Looking for hosting advice

Hello everyone,

I’ve got a Rails app that’s going to replace an in-house application,
where the customers are used to having to deal with maintaining their
own servers and data. As these are non-IT customers, maintaining
servers and data is a long way from their core business and thus quite
costly for them. I’m hoping to slice their costs by removing the
requirement for them to maintain their own systems, by hosting it on a
Web server somewhere and having someone else deal with the operational
aspects.

The app needs to be hosted with the following characteristics:

  • data security is very important to these customers, with all
    database content being encrypted and all traffic between browser and
    Web server encrypted. A big concern is operator access to stored
    data; this has to be minimised
  • backup/restore has to be reliable; it’s not a big deal to lose (say)
    the last day’s data, but it would be a huge disaster to lose
    significantly more than that because of bad backups or operator error
  • downtime / restore time is a big concern; the app has to be highly
    available. We’re not talking 5 9’s uptime, but something like 99.9%
    with a guarantee is what I’m after
  • cost will be an issue

Not having great experience with hosting providers, I’m not really
sure how vendors such as Dreamhost would fit these requirements. How
reliable are their backups? What security arrangements are there
around online and backed up data ? What do they offer in terms of
uptime guarantees? Do they provide failover hardware as part of their
“regular” offerings, or is that available as an option? Do they have
some sort of ISO or other accreditation saying that their processes
are documented/reliable/…?

I’ve tried to find this info at the Web sites of several companies,
but their information tends to be long on terms like “minimal
downtime” and “hassle-free nightly backups” and short on terms like
“99.9% uptime guaranteed”. There’s no visibility of e.g. how their
backups are stored - whether they’re offsite at a secured facility
somewhere, or a bunch of discs bouncing around in an operator’s car
every night. At this point, my impression is that hosting companies
in general are focused on reducing costs as far as possible and
catering to the lowest common denominator customer base, whereas I’m
looking to pay a bit more and get some solid service guarantees for my
money.

As cost will be a factor, I’d ideally like to start with a low cost
solution and then be able to scale up if/when the application usage
grows to justify the additional expense. I know this is vague, but
what I’m after is some sort of sliding scale of service level vs. cost
that I could move up/down to different levels based on my changing
requirements.

Is it actually feasible to expect all this from a hosting company, or
should I just be biting the bullet and putting dedicated host/s on the
floor somewhere and building in security and redundancy myself? I
know the type of service guarantees I’m after have traditionally been
the domain of the likes of IBM Global Services and EDS; do any hosting
providers work in the same space in terms of their offerings, or are
they all focused on making things as cheap as possible? I’ve got a
lot of operations experience, and I know how to do this stuff
properly, but in this case I’d prefer someone else did it if I was
comfortable they knew what they were doing. I know this isn’t a
“yes/no” question, and that there will be degrees of
security/failover/etc. provided by all hosting companies, but I can’t
see how you can compare hosting companies’ offerings on these terms
based on the lack of information they each make available.

Thanks in advance for any advice or suggestions

Dave M.

David M. wrote:

Hello everyone,

Dave M.

Dave-

First of all, Dreamhost is NOT what you’re after. I gave them a shot
for the last few weeks on a not-critical-at-all website and it’s been
horrible. I’m not impressed. They’re slow, unreliable, and just
economy all the way.

I’ve only been with TextDrive (after reading all the hype around Rails
folks) for about 2 months now, but have been thoroughly impressed.
Great server speed. Great access. I’ve been moving my sites to them
and dropping other hosting (including Dreamhost and Sonataweb). While I
don’t know if TextDrive can provide everything you’re looking for, I
think they’re a fantastic start.

You’ll hear a lot of lip-service paid to TextDrive around here. So far,
in my opinion, it is well-deserved. I gladly pay their price premium
for what they offer.

I’d like to know, though – how are you encrypting everything going into
the database?

Jake

David M. wrote:

Hello everyone,

  • backup/restore has to be reliable; it’s not a big deal to lose (say)
    the last day’s data, but it would be a huge disaster to lose
    significantly more than that because of bad backups or operator error

One note on this one. I think most folks will recommend that you backup
your database yourself (in addition to the host-provided nightly
backups), and save the backup at your end if possible.

This provides another layer of backup and at least keeps your data safe.

I’m doing nightly (cron/mysqldump) backups of my database at the moment.
I don’t yet shovel that backup to another machine.

Jake

On 09/02/06, Jake J. [email protected] wrote:

for the last few weeks on a not-critical-at-all website and it’s been
You’ll hear a lot of lip-service paid to TextDrive around here. So far,
in my opinion, it is well-deserved. I gladly pay their price premium
for what they offer.

I’d like to know, though – how are you encrypting everything going into
the database?

Jake

Thanks Jake,

I’m encrypting sensitive stuff in the database by using an encryption
key in the Rails app. Nothing complex, but it means that a bad guy
would need to probe through the Rails code to track down the
encryption key and then apply it to all the data for the data to have
any value. Just having a SQL dump of the database wouldn’t be worth
anything.

This is one of those requirements that the customers stated must
exist, but which is somewhat unrealistic to do in a more in-depth
manner without increasing the cost significantly.

Does Textdrive offer quantifiable service-level guarantees, or is it
simply that they’re “better” in terms of Dreamhost having lots of
downtime in your experience?

Regards

Dave M.

Hello everyone,

I’ve had a bunch of replies on this - both via the list and privately

  • but most seem to be missing my main point. I probably should’ve
    spelled it out more clearly…

I’m after a hosting service that offers an uptime guarantee. I’m not
after “minimal downtime” and “best effort support 24x7”; I want a
hosting service that will offer me e.g. a weekly 99.9% uptime
guaranteed (i.e. my site can only be down 10.08 minutes of the 10080
minutes in each week), with the guarantee involving some sort of
(presumably financial) penalty on their part if they don’t meet the
agreed requirement. If my site goes off the air, I want it to be
their problem and I want them to be falling over themselves to fix
it; I don’t want to be trying to diagnose e.g. misconfigurations of
DNS servers at the hosting provider which have brought my site down.

I also don’t want someone else’s app on a shared box going haywire and
bringing my site off the air (this can be managed on shared Unix/Linux
boxes by people who know how to do it). I can and have built systems
to similar specs in the past, but I’m not interested in doing it any
more and I’d be surprised if it’s only the big outsourcers offering
such a service these days.

If e.g. a server needs to be replaced, I want plenty of prior
notification and a scheduled outage period when the change will occur.
That gives me the chance to schedule downtime with my customers, who
will be fine with that provided they’re given sufficient notice. If
not, well, my 99.9% uptime guarantee will kick in at some point to
protect me.

I also (potentially) need a similar guarantee covering data security.
If my customer’s senstive data starts floating around due to lax
business practices at a hosting company, I’m going to get sued; in
that case, I want my customers to be suing the hosting company instead
of me, or (more likely) for me to have a fairly watertight agreement
in place that lets me on-sue the hosting company if I get sued due to
their security process problems.

As far as I know, TextDrive, DreamHost etc. don’t offer this type of
service at all. Many colo providers won’t guarantee data security,
presumably because they aren’t willing to guarantee their night
operators won’t do anything naughty with backups.

I’ve heard of one provider that is currently considering offering a
service that’s broadly along these lines for Rails, but it’s not
available yet.

I need that guarantee from a hosting service, as I’ll be expected to
provide a similar guarantee to my customers. I can’t give a guarantee
to my customers, without getting a suitable guarantee from a hosting
provider. My customers won’t accept explanations like “well, you
know, sometimes you just have to reboot to fix problems”; they want
the app up for a guaranteed percentage of time.

Does anyone offer a service like this for Rails?

Regards

Dave M.

Hi David,

Blackacid, a security based hosting company, offers a private commercial
hosting system for people that don’t want to host with the big boys and
have exactly the same offerings. You get your own ip(s), as many as you
need, a full jail, and a guarantee that we won’t be taking any of your
services down. How do we do this? Basically, we run a very stable
operating system, FreeBSD. We give our customers the luxury of having a
full system(that includes root access) so that they can do multi-user
based services. You can provide yourself mail, dns, apache, j2ee if you
wanted too, etc. I can guarantee that anything on the jail will never
be seen by any of our operators because they manage exclusively only
customers jails who want our managed services. In terms of security,
they do not have access to the main system nor does the main system have
any external access provided other than our sshd. We do not provide a
site as it takes away an extra limb to distract away from non-legitimate
customers who cause more security nightmares than profits. If you would
like to try us out, we can set you up with a free month trial, a full
system jail, and can go from there.

Honestly, what you are looking for is to hold the host liable for
anything that isn’t related to your actions to cause downtime. I can
guarantee that no one will touch your account, your ips, your dns, your
apache configuration, etc., unless you ask us to first. We get notices
2-4 weeks from our provider before down time occurs and notify our users
when we get them. Without any extra services we will be held
accountable for downtime beyond ten minutes and depending on the amount
incurred of calculated losses of your businesses, we will credit your
account.

Our pricing is based on how much bandwidth you need, we can guarantee
you 1.5mbps of sustained pipe for example.
Secondly, backups are up to you unless otherwise stated that you would
like us to do them.

If you have any questions, feel free to email me and we can answer your
questions right away. Please do not spread word about this service as
we tend to only find customers with specific security needs. Having
just any customer is not just a liability to us, its a liability to our
customers as well. Take care!

Woops, cats out of the bag. Try not to bombard me, I’ll try and take
anyones requests if need be =)

So much for me keeping it under wraps.

If a data center won’t guarantee your data, hang-up the phone or walk
out
the door and find someone else. You probably aren’t going to find a
Rails
specific provider to meet your needs but if you are willing to pay for
it,
give Planet ARGON a call and they may be able to work something out with
you. Got a bunch of Ruby/Rails guys in house so they will have the
knowledge
to maintain a stable Rails environment.

Sounds like for your requirements, you will need to find a dedicated
hosting
solution with a major provider who offers SLA’s that will meet your
specifications and maintain your own Rails environment. As my Dad would
always say, “If you want something done right, you gotta do it
yourself.”
But he was an asshole so make your own decision.

Bob S.
http://www.railtie.net/

Please do not spread word about this service

Anyone else find this ironic on a mailing list? Sorry Adam, couldn’t
resist.

Bob S.
http://www.railtie.net/

On Thu, Feb 09, 2006 at 09:12:27AM -0700, Adam B. wrote:

customers jails who want our managed services. In terms of security,
they do not have access to the main system nor does the main system have
any external access provided other than our sshd. We do not provide a
site as it takes away an extra limb to distract away from non-legitimate
customers who cause more security nightmares than profits. If you would
like to try us out, we can set you up with a free month trial, a full
system jail, and can go from there.

It sounded like David was asking about managed services, not blank
slate vps hosting.

Do you have an option preconfigured with rails?

Also, what distinguishes your service from any of the other VPS/jail
hosting providers that claim the same thing?


- Adam

** Expert Technical Project and Business Management
**** System Performance Analysis and Architecture
****** [ http://www.everylastounce.com ]

[ Adam Fields (weblog) - - entertaining hundreds of millions of eyeball atoms every day ] … Blog
[ Adam Fields Resume ]… Experience
[ Adam Fields | Flickr ] … Photos
[ http://www.aquicki.com/wiki ]…Wiki
[ http://del.icio.us/fields ] … Links