7. I guarantee you that by the time you hit about 1-2 gigabytes, your account will send up a red flag and you'll have someone in tech support checking out what you're doing.
Keep going, and they'll probably start figuring out a way to stop you via legal terms. If you're somehow not in violation of any terms, they probably have a clause that allows them the right to terminate your account at any time for ANY reason, and they'll probably invoke that clause before your account starts impacting their bottom line.
Keep going, and they'll probably start figuring out a way to stop you via legal terms. If you're somehow not in violation of any terms, they probably have a clause that allows them the right to terminate your account at any time for ANY reason, and they'll probably invoke that clause before your account starts impacting their bottom line.
ASKER
gr8gonzo,
I have to beg to differ on that. As I said, I currently have an account at Kattare.com. It's inexpensive. Also, all the potential web hosts I've looked into have shell access. ALL. You can access it through their cPanel, create an FtP account, and then use any SSH FTP client and get a shell. Now whether or not they can support you is the question.
That's irrelevant. A shell is merely a window into the operating system. You can copy files, move files, delete files, hide files, etc. These are file system operations independent of what kind of web host account you're using. It's just a preference for me to use a shell rather than deal with a GUI interface because I can get things done faster.
you're unlikely to find a good web host that offers cheap shared hosting with Linux shell access
I have to beg to differ on that. As I said, I currently have an account at Kattare.com. It's inexpensive. Also, all the potential web hosts I've looked into have shell access. ALL. You can access it through their cPanel, create an FtP account, and then use any SSH FTP client and get a shell. Now whether or not they can support you is the question.
PHP isn't typically a shell-driven language
That's irrelevant. A shell is merely a window into the operating system. You can copy files, move files, delete files, hide files, etc. These are file system operations independent of what kind of web host account you're using. It's just a preference for me to use a shell rather than deal with a GUI interface because I can get things done faster.
As an example...
I have a Linux VPS with 40GB HDD (more than enough for most people), Bandwidth 1.95TB, Memory 1.5GB and quad core processor
This is unmanaged and cost about $15 a month
So to think you can get unlimited everything and top notch support for around $5 is living in cloud cuckoo land
I have a Linux VPS with 40GB HDD (more than enough for most people), Bandwidth 1.95TB, Memory 1.5GB and quad core processor
This is unmanaged and cost about $15 a month
So to think you can get unlimited everything and top notch support for around $5 is living in cloud cuckoo land
LiquidWeb -is- a shared hosting provider, but they STRONGLY advertise their VPS, dedicated, and cloud offerings. You can still find their shared hosting here:
https://www.liquidweb.com/web-hosting/
Some of the other suggestions are probably more cost-effective, though. yoder and Gary have suggested at least 4 other providers that focus on shared hosting.
https://www.liquidweb.com/web-hosting/
Some of the other suggestions are probably more cost-effective, though. yoder and Gary have suggested at least 4 other providers that focus on shared hosting.
BTW,
Most host reviews are written by people paid to favor whomever is paying them. The review sites generally have referr links to the hosts being reviewed and get a commission for all referrals from their reviews. So the rankings general work like paid search the top position goes to the host paying the highest commission.
Cd&
Most host reviews are written by people paid to favor whomever is paying them. The review sites generally have referr links to the hosts being reviewed and get a commission for all referrals from their reviews. So the rankings general work like paid search the top position goes to the host paying the highest commission.
Cd&
SSH FTP client - that's not a real shell and makes sense now what you were talking about earlier - you wouldn't have access to shell commands (bar what you could do in any FTP program) or the rights to do anything bar mess around with your own site files. (and that is why you can see your .htaccess when doing a list)
ASKER
COBOLdinosaur -- point taken.
Alright, to all of you telling me "unlimited disk space and bandwidth" is a lie/myth/non-existent, fine. I probably won't use that much disk space anyway, but I do have a client who'd want her clients to be able to upload scanned tax documents to her website, and at least I won't get the web host complaining to me right away that I'm using too much disk space since we'll be using up only about 10 gigs anyway, especially when they're advertising unlimited disk space. And since uploading does take up some bandwidth, it's not going to be a YouTube site that requires enormous bandwidth, but at least I feel comfortable I won't hear the web host complaining anytime soon either.
Alright, to all of you telling me "unlimited disk space and bandwidth" is a lie/myth/non-existent, fine. I probably won't use that much disk space anyway, but I do have a client who'd want her clients to be able to upload scanned tax documents to her website, and at least I won't get the web host complaining to me right away that I'm using too much disk space since we'll be using up only about 10 gigs anyway, especially when they're advertising unlimited disk space. And since uploading does take up some bandwidth, it's not going to be a YouTube site that requires enormous bandwidth, but at least I feel comfortable I won't hear the web host complaining anytime soon either.
@elepil
I think you might be confusing some terminology here. What you described (setting up FTP account, using an SSH FTP client) is called SFTP. That is NOT shell access. SFTP is a subsystem that runs on top of SSH, but they are VERY different things.
Shell access is having the access to actually run non-filesystem-related commands on your own via an actual shell like bash. For example, you could use gcc to compile an application through shell. You cannot do that via SFTP. SFTP is restricted to file management only.
As far as support goes, the "quality" also may mean different things to different people, so you might have different opinions on tech support quality. How about posting some sample questions that you would expect tech support to answer? I'm sure most of us that have experiences with different hosts have probably asked similar questions and could tell you if they answer them or not.
I think you might be confusing some terminology here. What you described (setting up FTP account, using an SSH FTP client) is called SFTP. That is NOT shell access. SFTP is a subsystem that runs on top of SSH, but they are VERY different things.
Shell access is having the access to actually run non-filesystem-related commands on your own via an actual shell like bash. For example, you could use gcc to compile an application through shell. You cannot do that via SFTP. SFTP is restricted to file management only.
As far as support goes, the "quality" also may mean different things to different people, so you might have different opinions on tech support quality. How about posting some sample questions that you would expect tech support to answer? I'm sure most of us that have experiences with different hosts have probably asked similar questions and could tell you if they answer them or not.
Tax documents?!
That is a huge red flag.
I would NOT recommend using shared hosting services to hold ANY sensitive data. Typically they are not going to cover you in terms of compliance standards. Tax documents (or ANY documents that refer to someone's financial data) need to be stored on storage devices that are handled with specific compliance standards (e.g. encrypted at rest, access restrictions, backup compliance, etc).
If the host gets hacked and someone gets a hold of those documents, chances are that your client might get in some serious trouble and subsequently might sue you. I kid you not. Compliance is not something to treat lightly - you could literally lose every penny you have if you go down this path.
That is a huge red flag.
I would NOT recommend using shared hosting services to hold ANY sensitive data. Typically they are not going to cover you in terms of compliance standards. Tax documents (or ANY documents that refer to someone's financial data) need to be stored on storage devices that are handled with specific compliance standards (e.g. encrypted at rest, access restrictions, backup compliance, etc).
If the host gets hacked and someone gets a hold of those documents, chances are that your client might get in some serious trouble and subsequently might sue you. I kid you not. Compliance is not something to treat lightly - you could literally lose every penny you have if you go down this path.
If you're working with financial documents, I would suggest going with an Amazon-hosted solution (AWS). They have hosting solutions that have the compliance and security aspects covered:
http://aws.amazon.com/security/
Again, you get what you pay for, and it'll probably be a little more than other shared hosting providers, but at least you will not be facing bankruptcy and/or prison time if your hosting provider gets hacked.
http://aws.amazon.com/security/
Again, you get what you pay for, and it'll probably be a little more than other shared hosting providers, but at least you will not be facing bankruptcy and/or prison time if your hosting provider gets hacked.
ASKER
gr8gonzo, my client is currently using eFax to receive scanned documents, and she retrieves it via email; that should make you faint. So uploading directly to her server is I think an improvement, security-wise. But you are right, it would still not be secure. But she's also cheap. Given her budget, I can only do so much. But I am still vigilant in finding better solutions for her though. Security has become such a big pain nowadays.
And you're right, I am using SFTP. And I do not compile any code, I only use it for file management.
And you're right, I am using SFTP. And I do not compile any code, I only use it for file management.
If these are only her tax documents and not any other party's tax documents, it's merely foolish to put them on a shared server, because she might lose control of them if (for example) a backup was stolen by a disgruntled employee. If it's any other party's tax documents you would be on really thin ice if you put them on a shared server. The liability is just too great. Use a dedicated host, full stop.
Also, CobolDinosaur is exactly right about hosting review web sites. They are all BS. You're much better off asking your questions about hosting here at E-E.
Also, CobolDinosaur is exactly right about hosting review web sites. They are all BS. You're much better off asking your questions about hosting here at E-E.
ASKER
Yodercm was the only one who really addressed my problem. His recommendation of www.pair.com was actually on the mark. I called them up, the tech support guy sounded helpful, and although clearly not a guru, he wasn't clueless, and that was good enough for me.
As for the rest of the responders, it's a TY for responding, even though I didn't really get any viable web host recommendations.
As for the rest of the responders, it's a TY for responding, even though I didn't really get any viable web host recommendations.
"But she's also cheap."
If she wants to do the eFax and email route by herself, then she's going to be the only one liable. At the point that YOU become involved in the handling of those documents, it should not matter how cheap she is. If something goes wrong, she will pass the blame on to you, and if you are the one that recommended a specific setup, then "she's cheap" is not going to save your butt.
Imagine if you were having a house built and a contractor said they could build it for $50,000 less than the average contractor. A year later, the house collapses because the contractor used toothpicks instead of wooden beams. Even if the contractor informed the client ahead of time that they'd be using toothpicks, and even if the client said, "Yeah, that's fine," - the contractor would still be in deep trouble because at a basic level, the contractor ignored the basic legal requirements that dictate how a house can be built.
You are in that same boat. If you are contracted to build out a solution for someone, it is your legal responsibility to understand the legal requirements associated with that solution - processes, data storage, etc... If you build something that ignores those legal requirements, it won't matter what your client says or accepts - YOU will be at fault and you will be facing huge fines and/or prison time, depending on what goes wrong. Remember, you're dealing with OTHER people's financial data - your client is not legally able to override and ignore the restrictions that accompany that kind of data.
It is your responsibility to educate your client if she is suggesting or even explicitly asking that you ignore these legal requirements. If you need a bigger budget in order to stay within the confines of those requirements, then you need to inform her of that so you can get a bigger budget. But whatever you do, don't just throw caution to the wind here.
I wouldn't even say that uploading to her server is a security improvement, if you're uploading to a shared server. At least with eFax and email, there's a single path with possible levels of encryption during transmission (TLS). If your host doesn't enforce a jail / chroot in PHP, anyone else on that server will likely be able to read and copy those documents (PHP can access the filesystem outside of your home dir). Or like Ray said, a disgruntled employee might steal a hard drive, or sell off access to an illegal party. Or her next contractor might come along and want to get you in trouble so he/she can take over the entire contract. There are lots of things that can go wrong, so it's in YOUR best interest to do things right.
Yes, security can be a pain, but it's a necessary one. Just look at the trend in the HUGE data breaches in the past year alone. Home Depot, Target, JP Morgan Chase, P.F. Changs, Jimmy Johns, Neiman Marcus, Michaels have all gotten hit this past year (just a few of the 580 breaches or so this year)- there's nearly a 30% increase in breaches since last year alone. The attacks are increasing, as are the automated robots that go out and try to blindly search for vulnerable sites. On top of that, data breaches are a huge blame game, so you can bet you will receive blame if something goes wrong. All the more reason to cover your own butt when dealing with cheap clients. Security isn't cheap.
If she wants to do the eFax and email route by herself, then she's going to be the only one liable. At the point that YOU become involved in the handling of those documents, it should not matter how cheap she is. If something goes wrong, she will pass the blame on to you, and if you are the one that recommended a specific setup, then "she's cheap" is not going to save your butt.
Imagine if you were having a house built and a contractor said they could build it for $50,000 less than the average contractor. A year later, the house collapses because the contractor used toothpicks instead of wooden beams. Even if the contractor informed the client ahead of time that they'd be using toothpicks, and even if the client said, "Yeah, that's fine," - the contractor would still be in deep trouble because at a basic level, the contractor ignored the basic legal requirements that dictate how a house can be built.
You are in that same boat. If you are contracted to build out a solution for someone, it is your legal responsibility to understand the legal requirements associated with that solution - processes, data storage, etc... If you build something that ignores those legal requirements, it won't matter what your client says or accepts - YOU will be at fault and you will be facing huge fines and/or prison time, depending on what goes wrong. Remember, you're dealing with OTHER people's financial data - your client is not legally able to override and ignore the restrictions that accompany that kind of data.
It is your responsibility to educate your client if she is suggesting or even explicitly asking that you ignore these legal requirements. If you need a bigger budget in order to stay within the confines of those requirements, then you need to inform her of that so you can get a bigger budget. But whatever you do, don't just throw caution to the wind here.
I wouldn't even say that uploading to her server is a security improvement, if you're uploading to a shared server. At least with eFax and email, there's a single path with possible levels of encryption during transmission (TLS). If your host doesn't enforce a jail / chroot in PHP, anyone else on that server will likely be able to read and copy those documents (PHP can access the filesystem outside of your home dir). Or like Ray said, a disgruntled employee might steal a hard drive, or sell off access to an illegal party. Or her next contractor might come along and want to get you in trouble so he/she can take over the entire contract. There are lots of things that can go wrong, so it's in YOUR best interest to do things right.
Yes, security can be a pain, but it's a necessary one. Just look at the trend in the HUGE data breaches in the past year alone. Home Depot, Target, JP Morgan Chase, P.F. Changs, Jimmy Johns, Neiman Marcus, Michaels have all gotten hit this past year (just a few of the 580 breaches or so this year)- there's nearly a 30% increase in breaches since last year alone. The attacks are increasing, as are the automated robots that go out and try to blindly search for vulnerable sites. On top of that, data breaches are a huge blame game, so you can bet you will receive blame if something goes wrong. All the more reason to cover your own butt when dealing with cheap clients. Security isn't cheap.
A footnote to the idea of putting tax documents on a shared server:
http://en.wikipedia.org/wiki/Res_ipsa_loquitur
http://en.wikipedia.org/wiki/Res_ipsa_loquitur
ASKER
gr8gonzo, there's no such a thing as 100% foolproof security. One of my past questions involved wanting to hide my PHP database username and password hardcoded in my PHP page. When I asked that question, I was more concerned of breach by people working for that web hosting company than outsiders. So how do I guard against disgruntled employees stealing a hard drive?
It's easy to be Paul Revere on security issues, but what solution do you have that is foolproof and won't cost an exorbitant amount of money? She's only a small office with like 8 to 9 employees, and being in the tax business, the bulk of her revenues is seasonal. In other words, she doesn't make a whole lot of money.
So given the limitations of the circumstances, what would you do? Instead of heralding weaknesses, how about giving me practical and viable solutions given the financial limitations of my client?
It's easy to be Paul Revere on security issues, but what solution do you have that is foolproof and won't cost an exorbitant amount of money? She's only a small office with like 8 to 9 employees, and being in the tax business, the bulk of her revenues is seasonal. In other words, she doesn't make a whole lot of money.
So given the limitations of the circumstances, what would you do? Instead of heralding weaknesses, how about giving me practical and viable solutions given the financial limitations of my client?
I agree, there's no such thing as foolproof security, but there is such a thing as covering your bases. I did give you a viable solution - I suggested two very essential things:
1. I suggested using AWS for hosting (or at least including security compliance in your search). I even linked to the AWS page.
2. I suggested going back to your client and asking for a bigger budget if that is what you need in order to use a more secure hosting platform.
"How do I guard against a disgruntled employee stealing a hard drive?"
You don't. That is the point - it's not in your control. That's part of what you're getting when you go with a solution that has security as part of its main feature set.
Let's take that question as a simple example. A security-minded hosting provider who follows certain compliance standards will have measures to prevent this type of thing from happening and lessen the impact if it does happen:
1. Employees who work on secure servers typically have to pass background checks and go through more restrictive access measures, making it difficult for them to just pop in, grab a hard drive, and run. Usually they need to log and provide reasons for accessing the servers. If they get fired, there are usually HR routines for disabling access immediately and escorting the person off-premises.
2. Secure servers are usually in a monitored and guarded facility, so if someone is in the data center, they usually have eyes on them.
3. Secure servers usually encrypt data at rest, meaning that there is a software layer and key that is necessary in order to make use of any data on the hard drive. So if someone grabbed the hard drive and ran, they wouldn't be able to steal anything off of it unless they plugged it back into a device that was already configured with the same software layer and decryption key.
These aren't the only measures, but let's say they were. Is it absolutely impossible to get past all these measures? No. Like you said, nothing's 100% foolproof, but it'd be a LOT harder to pull off. You'd probably need a full team of people in on the job, not just a single disgruntled employee.
"It's easy to be Paul Revere..."
Wow. Really? Paul Revere yelled four word warnings. In this entire thread, I've gone through:
1. Recommendations on HOW to pick a hosting provider
2. Support for other people's recommendations on providers, including a link to the LiquidWeb one that Ray suggested.
3. Explanations on the "unlimited disk space and bandwidth"
4. Corrections on terminology regarding shell access
5. Warnings about sensitive document types and HOW to store them.
6. Suggestions on what to do with a cheap client.
7. At least one recommendation on secure hosting.
8. Now a response on the "hard drive stealing" question and how secure storage helps address that.
And you're suggesting that I'm simply throwing out quick, simple warnings and not providing any additional helpful information?
I never talked about secure hosting costing an "exorbitant" amount of money. Yes, good, secure hosting will cost MORE than cheap shared hosting, but it doesn't need to be an exorbitant amount, and it costs more for good reason. Yes, I know that tax consultants have seasonal revenues, but I wouldn't suggest that "she doesn't make a whole lot of money" unless you've actually looked at her P&L sheets. That's probably a false assumption (and if she told you that, it's probably a little white lie to keep costs to a minimum).
Your client spent a lot of money to go to school to become a CPA (assuming that's what she is) and to engage in this business. She probably regularly sees what it costs other people to run a business, and she likely knows how to expense everything you are going to charge her. However, none of that is actually your concern. You need to be able to be a hard-ass to your clients and draw the line and tell them what it's really going to take to build and maintain their project(s). Being a nice guy or a low-bidder will cost you AND her in the long run.
Believe me, having to pay another $100 - $200 ANNUALLY to have the right kind of security for their storage is not going to faze your client unless they think you're trying to scam them (you need to be able to explain the need to them, so read up). Lots of businesses spend that kind of money monthly on far less important things. That's why you also put THEM in charge of billing for their own hosting - so they can see what it actually costs and that you are not profiting from any increase in that area.
1. I suggested using AWS for hosting (or at least including security compliance in your search). I even linked to the AWS page.
2. I suggested going back to your client and asking for a bigger budget if that is what you need in order to use a more secure hosting platform.
"How do I guard against a disgruntled employee stealing a hard drive?"
You don't. That is the point - it's not in your control. That's part of what you're getting when you go with a solution that has security as part of its main feature set.
Let's take that question as a simple example. A security-minded hosting provider who follows certain compliance standards will have measures to prevent this type of thing from happening and lessen the impact if it does happen:
1. Employees who work on secure servers typically have to pass background checks and go through more restrictive access measures, making it difficult for them to just pop in, grab a hard drive, and run. Usually they need to log and provide reasons for accessing the servers. If they get fired, there are usually HR routines for disabling access immediately and escorting the person off-premises.
2. Secure servers are usually in a monitored and guarded facility, so if someone is in the data center, they usually have eyes on them.
3. Secure servers usually encrypt data at rest, meaning that there is a software layer and key that is necessary in order to make use of any data on the hard drive. So if someone grabbed the hard drive and ran, they wouldn't be able to steal anything off of it unless they plugged it back into a device that was already configured with the same software layer and decryption key.
These aren't the only measures, but let's say they were. Is it absolutely impossible to get past all these measures? No. Like you said, nothing's 100% foolproof, but it'd be a LOT harder to pull off. You'd probably need a full team of people in on the job, not just a single disgruntled employee.
"It's easy to be Paul Revere..."
Wow. Really? Paul Revere yelled four word warnings. In this entire thread, I've gone through:
1. Recommendations on HOW to pick a hosting provider
2. Support for other people's recommendations on providers, including a link to the LiquidWeb one that Ray suggested.
3. Explanations on the "unlimited disk space and bandwidth"
4. Corrections on terminology regarding shell access
5. Warnings about sensitive document types and HOW to store them.
6. Suggestions on what to do with a cheap client.
7. At least one recommendation on secure hosting.
8. Now a response on the "hard drive stealing" question and how secure storage helps address that.
And you're suggesting that I'm simply throwing out quick, simple warnings and not providing any additional helpful information?
I never talked about secure hosting costing an "exorbitant" amount of money. Yes, good, secure hosting will cost MORE than cheap shared hosting, but it doesn't need to be an exorbitant amount, and it costs more for good reason. Yes, I know that tax consultants have seasonal revenues, but I wouldn't suggest that "she doesn't make a whole lot of money" unless you've actually looked at her P&L sheets. That's probably a false assumption (and if she told you that, it's probably a little white lie to keep costs to a minimum).
Your client spent a lot of money to go to school to become a CPA (assuming that's what she is) and to engage in this business. She probably regularly sees what it costs other people to run a business, and she likely knows how to expense everything you are going to charge her. However, none of that is actually your concern. You need to be able to be a hard-ass to your clients and draw the line and tell them what it's really going to take to build and maintain their project(s). Being a nice guy or a low-bidder will cost you AND her in the long run.
Believe me, having to pay another $100 - $200 ANNUALLY to have the right kind of security for their storage is not going to faze your client unless they think you're trying to scam them (you need to be able to explain the need to them, so read up). Lots of businesses spend that kind of money monthly on far less important things. That's why you also put THEM in charge of billing for their own hosting - so they can see what it actually costs and that you are not profiting from any increase in that area.
Good luck, elepil. I'm sure you'll like pair.com. And by the way, I'm "she". :)
ASKER
Yodercm, ah sorry, Yodercm doesn't exactly steer my mind to a gender. :) Thanks for your help, I am trying to sign up with pair.com.
ASKER
gr8gonzo, I checked out AWS. It always worries me when it's difficult to find their pricing plans, as it invariably means it's going to cost a lot. I think they're still a work in progress because I was getting 404 Page Not Found errors when I was clicking the links below like "PHP on AWS".
I think you're making big assumptions. For instance, you said:
It's a small business. There is no budget for background checks. The style of management is nepotism. If I weren't someone she has known for many years, she wouldn't have hired me. And it's actually wrong for me to say she hired me, because after seeing the appalling mess on how her business was being run, I had to cajole her into doing something about this. Before I automated and streamlined their process, customer folders were scattered all over the place. It would take them however long it takes to find the folder to finally get the phone number of the customer they needed to call. I'm not going to elaborate further on this, but just take it as a given that it was a BIG mess. Don't assume any semblance of a corporate or professional environment here. But when all has been said and done, the business does manage to plod along, and she is making a profit.
When I used the Paul Revere metaphor, I wasn't referring to the brevity of your message, I said that because you were giving numerous cautionary anecdotes with seemingly perfunctory solutions. But your latest post showed a bit more specificity, which I appreciate.
I appreciate all your efforts, but you really have to know who I'm dealing with to understand. And since you don't know her and probably never will, you will have to defer judgment to me. I consider it a HUGE accomplishment on my part to have even succeeded in coaxing her to automate, and even then, she agreed only because I told her all it would cost her is $30 a month (for web hosting) and whatever I charge her (which was a very discounted rate since I've known her a long time).
I've reiterated this and I'll say this again, she's a small business. Hackers don't go after small businesses, so I think she's safe from being a contemplated target. Also, I made sure no social security numbers or credit card info is in the database. So the worst thing people can get is her customers' names, address, phone numbers, and email address. That'll do great with direct mail, but not for identity theft.
Now I still haven't decided how to handle her customers' scanned documents, and she's still using eFax with email retrieval as I speak. I will look into AWS though, because I do like the features. But as I said, I couldn't find the pricing plans, which is a major factor with my client.
Thanks though for bringing up AWS, I do trust Amazon, and I will look into it to see if it will be financially acceptable to my client.
I think you're making big assumptions. For instance, you said:
Employees who work on secure servers typically have to pass background checks and ...
It's a small business. There is no budget for background checks. The style of management is nepotism. If I weren't someone she has known for many years, she wouldn't have hired me. And it's actually wrong for me to say she hired me, because after seeing the appalling mess on how her business was being run, I had to cajole her into doing something about this. Before I automated and streamlined their process, customer folders were scattered all over the place. It would take them however long it takes to find the folder to finally get the phone number of the customer they needed to call. I'm not going to elaborate further on this, but just take it as a given that it was a BIG mess. Don't assume any semblance of a corporate or professional environment here. But when all has been said and done, the business does manage to plod along, and she is making a profit.
but I wouldn't suggest that "she doesn't make a whole lot of money" unless you've actually looked at her P&L sheets.I am not crossing that line.
When I used the Paul Revere metaphor, I wasn't referring to the brevity of your message, I said that because you were giving numerous cautionary anecdotes with seemingly perfunctory solutions. But your latest post showed a bit more specificity, which I appreciate.
Your client spent a lot of money to go to school to become a CPA (assuming that's what she is)Sorry, she's not a CPA. She's a tax preparer, no CPA degree required. She's like an H&R Block.
I appreciate all your efforts, but you really have to know who I'm dealing with to understand. And since you don't know her and probably never will, you will have to defer judgment to me. I consider it a HUGE accomplishment on my part to have even succeeded in coaxing her to automate, and even then, she agreed only because I told her all it would cost her is $30 a month (for web hosting) and whatever I charge her (which was a very discounted rate since I've known her a long time).
I've reiterated this and I'll say this again, she's a small business. Hackers don't go after small businesses, so I think she's safe from being a contemplated target. Also, I made sure no social security numbers or credit card info is in the database. So the worst thing people can get is her customers' names, address, phone numbers, and email address. That'll do great with direct mail, but not for identity theft.
Now I still haven't decided how to handle her customers' scanned documents, and she's still using eFax with email retrieval as I speak. I will look into AWS though, because I do like the features. But as I said, I couldn't find the pricing plans, which is a major factor with my client.
Thanks though for bringing up AWS, I do trust Amazon, and I will look into it to see if it will be financially acceptable to my client.
The background checks are performed by the hosting provider on their own employees. Again, the point of secure hosting is that the hosting provider takes care of covering their own compliance requirements so you can rely on their security.
I'm not suggesting you see her P&L - only saying that you don't really know how much room she has for a budget.
"Hackers don't go after small businesses..."
-shaking head-
A tax preparer is... actually, you know what? Never mind. I'm done with this question.
I'm not suggesting you see her P&L - only saying that you don't really know how much room she has for a budget.
"Hackers don't go after small businesses..."
-shaking head-
A tax preparer is... actually, you know what? Never mind. I'm done with this question.
Is this a dedicated server or a VPS? What kind of specs? Budget?
Is this a fully managed server you want? Sounds more like you don't want managed or maybe semi managed?
Probably can't help with US based hosts, but the questions are relevant