Tag Archives: server

Finding the Right Server Solution for Your Enterprise

Enterprises looking to leverage technology to help stay ahead of the game have turned to secure cloud solutions for both convenience and cost savings. Cloud services can offer public hosting or private servers, depending on the particular needs of an enterprise, but each method of cloud deployment has its benefits and drawbacks. To fully capitalize on the cloud, enterprises must decide which method of hosting makes the most sense for their needs and budget.

Essentially, public hosting is like sharing an apartment complex with many residents. With public shared hosting, all accounts draw on the same pool of resources, such as disk space, CPU time, and memory. Public storage servers are very cost-effective and diminish the need for a large IT staff. Maintenance and monitoring are handled by third-party cloud service providers, which usually provide tech support as well. And enterprises can save even more money by not having to purchase, maintain, and upgrade servers onsite. Such on-premises solutions require special attention, security, and expertise that many enterprises would rather outsource. And servers generally take up quite a bit of much-needed office space.

But public servers have their downsides as well. Recently, a massive storm took out servers, resulting in downed sites for major companies like Netflix, Instagram, and Pinterest. While unpredictable weather can strike onsite servers as well, this example illustrates the fact that outsourced servers mean a degree of outsourced security. One way enterprises can protect themselves while using a public server is by enacting better practices, like requiring server administrators to log in exclusively onsite. If logging in locally is impractical, procedures should be established that limit access to approved IPs and accounts, and security tokens should be used whenever practical. And of course, tunneling and encryption should be standard security protocols.

Enterprises must decide for themselves whether they would rather have more convenience and cost savings or more control. As Kelly Clay at Forbes writes, “It’s easy to blame AWS and public cloud services in general for the downtime we occasionally see, but even traditional infrastructures fail. Maybe instead it’s time to think differently about the interconnected nature of the services we rely on. Everything is intertwined.” This intertwining means that enterprises can’t skirt cost and security, and must choose between lower costs and more convenience through public servers or more control through an onsite server.

For enterprises looking to retain full control of their data by keeping servers in-house, dedicated or onsite hosting is the solution. Such servers don’t share space or resources with anyone else and give enterprises root access to their environments. This way, IT teams don’t have to rely on third-party tech support for upgrades and internal tweaks. While onsite servers take up much more space and require dedicated staff for maintenance, upgrades, and security, they also grant enterprises greater flexibility. Many third-party cloud services do not support multiple platforms, so enterprises that want to switch platforms or even build their own environments on Linux might be stuck with one particular platform until the third-party service adds cross-platform functionality. Having a private server onsite helps to sidestep these potential issues.

As with any deployment option, data security is of primary importance. Data drives most enterprises, so a single security breach could potentially ruin an entire brand. Trusting a third-party cloud to secure your data should only be done if the cloud is fully private; otherwise the cloud service’s employees could have access to your enterprise’s valuable data. This is where having an onsite server can bring peace of mind, especially if your third-party cloud server doesn’t provide “zero-knowledge” data privacy. Such onsite private servers put security ownership and control back into the hands of IT staff. Ultimately, enterprises must take full ownership of their data security, deciding which method of cloud deployment makes the most sense for their needs and concerns.

SpiderOak Blue

For enterprises looking to the cloud, SpiderOak Blue offers fully private “public” and onsite server options for full flexibility. Choosing the right third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. But SpiderOak sets itself apart from the rest of the market by providing a fully private cloud service featuring all of the benefits of cloud storage along with 100% data anonymity.

SpiderOak protects sensitive enterprise data through 256-bit AES encryption so that files and passwords stay private. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts plaintext data). SpiderOak Blue’s private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, making this one of the only flexible cross-platform solutions on the market.

Securing Your Mail From Site to Site

Many of you know how to secure your email between your mail client and your computer. But if you run your own mail server, did you know you can secure email between servers? Many servers support TLS encryption for outgoing connections, which will protect your mail between your server and the next one. For my favorite mail server, Postfix, add this to your main.cf:

smtp_tls_security_level = may

This will enable “opportunistic” TLS for outbound connections, meaning it will use encryption if the remote server supports it, otherwise it will transmit it unencrypted. If you’re really paranoid and don’t want to talk to servers that don’t support encryption, you can change may to verify or secure to ensure that the remote end uses encryption.

To ensure that your server listens for TLS requests, add this:

smtpd_tls_security_level = may
smtpd_tls_cert_file = ...
smtpd_tls_key_file = ...

Note the small difference between the smtp_... and smtpd_... prefixes: smtp_ parameters apply to outbound connections and smtpd_ parameters to inbound ones. The cert and key parameters configure your SSL certificate. You can also use encrypt here instead of may to force encryption for clients, but this isn’t recommended for a public Internet server.
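As an added example (not part of the original post and not Postfix's own code), the following sketch parses a main.cf and reports on the TLS parameters named above. It checks only those parameters; the sample configuration and the finding texts are constructed for illustration.

```python
# Constructed sample main.cf, not a real server's configuration
SAMPLE = """\
smtp_tls_security_level = none
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file =
# a later definition replaces the earlier one
smtp_tls_security_level =
    may
"""

def parse_main_cf(text):
    """Parse main.cf text into a dict. Blank lines and '#' comment lines are
    skipped, a line starting with whitespace continues the previous parameter,
    and a later definition of a name replaces an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params

def audit_tls(params):
    """Return findings for the outbound (smtp_) and inbound (smtpd_) TLS settings."""
    findings = []
    out = params.get("smtp_tls_security_level", "")
    if out in ("", "none"):
        findings.append("outbound: smtp_tls_security_level not set or none")
    elif out == "may":
        findings.append("outbound: opportunistic TLS, cleartext fallback allowed")
    inbound = params.get("smtpd_tls_security_level", "")
    if inbound in ("", "none"):
        findings.append("inbound: smtpd_tls_security_level not set or none")
    else:
        # smtpd_tls_key_file defaults to the cert file, so only the cert is required
        if not params.get("smtpd_tls_cert_file"):
            findings.append("inbound: TLS requested but smtpd_tls_cert_file is empty")
        if inbound == "encrypt":
            findings.append("inbound: encrypt rejects clients that do not use TLS")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(parse_main_cf(SAMPLE)):
        print(finding)
```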

By default, if Exim is compiled with TLS support, it will attempt TLS for outbound connections. If you want it to accept TLS, though, you’ll have to set:

tls_advertise_hosts = *
tls_certificate = ...
tls_privatekey = ...

It’s important to note that even with these configurations, you can’t guarantee that your mail is completely encrypted in transit, since your mail could be transmitted between several servers. It also doesn’t prevent eavesdropping on the servers themselves. If you want to ensure that only the recipient can read your mail, you should use something like PGP.
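To see the hop-by-hop point on a delivered message, this added example (not from the original post) reads the Received headers and reports which hops recorded TLS, using the RFC 3848 "with" keywords. The sample message, its hosts and its ids are constructed.

```python
import email
import re

# RFC 3848 "with" keywords that mark a hop as having used TLS
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message (hosts, addresses and ids are made up)
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by inbox.example.org (Postfix) with ESMTPS id 4ABC
    for <bob@example.org>; Mon, 17 Jun 2013 17:30:02 +0000 (UTC)
Received: from relay.example.com (relay.example.com [192.0.2.10])
    by mx.example.net (Postfix) with ESMTP id 3ABC;
    Mon, 17 Jun 2013 17:30:01 +0000 (UTC)
Received: from laptop (unknown [198.51.100.7])
    by relay.example.com (Postfix) with ESMTPSA id 2ABC;
    Mon, 17 Jun 2013 17:30:00 +0000 (UTC)
From: alice@example.com
To: bob@example.org
Subject: constructed sample

body
"""

def strip_comments(value):
    """Remove parenthesised comments, innermost first, so '(using TLSv1.2
    with cipher ...)' is not mistaken for the header's 'with' clause."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())

def hops(raw_message):
    """Return (receiving_host, protocol, used_tls) per hop, oldest hop first."""
    msg = email.message_from_string(raw_message)
    result = []
    for header in reversed(msg.get_all("Received", [])):
        text = strip_comments(header)
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        result.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return result

def cleartext_hops(raw_message):
    """Hosts that received the message without recording TLS."""
    return [host for host, _, used_tls in hops(raw_message) if not used_tls]

if __name__ == "__main__":
    print(hops(SAMPLE), cleartext_hops(SAMPLE))
```

Each Received line is written by the server that accepted the message, so only the lines added by servers you trust are reliable evidence of how a hop was carried.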

I’ll leave other mail servers as an exercise to the reader. Feel free to post further configuration or notes in the comments!

Notes from the Dungeon

Hi, I’m Chip, SpiderOak’s semi-resident sysadmin. I’m the guy in the picture
below who looks like he’s up to no good. }:-> Mostly, I’m in charge of
keeping the beasts in the server room well-fed and happy, which, like most
admin work, involves generous helpings of my sanity. It’s a job that requires
me to be available around the clock — especially during inopportune times
like weekends and holidays. Nearly every day I’m asked to do something I
haven’t done before. Sometimes it’s fun, but many times it’s not.

But you know what? I love it.

And it’s not just because most days I can wake up at noon and work in the
wee hours of the morning, or that if I need a break I can pop into the other
room and play some Portal (Ah, GLaDOS, an admin after my own heart). I work
with a great bunch of people, and despite the fact that we’re many states and
time zones away from each other, the whole group meshes into a team that I’m
proud to be a part of. (My absence in the group picture below
notwithstanding…)

What exactly goes on behind the scenes at SpiderOak? It’s a really sim…

Gruuuuuuuuuuu…

Whoops, looks like I’ll have to explain later. Duty calls. :)