How to run a website securely on a server whose administration and security is outsourced?

Blossoming_Flower asked:

I’m a web developer, and don’t know much about system administration and security. Would it be possible for me to set up a site that processed credit card payment, payouts, bitcoin payments, or other private activities while using a managed host or outsourcing the security and administration, without sacrificing security?

Of course, I could use APIs, such as Stripe, to process payments, but that doesn’t mean someone with access to my server won’t go using the secret API key to charge customers and other such misbehavior.

In summary, how do small startups without a security/system administrator on board deal with security/administration, without jeopardizing its users?

My answer:


This is not a technical question, and the answer is not technical either.

I colocate servers in a datacenter which is regularly audited for PCI-DSS and SAS-70 Type II compliance. My agreements with them specify that they will treat my data confidential (the same as theirs).

You need a legal agreement with the datacenter or managed service provider you do business with that they will not swipe your customers’ data off your server, and you will need copies of their PCI compliance audits to provide to your own auditors, when they show up.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.