Our organization is ready to transition to the Cloud and require support in the process. Can this be done remotely? What do we require?
The development team can be responsible for deploying to your cloud instances. First complete the list of questions that will help get a handle of your organizations capacity and understand some application deployment parameters. Please note that in order to deploy the application the development vendor will need to have remote privileged access to the target machine.
What is the expected number of users?
What is the hosting provider? Exactly which services have been purchased already? Can you give me the website of the service provider and preferably a description of the service?
What version of Linux is allocated? (Hopefully the only answer will be Ubuntu 14.04!)
What domain/URL will be used for Primero? Is there an existing DNS service?
Primero runs only over HTTPS. Have SSL certificates been purchased? If not, are the free certificates provided by Let’s Encrypt (https://letsencrypt.org/) an acceptable alternative?
What is the IT team’s familiarity with Linux (Ubuntu)? Can support staff in remotely log in, review log files and start and stop system services?
What is the IT team’s familiarity with cloud infrastructure platforms: AWS, Azure, Linode, etc.?
Data Backup: Is there a process for data and application backups? Is this the responsibility of the hosting provider or the organization’s IT team?
What is the acceptable data loss gap? If something goes wrong, data can be restored from a previous backup. How old does this need to be?
System security patching and support: is there a process for that? Is the hosting provider responsible for maintaining and patching the server or will this be the responsibility of the organization’s IT team?
What is the organization’s policy with 3rd party access to its servers for support?
Before the development team can deploy, they will need the following:
- A purchased server instance from a cloud provider (Azure, AWS, Linode, or 1and1)
- The server must be Ubuntu 14.04
- They will need the server’s IP address, user with sudo/root privileges, and password (or pem key)
- A domain/subdomain allocated to the application, and the purchased server configured via DNS. For example, primero-gbv.partnername.org.
- A decision made around SSL certificates: will you purchase them from a particular certificate vendor (such as Symantec) or would you like to use the free Let’s Encrypt tool (https://letsencrypt.org/).
- Backup approach based on your cloud vendor or organization policy. One simple solution is to conduct periodically copy database files to a known backup location.
Before deploying the application, in looking at the server, a handful of things would need to be done in addition to rolling out Primero, depending on the scope of your deployment:
- Security: SSH properly configured and secured. It is very strongly recommended to disable remote access to the
rootuser, and replace all password access with SSH key access.
- Security: Set up a software firewall to block access on all ports aside from 22, 80, 443, and optionally 6984
- Set up backups. See if your cloud provider offers backups or snapshotting options. Otherwise you will need to back up all of the contents of the directory /var/lib/couchdb
We recommend the following guide for securing your server: https://www.linode.com/docs/security/securing-your-server
How do we chose which hosting options are best for our context?
Generally, a choice between the various hosting options depends on the availability of on-the-ground infrastructure and expertise, as well as the legal and security issues surrounding the physical location of data’s storage. Third-party cloud hosting options are preferable in situations where there is little on-the-ground infrastructure or expertise, and where involved parties are not too squeamish about data being stored outside the country. Unless the local government or another participating entity has the proper facilities and a fully-staffed technical team to maintain servers, third-party cloud hosting offers a cost-effective and realistic way of hosting a secure, well-performing application. Given the fact that attacks on web applications are absolutely imminent, regardless of their data’s importance, it generally makes sense to opt for a third party operation which has entire teams dedicated to designing and implementing security measures. This option also may be advantageous in situations where there is a fear of local servers falling into the hands of threatening militant groups. Locally-hosted options, meanwhile, are advantageous in situations where, as mentioned before, there is proper capacity to maintain the necessary software and hardware, and where there are security or legal considerations, which dictate that data be physically stored within a country’s borders.
Can you please guide us with regards to the server configuration? We will require details like credentials, IP address and port details. Once we have the pertinent details, we will set it and test the functionality.