01-07-2025, 07:59 AM #1
I would highlight three main lines regarding the security of the VPS:
1. The issue of hosting provider certification and the qualifications of their personnel in the field of information security. It has been resolved by the absolute majority of hosting providers, especially by large market players. That is, choosing a reputable provider with positive reviews and implemented certificates will help to avoid risks at the level of Data Centers.
2. The issue of security associated with the shared use of computing resources, despite the localization of resources allocated within the VPS (virtual private server). Large market players are continuously implementing updates, both software and hardware. That is, the risks of compromise are extremely small. And choosing an inexpensive dedicated server will completely remove this issue.
3. The most important aspect is security at the software level of both the self-hosted CRM itself and the operating system on which this CRM will be installed. So, here are a few recommendations that may help you make a decision:
a. The OS and self-hosted CRM software should be up-to-date, with the longest possible support period and security updates release period.
b. You should take care of the security of administrative access to the server: VPN, strict firewall rules, replacement of standard access ports, restriction on the list of trusted IP addresses, two-factor authentication, as well as any tools that will hide/encrypt traffic between the server and the administrator.
c. Access to the CRM interface should also be limited in all possible ways. Probably one of the most common solutions is two-factor authentication, that is, you should pay attention to software products that have this function.
d. Regular installation of updates. Of course, it concerns security updates for both the VPS operating system and the CRM.
The comments above rightly noted that the risks of compromise always remain, but following basic procedures will make your VPS more secure for hosting sensitive data.
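As an added example (not part of the original post), the administrative-access recommendations in item b can be checked mechanically, assuming the server is administered over OpenSSH. Both configurations are constructed samples, and the `keyboard-interactive` factor assumes a one-time-code PAM module is configured separately.

```python
# Added example: audit the global section of an OpenSSH sshd_config.
# Both configs are constructed samples; the address is a documentation range.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers deploy
"""
HARDENED = """\
Port 49222
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
AllowUsers admin@203.0.113.10
"""
# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "authenticationmethods": "any"}

def parse_global(text):
    """Collect keyword -> list of values, stopping at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_global(text)
    first = lambda k: s.get(k, [DEFAULTS[k]])[0].lower()
    findings = []
    if "22" in s.get("port", [DEFAULTS["port"]]):
        findings.append("standard port 22 in use")
    if first("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes allows direct root login")
    if first("passwordauthentication") == "yes":
        findings.append("password authentication enabled")
    # Every alternative list must name two methods, or one factor suffices.
    if not all("," in m for m in first("authenticationmethods").split()):
        findings.append("a single authentication method is sufficient")
    users = " ".join(s.get("allowusers", [])).split()
    if not users or not all("@" in u for u in users):
        findings.append("AllowUsers does not pin accounts to source addresses")
    return findings
```

Settings inside `Match` blocks are deliberately ignored here, so a configuration that relaxes these options per user or per address still needs a manual review.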
Today, 12:24 PM #2
Web Hosting Master
- Join Date
- Dec 2006
- Location
- London, UK
- Posts
- 1,724
I completely agree with this. When I think back to previous hacks I've encountered, out of date software was most commonly the root cause. Sometimes only a few weeks out of date. The good news is, it's usually pretty easy to fix.
But here's the rub. I vividly remember a server being hacked within minutes after I installed the latest version of memcached (many years ago now). The problem was the CentOS package was old and insecure. And CentOS was all cPanel would run on at the time. I stopped using cPanel. Those problems have since been resolved but my point is you can't just rely on the most recent version being secure, bugs can be unpatched for decades.
Phil McKerracher
I do server maintenance and troubleshooting
Today, 11:53 AM #3
<<snipped>>
Well, it depends on your definitions of "sensitive" and "proper measures" but in general I would say this claim is not really true.
Securing really sensitive data (like bank account passwords, cryptocurrency wallets, national secrets etc) is surprisingly hard. The Edward Snowden disclosures and the ongoing "Salt Typhoon" issues show that state actors can snoop on pretty much any electronic device at any time, logging keystrokes or acting as a "man in the middle". Protection for most people comes from simply not being important enough or wealthy enough to be worth that effort.
"Proper measures" for really sensitive data would therefore most likely include an air gap or cold storage - i.e., not connecting to the internet at all. I don't think that's what the OP is talking about. However they do seem to be talking about greater than usual precautions because they say security is "top priority". If that's because significant financial or legal liability is involved I would urge them to consider greater than usual precautions, including things like pentesting, audits and insurance.
At events like Pwn2Own the starting point is a system set up with "proper measures" and the expectation is that multiple vulnerabilities will be discovered within hours.
Last edited by bear; Today at 12:36 PM.
Phil McKerracher
I do server maintenance and troubleshooting