Why you probably shouldn’t host yourself

October 6th, 2016

When delivering software to our customers or helping them setup a DHIS2 for their National Health Information System (NHIS), we always end up with the same question: where should to host the system? While Web Applications can be developed using various languages and technologies, they are common enough to require at minimum a database (to host the data), a web server (to run the code and pages that make the application), and possibly a few other services (e.g. a mail server).

At BlueSquare, we frequently talk about health data, some of which is sensitive (though it’s mostly aggregated data, i.e. not individual patient data), therefore a relatively frequent request or requirement is to “simply” host it inside or close to the customer’s office (e.g. ministry of health).

What you need to know about hosting

What looks like a straightforward and easy decision to make, can be everything but. Hosting software presents an array of very specific challenges:

  • Convenience: How easy is it to deploy new software or new versions on the server?
  • Monitoring: How are we able to know what what happens on the server — especially if something bad happens, such as errors or long response time?
  • Reliability/uptime: During a given period, how often is the server down? From power outage to hard disk replacement to software maintenance.
  • Scalability: How well will the server react to an increase in software users? How easy is it to increase its capacity without impacting the uptime?
  • Security: How well is the server protected against attacks? Including, direct hardware tampering to DDOS attacks or using vulnerabilities at the OS, web or library level.

Meeting these challenges requires an appropriate set of skills.

Options

Having made a quick rundown of the few important questions to keep in mind, here’s a short overview of typical hosting options. They’re listed in ascending order of both service (i.e. simplest to most comprehensive) and cost (i.e. cheapest to most expensive) for the same level of machine/power:

  • Self hosting: this is the DIY option, where you select and buy a machine, put it in corner of your office and install anything needed on it. You must manage all the aspects outlined above, including finding solutions to hardware failure or power outages and preventing physical attacks of the server.
  • Private servers: you rent the machine from a provider such as OVH or Linode. They provide the hardware management and it comes with an OS of your choice pre-installed. They will also watch for some vulnerabilities at the OS-level and patch them.
  • Virtual environment: this is typically Amazon Web Server (AWS) or the equivalent offered by Microsoft (Azure). In addition to the above service, you gain the ability to easily increase or decrease the number of machines in a matter of minutes — effectively paying only for what you use.
  • Platform As A Service (“PAAS”): this is, for example, Heroku. With Heroku, your only concern is your application. The provider takes care of everything else for you. And while you might not have access to the machine, you’ll never need it.

The table below shows a summary of who does what, depending on the service:

Criteria & value

While quality can go up when you choose more advanced services, so does the price. That being said, the company providing the services is still often very cheap for a good reason: hosting your software is their main and only job — meaning they recruit the people needed for that, achieving not only great service, but also an impressive level of productivity.

Privacy & regions

One last important point: the privacy rules. Most providers abide by the laws set in their various regional location. As a very general rule, the EU and US have different views on privacy. The EU generally being more strict in its regulation than the US. As a consequence, given the choice, we often advise people to host sensitive data in the EU if possible (every big provider gives you the option of where you want your data to be located).

There are not (yet) big players in Africa, but local providers can be found and could become alternative to the big US players — again, they should be evaluated against the same criterias.

In a nutshell

Where to host and what level of service to pay for are key decisions that shouldn’t be taken lightly and require thorough comparative analysis. It’s important to pay attention to, for example, security, reliability and cost of the self hosting service with providers such as Heroku or Amazon.

For example, Heroku’s reliability for the last 60 days is 99.995% — that’s 20 minutes of downtime per year, and the security measures they have in place are listed here. I encourage you to check the situation and numbers on your own system and compare. Beating those levels of service is really difficult, and almost impossible if you factor in the cost.

The big take away is: when considering where to host your software, apply the same level of criteria and requirements to all options — including the self hosting. Most people I’ve met assume that in-house systems are more secure and while in some cases that might be true, it’s not a given. So be prepared, and choose wisely.

Written by Martin Van Aken, CTO of BlueSquare. Find him on LinkedIn here and Twitter here.