2

I need to host sensitive financial software somewhere. Given that I don't have the resources to host the software locally, I'm oriented toward a VPS or dedicated server.

How can I be sure that the hosting company doesn't steal my SSH password with a man-in-the-middle or 0-day attack?

Is there any solution to guarantee integrity of your data in a third party hosted service?

Maybe I can host the machine locally, and buy a public proxy with DDoS protection and network monitoring?

2 Answers

7

There is no solution to guarantee the security of data physically outside your control.

  • A VPS can be mirrored by your provider.
    They don't need your SSH keys: They can slurp the data right off the image.

  • A physical server can have its disks ripped out and cloned.
    If it's a RAID you wouldn't see downtime, and even if you got an alarm the data's already taken.

  • If you lock the machine up physically it can be taken from the rack.
    Yeah, you'll notice it went away, but the data is gone.

  • Are your backups encrypted?
    Stealing a tape is a favorite way of getting data.
    If you back up over the network, can I sniff the traffic and get it all in cleartext?


Having outlined the nightmare scenario, I can make the following recommendations:

  • Worry about the most likely attack vectors.
  • Generate SSH keys before you deploy the server.
  • Check the fingerprint when you connect. Don't connect if it changed.
  • Make sure backups are encrypted BEFORE they leave the machine.
    • Don't store the backup keys on the machine. Preferably keep 'em off the network.
  • Make sure all other connections are encrypted appropriately.
  • Review the PCI standards, especially the PCI-DSS, and make sure you implement the parts that make sense.
voretaq7
  • 80,749
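One way to automate the "check the fingerprint, don't connect if it changed" step from the answer above, as an added example that is not part of the original answer. The host name, the filler-byte key blobs and the function names are constructed for illustration; the pinned fingerprint is assumed to have been recorded when the key was generated, before deployment.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string from the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_ok(scan: str, host: str, key_type: str, pinned: str) -> bool:
    """Fail closed: True only if `host` offers a `key_type` key matching `pinned`.

    `scan` uses plain "host keytype base64" lines (hashed host names not handled).
    """
    for line in scan.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if host not in fields[0].split(",") or fields[1] != key_type:
            continue
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            return False  # malformed key material
        # The blob names its own type; it must agree with the text column.
        if not blob.startswith(ssh_string(key_type.encode())):
            return False
        return fingerprint(fields[2]) == pinned
    return False  # host offered no key of the pinned type


def sample_blob(fill: int) -> str:
    """Constructed sample data, not a real key: ed25519-shaped blob of filler bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode()


HOST = "vps.example.com"  # hypothetical host name
PINNED = fingerprint(sample_blob(0x11))  # recorded before deployment
SCAN_GOOD = f"{HOST} ssh-ed25519 {sample_blob(0x11)}\n"
SCAN_CHANGED = f"{HOST} ssh-ed25519 {sample_blob(0x22)}\n"  # key differs from the pin
```

The check returns False for a changed key, a missing key type, an unknown host or malformed input, so a wrapper script can refuse to open the session in every one of those cases.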
5

If you aren't in direct physical control of a machine, then there's no way that you can ever be 100% sure.

MDMarra
  • 101,323