Hello everyone,

I've got a Rails app that's going to replace an in-house application, where the customers are used to having to deal with maintaining their own servers and data. As these are non-IT customers, maintaining servers and data is a long way from their core business and thus quite costly for them. I'm hoping to slice their costs by removing the requirement for them to maintain their own systems, by hosting it on a Web server somewhere and having someone else deal with the operational aspects.

The app needs to be hosted with the following characteristics:

- data security is very important to these customers, with all database content being encrypted and all traffic between browser and Web server encrypted. A big concern is operator access to stored data; this has to be minimised
- backup/restore has to be reliable; it's not a big deal to lose (say) the last day's data, but it would be a huge disaster to lose significantly more than that because of bad backups or operator error
- downtime / restore time is a big concern; the app has to be highly available. We're not talking 5 9's uptime, but something like 99.9% *with a guarantee* is what I'm after
- cost will be an issue

Not having great experience with hosting providers, I'm not really sure how vendors such as Dreamhost would fit these requirements. How reliable are their backups? What security arrangements are there around online and backed up data? What do they offer in terms of uptime guarantees? Do they provide failover hardware as part of their "regular" offerings, or is that available as an option? Do they have some sort of ISO or other accreditation saying that their processes are documented/reliable/...?

I've tried to find this info at the Web sites of several companies, but their information tends to be long on terms like "minimal downtime" and "hassle-free nightly backups" and short on terms like "99.9% uptime guaranteed". There's no visibility of e.g. how their backups are stored - whether they're offsite at a secured facility somewhere, or a bunch of discs bouncing around in an operator's car every night.

At this point, my impression is that hosting companies in general are focused on reducing costs as far as possible and catering to the lowest common denominator customer base, whereas I'm looking to pay a bit more and get some solid service guarantees for my money.

As cost will be a factor, I'd ideally like to start with a low cost solution and then be able to scale up if/when the application usage grows to justify the additional expense. I know this is vague, but what I'm after is some sort of sliding scale of service level vs. cost that I could move up/down to different levels based on my changing requirements.

Is it actually feasible to expect all this from a hosting company, or should I just be biting the bullet and putting dedicated host/s on the floor somewhere and building in security and redundancy myself? I know the type of service guarantees I'm after have traditionally been the domain of the likes of IBM Global Services and EDS; do any hosting providers work in the same space in terms of their offerings, or are they all focused on making things as cheap as possible?

I've got a lot of operations experience, and I know how to do this stuff properly, but in this case I'd prefer someone else did it *if* I was comfortable they knew what they were doing.

I know this isn't a "yes/no" question, and that there will be degrees of security/failover/etc. provided by all hosting companies, but I can't see how you can compare hosting companies' offerings on these terms based on the lack of information they each make available.

Thanks in advance for any advice or suggestions

Dave M.
on 2006-02-09 02:54
on 2006-02-09 03:34
David Mitchell wrote:
> Hello everyone,
>
> ...
>
> Dave M.

Dave-

First of all, Dreamhost is NOT what you're after. I gave them a shot for the last few weeks on a not-critical-at-all website and it's been horrible. I'm not impressed. They're slow, unreliable, and just economy all the way.

I've only been with TextDrive (after reading all the hype around Rails folks) for about 2 months now, but have been thoroughly impressed. Great server speed. Great access. I've been moving my sites to them and dropping other hosting (including Dreamhost and Sonataweb).

While I don't know if TextDrive can provide everything you're looking for, I think they're a fantastic start.

You'll hear a lot of lip-service paid to TextDrive around here. So far, in my opinion, it is well-deserved. I gladly pay their price premium for what they offer.

I'd like to know, though -- how are you encrypting everything going into the database?

Jake
on 2006-02-09 03:36
David Mitchell wrote:
> Hello everyone,
>
> - backup/restore has to be reliable; it's not a big deal to lose (say)
> the last day's data, but it would be a huge disaster to lose
> significantly more than that because of bad backups or operator error

One note on this one. I think most folks will recommend that you backup your database yourself (in addition to the host-provided nightly backups), and save the backup at your end if possible. This provides another layer of backup and at least keeps your data safe.

I'm doing nightly (cron/mysqldump) backups of my database at the moment. I don't yet shovel that backup to another machine.

Jake
on 2006-02-09 04:11
On 09/02/06, Jake Janovetz <email@example.com> wrote:
> for the last few weeks on a not-critical-at-all website and it's been
> You'll hear a lot of lip-service paid to TextDrive around here. So far,
> in my opinion, it is well-deserved. I gladly pay their price premium
> for what they offer.
>
> I'd like to know, though -- how are you encrypting everything going into
> the database?
>
> Jake
>

Thanks Jake,

I'm encrypting sensitive stuff in the database by using an encryption key in the Rails app. Nothing complex, but it means that a bad guy would need to probe through the Rails code to track down the encryption key and then apply it to all the data for the data to have any value. Just having a SQL dump of the database wouldn't be worth anything.

This is one of those requirements that the customers stated must exist, but which is somewhat unrealistic to do in a more in-depth manner without increasing the cost significantly.

Does TextDrive offer quantifiable service-level guarantees, or is it simply that they're "better" in terms of Dreamhost having lots of downtime in your experience?

Regards

Dave M.
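
The approach described in the message above (sensitive columns encrypted with a key held by the Rails app, so that a SQL dump alone is unreadable), as an added example that is not code from this thread. It uses AES-256-GCM from Ruby's OpenSSL bindings; the `FieldCipher` class, the `table.column:id` context string and the demo key are assumptions made for illustration.

```ruby
require "openssl"
require "base64"

# Added example: application-side field encryption. The key is held by the
# app process and never written to the database. All names are hypothetical.
class FieldCipher
  def initialize(key)
    raise ArgumentError, "key must be 32 bytes" unless key.bytesize == 32
    @key = key
  end

  # Returns "v1:<iv>:<tag>:<ciphertext>" (Base64 parts) for a TEXT column.
  # `context` (table.column:id) is authenticated, so a value copied into
  # another row or column fails to decrypt.
  def encrypt(plaintext, context)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv # fresh 96-bit nonce for every stored value
    cipher.auth_data = context
    ct = (plaintext.empty? ? "" : cipher.update(plaintext)) + cipher.final
    ["v1", *[iv, cipher.auth_tag, ct].map { |p| Base64.strict_encode64(p) }].join(":")
  end

  def decrypt(stored, context)
    version, *parts = stored.split(":", 4)
    raise ArgumentError, "unknown format" unless version == "v1" && parts.size == 3
    iv, tag, ct = parts.map { |p| Base64.strict_decode64(p) }
    raise ArgumentError, "truncated tag" unless tag.bytesize == 16
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = context
    pt = (ct.empty? ? "" : cipher.update(ct)) + cipher.final
    pt.force_encoding("UTF-8")
  end

  # True when the stored value does not authenticate under this key/context
  # (wrong key, modified ciphertext, or a value moved from another row).
  def rejected?(stored, context)
    decrypt(stored, context)
    false
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    true
  end
end

# Constructed demo key; a real key is loaded from outside the code and the DB.
DEMO_KEY = (0..31).to_a.pack("C*")
```

The dump stays unreadable only while the key is kept somewhere the database and its backups are not; anyone who can read the application's files or process environment on the host can still recover it.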
on 2006-02-09 05:47
Hello everyone,

I've had a bunch of replies on this - both via the list and privately - but most seem to be missing my main point. I probably should've spelled it out more clearly...

I'm after a hosting service that offers an uptime guarantee. I'm not after "minimal downtime" and "best effort support 24x7"; I want a hosting service that will offer me e.g. a weekly 99.9% uptime *guaranteed* (i.e. my site can only be down 10.08 minutes of the 10080 minutes in each week), with the guarantee involving some sort of (presumably financial) penalty on their part if they don't meet the agreed requirement.

If *my* site goes off the air, I want it to be *their* problem and I want *them* to be falling over themselves to fix it; I don't want to be trying to diagnose e.g. misconfigurations of DNS servers at the hosting provider which have brought my site down. I also don't want someone else's app on a shared box going haywire and bringing my site off the air (this can be managed on shared Unix/Linux boxes by people who know how to do it). I can and have built systems to similar specs in the past, but I'm not interested in doing it any more and I'd be surprised if it's only the big outsourcers offering such a service these days.

If e.g. a server needs to be replaced, I want plenty of prior notification and a scheduled outage period when the change will occur. That gives me the chance to schedule downtime with my customers, who will be fine with that provided they're given sufficient notice. If not, well, my 99.9% uptime guarantee will kick in at some point to protect me.

I also (potentially) need a similar guarantee covering data security. If my customer's sensitive data starts floating around due to lax business practices at a hosting company, I'm going to get sued; in that case, I want my customers to be suing the hosting company instead of me, or (more likely) for me to have a fairly watertight agreement in place that lets me on-sue the hosting company if I get sued due to their security process problems.

As far as I know, TextDrive, DreamHost etc. don't offer this type of service at all. Many colo providers won't guarantee data security, presumably because they aren't willing to guarantee their night operators won't do anything naughty with backups. I've heard of one provider that is currently considering offering a service that's broadly along these lines for Rails, but it's not available yet.

I need that guarantee from a hosting service, as I'll be expected to provide a similar guarantee to my customers. I can't give a guarantee to my customers, without getting a suitable guarantee from a hosting provider. My customers won't accept explanations like "well, you know, sometimes you just have to reboot to fix problems"; they want the app up for a guaranteed percentage of time.

Does anyone offer a service like this for Rails?

Regards

Dave M.
on 2006-02-09 06:26
If a data center won't guarantee your data, hang up the phone or walk out the door and find someone else.

You probably aren't going to find a Rails-specific provider to meet your needs but if you are willing to pay for it, give Planet ARGON a call and they may be able to work something out with you. Got a bunch of Ruby/Rails guys in house so they will have the knowledge to maintain a stable Rails environment.

Sounds like for your requirements, you will need to find a dedicated hosting solution with a major provider who offers SLAs that will meet your specifications and maintain your own Rails environment.

As my Dad would always say, "If you want something done right, you gotta do it yourself." But he was an asshole so make your own decision.

Bob Silva
http://www.railtie.net/
on 2006-02-09 17:13
Hi David,

Blackacid, a security-based hosting company, offers a private commercial hosting system for people that don't want to host with the big boys and have exactly the same offerings. You get your own ip(s), as many as you need, a full jail, and a guarantee that we won't be taking any of your services down.

How do we do this? Basically, we run a very stable operating system, FreeBSD. We give our customers the luxury of having a full system (that includes root access) so that they can do multi-user based services. You can provide yourself mail, dns, apache, j2ee if you wanted to, etc.

I can guarantee that anything on the jail will never be seen by any of our operators because they manage exclusively only customers' jails who want our managed services. In terms of security, they do not have access to the main system nor does the main system have any external access provided other than our sshd. We do not provide a site as it takes away an extra limb to distract away from non-legitimate customers who cause more security nightmares than profits. If you would like to try us out, we can set you up with a free month trial, a full system jail, and can go from there.

Honestly, what you are looking for is to hold the host liable for anything that isn't related to your actions to cause downtime. I can guarantee that no one will touch your account, your ips, your dns, your apache configuration, etc., unless you ask us to first. We get notices 2-4 weeks from our provider before down time occurs and notify our users when we get them. Without any extra services we will be held accountable for downtime beyond ten minutes and depending on the amount incurred of calculated losses of your businesses, we will credit your account.

Our pricing is based on how much bandwidth you need, we can guarantee you 1.5mbps of sustained pipe for example. Secondly, backups are up to you unless otherwise stated that you would like us to do them.

If you have any questions, feel free to email me and we can answer your questions right away. Please do not spread word about this service as we tend to only find customers with specific security needs. Having just any customer is not just a liability to us, it's a liability to our customers as well.

Take care!
on 2006-02-09 17:17
Whoops, cat's out of the bag. Try not to bombard me, I'll try and take anyone's requests if need be =) So much for me keeping it under wraps.
on 2006-02-09 18:03
> Please do not spread word about this service

Anyone else find this ironic on a mailing list? Sorry Adam, couldn't resist.

Bob Silva
http://www.railtie.net/
on 2006-02-09 19:07
On Thu, Feb 09, 2006 at 09:12:27AM -0700, Adam Ballai wrote:
> customers jails who want our managed services. In terms of security,
> they do not have access to the main system nor does the main system have
> any external access provided other than our sshd. We do not provide a
> site as it takes away an extra limb to distract away from non-legitimate
> customers who cause more security nightmares than profits. If you would
> like to try us out, we can set you up with a free month trial, a full
> system jail, and can go from there.

It sounded like David was asking about managed services, not blank slate vps hosting. Do you have an option preconfigured with rails?

Also, what distinguishes your service from any of the other VPS/jail hosting providers that claim the same thing?

--
- Adam

Expert Technical Project and Business Management
System Performance Analysis and Architecture
[ http://www.everylastounce.com ]
[ http://www.aquick.org/blog ] Blog
[ http://www.adamfields.com/resume.html ] Experience
[ http://www.flickr.com/photos/fields ] Photos
[ http://www.aquicki.com/wiki ] Wiki
[ http://del.icio.us/fields ] Links