How can Linode protect itself from malicious ex-employees?
The recent attack on Verelox, a Netherlands-based hosting provider, has raised several questions about security and disgruntled malicious ex-employees. In the Verelox case, an ex-admin added backdoors on critical servers and caused data loss (some say to just about the entire company, but it did not affect backups). Verelox has since started to bring back many of the customers' servers.
I understand that the VPS offerings are not secure; any admin can read/write files on any container VPS via the hardware node, in addition to any data centre admins with physical access. Plus, almost all data centres and hosting providers do some kind of monitoring for xyz government agencies, so that adds another admin person on top of the others, who also has widespread access to our data.
At another hosting provider, I asked for customer support to fix something as part of their "managed" services, so a random guy from Pakistan accessed the server and messed it up (I monitored the situation remotely, so I could see how clueless he was). I mention this as an example, because legally going after someone across the globe could be nearly impossible, thus some people find it easy to hide after doing something bad. The hosting provider of course denied wrongdoing and said that "Bob" was an experienced admin... (LOL).
IT-related companies that I deal with have various levels of security, thus one person can do widespread damage; in many cases admins are limited to a certain number of services/clients. I am hoping that Linode will have similar security policies.
Food for thought.
2 Replies
The deterrent is pretty heavy. Food for thought.
IANAL