
Savvy businesses are leveraging the cloud for storage, hosting, data processing, and even hiring. Cloud-based platforms offer affordability and flexibility for organizations that want to stay nimble—especially when it comes to finding top-quality talent when you need it.

Once you’ve found the perfect freelancer, tools like Google Docs, Dropbox, Slack, and InVision do the trick when it comes to working with a distributed team—whether it’s to chat, meet online, collaborate on documents, or share prototypes. But for development and engineering projects that require more granular access to servers, development environments, and shared code, many organizations wonder where to draw the line and how to safeguard their systems.

In our article 7 Tips for Securely Working With Remote Freelancers, we discussed a few tactics to head off the security concerns of cloud-based work. Here, we’ll cover a few development-specific tips for engaging remote engineers without compromising the security of your project.

The mechanics of offsite development

Like any distributed team, offsite developers need remote access to certain systems in order to collaborate on and deploy your website or software. Generally, freelancers are independent contractors who work remotely, outside of your organization’s network. While they can easily work on mission-critical projects, they don’t always have the same access to security tools and policies that employees at enterprise organizations do. Bearing this in mind—that devs will likely be on their own computers, WiFi networks, and email and file sharing accounts—it’s helpful to approach more sensitive projects with a few security-boosting tactics.

Containerized development environments like Docker are the future when it comes to securely working with remote teams. Because the application ships as a container image, deployment can be automated without ever requiring access from the developer’s physical machine. If you’re not deploying software in containers, your remote developers will most likely deploy remotely using an IT-automation tool such as Ansible or Chef, or a framework’s built-in deployment feature, as with Ruby on Rails.

How much access does a developer need to your server?

It’s helpful to know a few basics about server access before you start handing out credentials to remote developers.

First and foremost, all remote connections to a server should be established over SSH (“secure shell”), the encrypted protocol that lets a computer securely log in to and administer remote servers and cloud systems.

Root access is the highest level of administrative access you can give someone to your server: it means the developer can read and change your entire file structure rather than the compartmentalized set of files you intend to share. You’re likely never going to give an offsite contributor root access to your server—in fact, even if you have root access yourself, it’s best to work from a regular account and switch to that admin level only when you need to make system-critical changes, because as root there’s a real chance you could edit or delete important files by accident.

Instead, you’re more likely to give developers delegated access to your files (read, write, execute, or all of the above)—or even specific folders within your file structure. A server administrator can even create a specific folder just for them where they can upload files but not perform other actions. This article does an excellent job of explaining chmod (change mode) file permissions if you’d like to learn more.
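The delegated-access setup described above (a read-only copy of the site the contractor can pull from, a drop box they can upload into but not list or delete from, and an SSH account confined to file transfer), as an added example that is not code from the article. It runs against a scratch directory so you can try it without root; the account names, the `/srv/jail` path and the `contractors` group in the comments and the sshd fragment are assumptions about your own server.

```shell
#!/bin/sh
# Added example, not from the article: delegated (non-root) access for a contractor.
# Runs against a scratch directory; the commands for the real server are comments
# and assume a chroot at /srv/jail and a group named "contractors".
set -eu

# Create the two directories a contractor needs under $1:
#   site/      readable and traversable by the contractor's group, writable only by the owner
#   incoming/  a drop box: anyone can create files in it but cannot list, delete or rename them
make_contractor_layout() {
    base="$1"
    mkdir -p "$base/site" "$base/incoming"
    chmod 0750 "$base/site"      # owner rwx, group r-x, others nothing
    chmod 1733 "$base/incoming"  # owner rwx, group/others -wx, sticky bit set
    # On the server itself, as root (not run here, assumed layout):
    #   groupadd contractors
    #   useradd -m -G contractors -s /bin/sh freelancer
    #   chown root:root /srv/jail && chmod 0755 /srv/jail
    #   chown root:contractors /srv/jail/site && chown root:root /srv/jail/incoming
}

# Symbolic mode of a path as ls shows it, e.g. "drwx-wx-wt" for the drop box.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# sshd_config fragment that keeps members of the contractor group to SFTP only,
# inside a chroot, with no shell, port forwarding or X11. It is printed rather
# than installed: review it, then append it to /etc/ssh/sshd_config on the server.
# sshd requires the ChrootDirectory itself to be owned by root and writable by
# nobody else, which is why the writable drop box sits below it.
sshd_contractor_block() {
    cat <<'EOF'
Match Group contractors
    ChrootDirectory /srv/jail
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Usage: make_contractor_layout /tmp/demo && mode_of /tmp/demo/incoming && sshd_contractor_block
```

With this layout the contractor works the way the FTP section below describes: pull files from `site/`, edit locally, push the result into `incoming/`, and your own developer reviews and moves it into place. The sticky bit on the drop box means one contractor cannot remove or rename what another uploaded.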

1. Containerized software

Containerization creates dedicated server environments for applications to run in, which streamlines application management and lets teams deploy and update modules without dependency conflicts. This is the future of software development, and it heads off a lot of machine-to-server connection issues by moving each environment into its own isolated operating-system instance. Learn more about containerization in this article, and get tips on securing microservice-based environments.

2. File Transfer Protocol (FTP) for smaller projects

For smaller development projects like WordPress sites, freelancers often have their own workflow, whether that’s editing files locally then using a remote deployment environment or uploading the files to your server via file-transfer protocol (FTP). Web devs and web designers use FTP to send files they’re working on locally (whether it’s a PHP, JS, or CSS file) directly to your server.

What is FTP? It’s a protocol for transferring files between two systems, typically a computer and a server. FTP access can be set up by a network administrator or handled by your hosting provider, and it will likely be one of the first things you do when engaging a remote developer.

Typically, a developer with FTP access will pull a site’s files down to their local environment, make edits, run tests, then push those files back to the server via FTP. For businesses hesitant to grant FTP access for security reasons, there are a few options:

  • SFTP (SSH File Transfer Protocol) offers next-level security: the developer authenticates over SSH and every file is transferred inside that encrypted session, instead of over FTP’s unencrypted connection.
  • Use a secure FTP service. SmartFile is a secure FTP and file sharing service. With its web interface option, you can give a freelancer an “upload only” URL to restrict access. With this, they’ll be able to upload the file and you’ll get notifications when the file has been received.
  • Set up a second FTP account with limited access to restricted parts of your site, then revoke access or terminate the account when you’re finished with the project.
  • Have a second developer (or your in-house developer, if you have one) on hand to keep an eye on new code and to run backups in case you need to roll back. If you hire a second developer just for this purpose, be clear about their role so there’s no overlap.
  • Limit the IP addresses that are allowed to connect to your server via FTP. In this case, even if a third party gains unauthorized access by hacking the FTP password, they won’t be able to connect and do any damage.
  • Be sure that you or your DevOps team turn on FTP access logging and review the log file. With an FTP log file you can investigate any incident related to the FTP protocol: brute-force attacks, the FTP user making a change to a certain file, the IP used to connect to the FTP server, etc.
  • Enable FTP security rules, e.g. “Block an IP address after 5 unsuccessful login attempts.”

Note that today, while still used, FTP is relatively archaic (the most recent version of the protocol was issued in September 1998), but if it’s part of your developer’s workflow, be sure to supplement it with a VPN.
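The log review the bullets above call for (brute-force attempts, which files a given account changed, and connections from outside your IP allowlist), as an added example that is not part of the original article. The log lines are constructed and only loosely modelled on vsftpd’s log format; the field positions in the `awk` calls are assumptions to adjust for whatever FTP server you run.

```shell
#!/bin/sh
# Added example, not from the article: investigate an FTP log for brute-force
# attempts, for changes made by one account, and for clients outside an allowlist.
set -eu

# Constructed sample log (not real traffic), loosely modelled on vsftpd's format.
# Assumption: your server's format differs; adjust the awk field handling below.
SAMPLE_LOG='Mon Jun  3 09:00:01 2019 [pid 2101] [deploy] OK LOGIN: Client "198.51.100.7"
Mon Jun  3 09:00:05 2019 [pid 2103] [deploy] OK UPLOAD: Client "198.51.100.7", "/var/www/site/style.css", 2048 bytes
Mon Jun  3 09:01:10 2019 [pid 2110] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Jun  3 09:01:11 2019 [pid 2111] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Jun  3 09:01:12 2019 [pid 2112] [root] FAIL LOGIN: Client "203.0.113.9"
Mon Jun  3 09:01:13 2019 [pid 2113] [deploy] FAIL LOGIN: Client "203.0.113.9"
Mon Jun  3 09:01:14 2019 [pid 2114] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Jun  3 09:01:15 2019 [pid 2115] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Jun  3 09:05:00 2019 [pid 2120] [deploy] FAIL LOGIN: Client "198.51.100.22"
Mon Jun  3 09:05:30 2019 [pid 2121] [deploy] FAIL LOGIN: Client "198.51.100.22"
Mon Jun  3 09:06:00 2019 [pid 2122] [deploy] OK LOGIN: Client "198.51.100.22"
Mon Jun  3 09:06:20 2019 [pid 2122] [deploy] OK UPLOAD: Client "198.51.100.22", "/var/www/site/index.php", 5120 bytes
Mon Jun  3 09:07:00 2019 [pid 2122] [deploy] OK DELETE: Client "198.51.100.22", "/var/www/site/old.php"'

LOG_FILE="$(mktemp)"
printf '%s\n' "$SAMPLE_LOG" > "$LOG_FILE"

# brute_force_sources LOG [THRESHOLD]: print "count ip" for every client with at
# least THRESHOLD (default 5) failed logins, most attempts first. The client IP is
# the quoted token after "Client"; the substr offsets skip the 8 characters of
# 'Client "' and the closing quote.
brute_force_sources() {
    log="$1"; threshold="${2:-5}"
    awk -v t="$threshold" '
        /FAIL LOGIN/ && match($0, /Client "[^"]+"/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' "$log" | sort -rn
}

# files_changed_by LOG USER: paths the account uploaded, deleted or renamed.
# Splitting on double quotes puts the IP in $2 and the path in $4.
files_changed_by() {
    log="$1"; user="$2"
    awk -F'"' -v u="[$user]" 'index($0, u) && /OK (UPLOAD|DELETE|RENAME)/ { print $4 }' "$log"
}

# connections_outside_allowlist LOG "ip ip ...": distinct client IPs that appear
# in the log but are not in the space-separated allowlist.
connections_outside_allowlist() {
    log="$1"; allowed="$2"
    awk -v list="$allowed" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        match($0, /Client "[^"]+"/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }
    ' "$log"
}

echo "Clients with 5 or more failed logins:"
brute_force_sources "$LOG_FILE" 5
echo "Files changed by the deploy account:"
files_changed_by "$LOG_FILE" deploy
echo "Clients not on the allowlist:"
connections_outside_allowlist "$LOG_FILE" "198.51.100.7 198.51.100.22"
```

The output of `brute_force_sources` is the list you would hand to your firewall or to a tool such as fail2ban; `connections_outside_allowlist` is the check that your IP restriction is actually in force, since any address it prints got as far as the FTP daemon.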

3. Use staging environments

You can take the local machine part out of the equation with a staging environment—a dedicated server where duplicates of files can be edited and tested before going live. For site design and development, staging servers are safe ways to remotely work on files and view them in the browser without pulling them down to a local computer (or risking editing a site while it’s live). Anyone with credentials can access and edit files on a staging server rather than pulling the files down to their own computer.

4. Try a local development service

A local app development service like Flywheel (which boasts an array of its own security features) is an excellent solution for working with remote developers. Developers can share previews and live prototypes of your site in progress via a secure URL. This solution might not be the best for more collaborative coding (say, if two developers are working on the same CSS file at the same time, which lends itself more to a Git repository), but it’s great for seamlessly working with a solo developer and viewing progress in real-time.

5. Try a Continuous Integration (CI) and Continuous Delivery (CD) service

If you are using repositories like GitLab, GitHub or Bitbucket, you can also use continuous integration and delivery services. By using those services and automated tests (even for WordPress) you’ll avoid deploying buggy code to your production (or public) server. The workflow would look something like this: a freelancer pushes an update to your repository’s code, then the CI/CD service clones it and runs the automated tests. If the tests pass, the source code gets copied to the production server. If they fail, the CI/CD service sends the developer a message describing the error(s), and the code is not copied to the production server.
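The gate that workflow enforces, as an added example that is not the article’s or any CI vendor’s code: run the tests, deploy only if they pass, otherwise leave production alone and send the developer the test output. It assumes the CI runner has already checked out the freelancer’s commit into a directory, that your test suite is a single command, and that “production” is a directory on the same host (a real pipeline would copy to the production server at the same point).

```shell
#!/bin/sh
# Added example, not from the article or any CI service: the deploy gate as a plain
# script. Assumptions: CHECKOUT already holds the commit under test, TEST_CMD runs
# your automated tests and exits non-zero on failure, PRODUCTION is a local directory.
set -eu

# ci_gate CHECKOUT PRODUCTION TEST_CMD REPORT
#   Runs TEST_CMD inside CHECKOUT with its output captured in REPORT. On success the
#   checkout is copied beside PRODUCTION and swapped in, so production never holds a
#   half-written copy. On failure PRODUCTION is untouched and the function returns 1.
ci_gate() {
    checkout="$1"; production="$2"; test_cmd="$3"; report="$4"

    if (cd "$checkout" && sh -c "$test_cmd") > "$report" 2>&1; then
        rm -rf "$production.new"
        cp -R "$checkout" "$production.new"
        if [ -d "$production" ]; then
            rm -rf "$production.old"
            mv "$production" "$production.old"
        fi
        mv "$production.new" "$production"
        rm -rf "$production.old"
        echo "tests passed: deployed $checkout to $production"
        return 0
    fi
    echo "tests failed: nothing deployed, see $report" >&2
    return 1
}

# notify_developer REPORT: the message the developer receives on failure. Here it is
# printed; a real pipeline would send it by e-mail or a chat webhook instead.
notify_developer() {
    printf 'Build rejected. Test output:\n'
    tail -n 20 "$1"
}

# Usage (assumed paths):
#   ci_gate /builds/site-checkout /var/www/site "sh ./run_tests.sh" /builds/report.txt \
#       || notify_developer /builds/report.txt
```

The swap (`mv` of a fully built copy into place) is the part worth keeping even if you replace the copy with a remote deploy: the tests decide, and production only ever changes as a whole.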

CI/CD services might not be the most affordable option for smaller projects like a quick website, but a tool like Jenkins or CircleCI is a good idea for medium to large projects.

6. Find a smart storage solution

No matter how you’re sharing files, never set aside the importance of how you’re storing them. In our article Cloud Security: Keeping Data Safe No Matter Where It Is, we covered some best practices for hosting data in the cloud, like compliance, service-level agreements, multitenancy risks, and API security. If you’re using a service like Amazon Web Services, you might opt for a dedicated server to bolster your own app’s security.

7. Backup to the cloud

File storage and file backups aren’t the same things, but they’re both important. Cloud storage is not a substitute for backup—it’s still too easy for things like accidental overwriting, deletion, or corruption to destroy valuable files. With backup, copies of files—as well as different versions, when edits are in progress—are safely saved and can be restored if the worst occurs. Many backup systems offer encrypted storage so you know your files are in good hands.

8. Delegate access to your hosting account

If you’re not hosting your own site, you can give a freelance developer delegated access to your hosting account, which only allows them to do certain things once they’re in—but not things like editing administrative information or altering your account.

If your developer offers hosting and you want to switch your site to theirs from your own server—a common thing when you want to hand over monitoring and maintenance—your IT professional can make this change simply by obtaining your developer’s IP address and redirecting your site there.

9. Obscure Passwords with a Password Manager

Share access to various systems and tools via a password management service like LastPass or OnePass. This way, anyone logged in can access a system without directly seeing what the password is. It’s always possible to change the password, but this extra step can add a layer of security as long as you trust the person. It’s easy to set security controls and restrictions on a per-user basis, depending on their needs.

10. Always Use Secure Connections

Encrypt all traffic to and from your network, including that coming from freelancers, by routing it through a virtual private network (VPN). Freelancers can set up their own VPNs like ExpressVPN, or you can give them a login to yours and require it to access certain systems.