  1. #1

    How Secure Are CRMs and VPS Hosting for Storing Sensitive Data?

    Hey everyone,

    I’ve been exploring options for setting up a CRM to manage client data and considering VPS hosting to support it. However, security is my top priority, and I’m wondering how reliable these solutions are for storing sensitive information like customer details, invoices, and internal communications.

    Here are a few specific questions I’d love input on:

    • CRM Security: How do popular CRMs (like HubSpot, Zoho, or self-hosted options) handle sensitive data? Are there specific security features I should be looking for?
    • VPS Hosting: For those using VPS hosting to run their CRM, how do you ensure the server is secure? Do providers like OVH, DigitalOcean, or Hetzner have a strong track record for safeguarding data?
    • Best Practices: What steps should I take to secure a CRM and VPS setup, especially for compliance with privacy laws (e.g., GDPR)?


    I’d love to hear your recommendations.

  2. #2
    Join Date
    Dec 2006
    Location
    London, UK
    Posts
    1,724
    Lots of warning bells here. If security is your "top priority" then you need to involve security professionals; you're unlikely to get adequate advice from a forum like WHT, because the specific details of your setup will be extremely important.

    Many of the largest providers (including ones you mention) have had significant security breaches in the past. Also, even the best protected VPS is vulnerable to an attack from a single compromised administrator's PC, which may be completely invisible to you. You have to assume that sooner or later your VPS may be compromised due to no fault of yours. You need to have processes in place to detect that and deal with it if it happens (monitoring, log file checking, backups...). Also you need to be constantly aware of the latest vulnerabilities and keep everything patched to reduce the attack surface as much as possible. Security is an ongoing process.

    You should avoid handling any "sensitive" data at all, if you can avoid it. If you can't avoid it you should track it so you know what is exposed and where and when. That's what GDPR is all about.
    Phil McKerracher
    I do server maintenance and troubleshooting
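The "monitoring, log file checking" the reply above recommends, as an added example that is not from any poster in this thread: a small POSIX shell script that reads SSH auth-log lines, counts failed logins per source, flags sources over a threshold, and then checks for the signal that actually matters, a source that was brute-forcing and later got an "Accepted" login. The log lines, host name, addresses and user names are constructed; on a real VPS you would pipe in `/var/log/auth.log` or `journalctl -u ssh` output instead.

```shell
#!/bin/sh
# Added example, not from the thread. Detection logic over SSH auth-log lines:
# who is hammering the server, and did any of them get in afterwards?
# SAMPLE_LOG is constructed (hosts, IPs and users are placeholders).

SAMPLE_LOG='Mar  3 10:01:02 crm sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:03 crm sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:04 crm sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:05 crm sshd[1205]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  3 10:01:06 crm sshd[1207]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:02:10 crm sshd[1210]: Failed password for phil from 198.51.100.4 port 40001 ssh2
Mar  3 10:02:15 crm sshd[1212]: Accepted publickey for phil from 198.51.100.4 port 40002 ssh2
Mar  3 10:05:00 crm sshd[1220]: Accepted password for root from 203.0.113.7 port 51300 ssh2'

# failed_by_source: log on stdin; prints "count ip", most frequent first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD: log on stdin; prints IPs with >= THRESHOLD failures.
brute_force_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures THRESHOLD: log on stdin; prints "ip user" for every
# accepted login that came from a source already over the failure threshold.
# This is the line worth paging someone for: a guess or stolen credential worked.
success_after_failures() {
    log=$(cat)
    for ip in $(printf '%s\n' "$log" | brute_force_sources "$1"); do
        printf '%s\n' "$log" |
            awk -v ip="$ip" '/sshd\[[0-9]+\]: Accepted / {
                for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) print ip, $(i-1)
            }'
    done
}

# report THRESHOLD: human-readable summary of all three checks.
report() {
    log=$(cat)
    echo "failed logins by source:";            printf '%s\n' "$log" | failed_by_source
    echo "sources at or over threshold ($1):";  printf '%s\n' "$log" | brute_force_sources "$1"
    echo "ALERT, accepted login from a brute-forcing source:"
    printf '%s\n' "$log" | success_after_failures "$1"
}

# Stand-alone run over the constructed sample: sh auth_check.sh --demo
if [ "${1:-}" = "--demo" ]; then printf '%s\n' "$SAMPLE_LOG" | report 3; fi
```

The threshold is a knob, not a constant: on a public VPS a handful of failures from one address is background noise, so tune it to your own baseline and treat the "accepted after failures" output, not the raw counts, as the alert that gets a human out of bed.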

  3. #3
    Quote Originally Posted by Monvex View Post
    Hey everyone,

    I’ve been exploring options for setting up a CRM to manage client data and considering VPS hosting to support it. However, security is my top priority, and I’m wondering how reliable these solutions are for storing sensitive information like customer details, invoices, and internal communications.

    Here are a few specific questions I’d love input on:

    • CRM Security: How do popular CRMs (like HubSpot, Zoho, or self-hosted options) handle sensitive data? Are there specific security features I should be looking for?
    • VPS Hosting: For those using VPS hosting to run their CRM, how do you ensure the server is secure? Do providers like OVH, DigitalOcean, or Hetzner have a strong track record for safeguarding data?
    • Best Practices: What steps should I take to secure a CRM and VPS setup, especially for compliance with privacy laws (e.g., GDPR)?


    I’d love to hear your recommendations.
    Popular CRMs usually offer robust security features like encryption, access controls, and regular audits, so definitely look for those. When it comes to VPS hosting, choosing a reputable provider with a solid track record is key; they often have built-in security measures, but you should also regularly update your software and follow best practices for compliance with privacy laws like GDPR.

  4. #4
    Join Date
    Dec 2006
    Location
    London, UK
    Posts
    1,724
    Re-reading my previous post, it was perhaps a bit too negative. In practice you can get pretty good security fairly easily. Here are some steps I would take.

    Most VPS hosting providers already have pretty good physical security - secure buildings, redundant power and network connections, lots of monitoring. The main risk by far comes from the humans using the installed software - accidental data deletion, clicking links in emails, responding to phishing phone calls, using weak passwords and so on. So my first tip is to make sure everyone is trained and is using things like 2FA and password managers (not memorable or shared passwords).

    Check that data is encrypted "at rest". Surprisingly few VPS providers use (or even allow) full disk encryption. That's because web servers are rarely "at rest", but they forget about backups. Backups really should ALWAYS be encrypted if you're serious about protecting user data and privacy.

    Check that VPS setups are up to date - not just patched but following best practice. I very commonly see out-of-date security setups, by which I mean setups that were state of the art 10 years ago but are now totally irrelevant because the hackers have moved on. In particular, default setups often use obsolete ciphers and allow unencrypted connections (http instead of https), and omit http headers that deflect "XSS" and "SQL injection" attacks (which are still very common).

    Many providers fail basic compliance checks like NIST, HIPAA and GDPR guidance. That's usually because they're not in the EU or the US or wherever, but compliance doesn't have to be compulsory to be useful.
    Phil McKerracher
    I do server maintenance and troubleshooting
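The "state of the art 10 years ago" defaults described in the post above, made checkable. This is an added example and not from any poster in the thread: a POSIX shell audit that reads an nginx vhost and reports TLS 1.0/1.1 or legacy cipher suites, a port-80 server block that serves content instead of redirecting, and missing browser hardening headers. Both configurations are constructed (the weak one mirrors an old default, the hardened one a current setup); the host name and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nginx config for out-of-date
# TLS settings, plaintext HTTP and missing hardening headers.
# Usage on a real box:  audit_config < /etc/nginx/sites-enabled/crm

# Constructed: the kind of vhost an old tutorial would produce.
WEAK_CONF=$(cat <<'EOF'
server {
    listen 80;
    server_name crm.example.test;
    root /var/www/crm;
}
server {
    listen 443 ssl;
    server_name crm.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4-SHA:AES128-SHA:DES-CBC3-SHA;
    root /var/www/crm;
}
EOF
)

# Constructed: the same vhost with current settings.
HARDENED_CONF=$(cat <<'EOF'
server {
    listen 80;
    server_name crm.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name crm.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
    root /var/www/crm;
}
EOF
)

# audit_config: nginx config on stdin, one finding per line on stdout.
audit_config() {
    conf=$(cat)
    # 1. TLS 1.0 / 1.1 still enabled
    printf '%s\n' "$conf" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[[:blank:];]' &&
        echo 'obsolete protocol: TLSv1 or TLSv1.1 enabled'
    # 2. legacy suites anywhere in the cipher string
    printf '%s\n' "$conf" | grep -Eq 'ssl_ciphers[^;]*(RC4|DES|MD5|NULL|EXPORT)' &&
        echo 'obsolete ciphers: RC4/DES/MD5/NULL/EXPORT suites enabled'
    # 3. a server block on port 80 that does something other than redirect
    printf '%s\n' "$conf" | awk '
        index($0, "{") { depth++ }
        depth == 1 && /listen[ \t]+80[ ;]/             { plain = 1 }
        depth == 1 && /return[ \t]+30[12][ \t]+https:/   { redir = 1 }
        index($0, "}") { depth--; if (depth == 0) { if (plain && !redir) n++; plain = 0; redir = 0 } }
        END { exit !(n > 0) }' &&
        echo 'plaintext HTTP: a listen 80 server block serves content instead of redirecting'
    # 4. headers the browser needs to enforce https-only, no MIME sniffing, no framing, CSP
    for h in Strict-Transport-Security X-Content-Type-Options X-Frame-Options Content-Security-Policy; do
        printf '%s\n' "$conf" | grep -Eq "add_header[[:blank:]]+$h[[:blank:]]" ||
            echo "missing header: $h"
    done
}

# finding_count: number of findings for the config on stdin (0 = clean).
finding_count() {
    audit_config | awk 'END { print NR }'
}

if [ "${1:-}" = "--demo" ]; then
    echo '== weak =='; printf '%s\n' "$WEAK_CONF" | audit_config
    echo '== hardened =='; printf '%s\n' "$HARDENED_CONF" | audit_config
fi
```

The checks are deliberately textual, so the script needs no nginx on the machine running it; it will not catch settings inherited from an `include`d file, so run it against the fully assembled config (`nginx -T` prints that) rather than one vhost file in isolation. Note that response headers harden the browser side; they do nothing against SQL injection, which is fixed in the CRM's query code (parameterised queries), not in the web server.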

  5. #5
    I would highlight three main lines regarding the security of the VPS:
    1. The issue of hosting provider certification and the qualifications of their personnel in the field of information security. It has been resolved by the absolute majority of hosting providers, especially by large market players. That is, choosing a reputable provider with positive reviews and implemented certificates will help to avoid risks at the level of Data Centers.

    2. The issue of security associated with the shared use of computing resources, despite the localization of resources allocated within the VPS (virtual private server). Large market players are continuously implementing updates, both software and hardware. That is, the risks of compromise are extremely small. And choosing an inexpensive dedicated server will completely remove this issue.

    3. The most important aspect is security at the software level of both the self-hosted CRM itself and the operating system on which this CRM will be installed. So, here are a few recommendations that may help you make a decision:
    a. The OS and self-hosted CRM software should be up-to-date, with the longest possible support period and security updates release period.
    b. You should take care of the security of administrative access to the server: VPN, strict firewall rules, replacement of standard access ports, restriction on the list of trusted IP addresses, two-factor authentication, as well as any tools that will hide/encrypt traffic between the server and the administrator.
    c. Access to the CRM interface should also be limited in all possible ways. Probably one of the most common solutions is two-factor authentication, that is, you should pay attention to software products that have this function.
    d. Regular installation of updates. Of course, it concerns security updates for both the VPS operating system and the CRM.

    The comments above rightly noted that the risks of compromise always remain, but following basic procedures will make your VPS more secure for hosting sensitive data.
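Recommendation (b) in the post above, strict firewall rules, a non-default SSH port, a trusted-IP list and two-factor authentication for admin access, as two concrete, checkable artefacts. This is an added example and not from any poster in the thread: `gen_nft_ruleset` emits an nftables ruleset that admits SSH on a non-default port only from an admin allow-list and exposes the CRM on 443 (80 kept only so the web server can redirect), and `check_sshd_config` audits an sshd_config for public-key login plus a second factor via PAM keyboard-interactive (a TOTP module, for instance), with password and root login off. The port, addresses and both sshd configs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Admin-access hardening for a CRM VPS:
# an allow-listed SSH port in nftables, and an sshd_config audit for
# key + second factor. All values below are constructed placeholders.

SSH_PORT=2222
TRUSTED_ADMIN_IPS="198.51.100.4 203.0.113.10"   # e.g. the admin VPN's egress addresses

# gen_nft_ruleset PORT IP...: print an nftables ruleset to stdout.
gen_nft_ruleset() {
    port=$1; shift
    allow=$(printf '%s, ' "$@" | sed 's/, $//')
    cat <<EOF
table inet filter {
    set admin_allow {
        type ipv4_addr
        elements = { $allow }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        # admin SSH: non-default port, allow-listed sources only
        tcp dport $port ip saddr @admin_allow accept
        # the CRM: 443 for users, 80 only so the web server can redirect to https
        tcp dport { 80, 443 } accept
        # everything else: rate-limited log, then dropped by the chain policy
        limit rate 5/minute log prefix "nft-drop: "
    }
}
EOF
}

# Constructed: a stock-looking sshd_config.
DEFAULT_SSHD=$(cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
)

# Constructed: key plus PAM second factor, named admin accounts only.
HARDENED_SSHD=$(cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers phil ops
MaxAuthTries 3
X11Forwarding no
EOF
)

# check_sshd_config: sshd_config on stdin; prints each missing directive,
# exit status is the number of gaps (0 = passes).
check_sshd_config() {
    conf=$(cat)
    gaps=0
    for want in "Port $SSH_PORT" "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes" "KbdInteractiveAuthentication yes" \
                "AuthenticationMethods publickey,keyboard-interactive"; do
        printf '%s\n' "$conf" | grep -Eiq "^[[:blank:]]*$want[[:blank:]]*$" ||
            { echo "missing: $want"; gaps=$((gaps + 1)); }
    done
    # an explicit AllowUsers list keeps every other account off SSH entirely
    printf '%s\n' "$conf" | grep -Eiq '^[[:blank:]]*AllowUsers[[:blank:]]+' ||
        { echo 'missing: AllowUsers <admin accounts>'; gaps=$((gaps + 1)); }
    return $gaps
}

# sshd_gap_count: number of missing directives for the config on stdin.
sshd_gap_count() {
    check_sshd_config | awk 'END { print NR }'
}

if [ "${1:-}" = "--demo" ]; then
    gen_nft_ruleset "$SSH_PORT" $TRUSTED_ADMIN_IPS
    echo '== default sshd_config =='; printf '%s\n' "$DEFAULT_SSHD" | check_sshd_config
    echo '== hardened sshd_config =='; printf '%s\n' "$HARDENED_SSHD" | check_sshd_config
fi
```

Check both artefacts before relying on them: `nft -c -f crm.nft` parses the ruleset without loading it, and `sshd -t -f /etc/ssh/sshd_config` validates the SSH config. Because the chain policy is `drop`, load the ruleset from one session and confirm a second login still works before closing the first. Moving the port off 22 only cuts scanner noise; the allow-list and the second factor are what actually limit who can reach the login prompt and who can pass it.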

  6. #6
    Join Date
    Jan 2025
    Location
    Europe
    Posts
    12
    A reputable VPS provider is important. Sometimes small but serious providers can offer better security. Consider a dedicated server: quite often, especially with not-so-new hardware, this can be on par in terms of price. Keep the OS and the CRM itself updated, and address these questions to their developers. At the end of the day it comes down to the code that you run; if the code allows it, all kinds of things might happen. It's way more likely that there is a bug in the CRM than that the VPS provider is hacked.
    Old school system administrator, PHP programmer, analyst.
    Developer of Wordpress hosting benchmark plugin

  7. #7
    Join Date
    Dec 2006
    Location
    London, UK
    Posts
    1,724
    <<snipped>>

    Well, it depends on your definitions of "sensitive" and "proper measures" but in general I would say this claim is not really true.

    Securing really sensitive data (like bank account passwords, cryptocurrency wallets, national secrets etc) is surprisingly hard. The Edward Snowden disclosures and the ongoing "Salt Typhoon" issues show that state actors can snoop on pretty much any electronic device at any time, logging keystrokes or acting as a "man in the middle". Protection for most people comes from simply not being important enough or wealthy enough to be worth that effort.

    "Proper measures" for really sensitive data would therefore most likely include an air gap or cold storage - i.e., not connecting to the internet at all. I don't think that's what the OP is talking about. However they do seem to be talking about greater than usual precautions because they say security is "top priority". If that's because significant financial or legal liability is involved I would urge them to consider greater than usual precautions, including things like pentesting, audits and insurance.

    At events like Pwn2Own the starting point is a system set up with "proper measures" and the expectation is that multiple vulnerabilities will be discovered within hours.
    Last edited by bear; Today at 12:36 PM.
    Phil McKerracher
    I do server maintenance and troubleshooting

  8. #8
    Join Date
    Dec 2006
    Location
    London, UK
    Posts
    1,724
    Quote Originally Posted by INTROSERV-AN View Post
    a. The OS and self-hosted CRM software should be up-to-date, with the longest possible support period and security updates release period...
    I completely agree with this. When I think back to previous hacks I've encountered, out of date software was most commonly the root cause. Sometimes only a few weeks out of date. The good news is, it's usually pretty easy to fix.

    But here's the rub. I vividly remember a server being hacked within minutes after I installed the latest version of memcached (many years ago now). The problem was the CentOS package was old and insecure. And CentOS was all cPanel would run on at the time. I stopped using cPanel. Those problems have since been resolved but my point is you can't just rely on the most recent version being secure, bugs can be unpatched for decades.
    Phil McKerracher
    I do server maintenance and troubleshooting
