Protect a PHP/k8s application that can be deployed on-premise

12/19/2019

I'm working in a company where we have built a SaaS application with the PHP/MySQL/Redis/JS stack.

It runs in our own Google Kubernetes Engine as a hosted/managed service for our clients.

Most of our business logic is placed in the PHP-layer.

Now we want to provide our product as an on-premise solution, so that our clients can deploy the whole product in their own private cloud or maybe even in their own basement.

This also means that the clients get access to all our "business secrets" (business logic) and this worries me. We are a small business and we are doing business with large companies. Some of them might be interested in doing what we do themselves.

PHP is not compiled, and the obfuscators I have found do not seem to obfuscate the code very much.

We have talked about the following solutions:

  1. Trust the customers to not copy/get inspired by our solution and only protect it through law/contracts

  2. Move some vital parts of our logic to our own server and make the on-prem solutions call to our server sometimes. This way we can control licensing etc. But we fear that the customers then will say that it is not totally on-prem. Which is true.

  3. Obfuscate it the best we can and hope for the best. Maybe we are just paranoid?

  4. Do something that makes it possible for the clients to run the code in their private cloud without accessing the source code - we have looked into Google Cloud Marketplace, but as far as I can see, the clients will get access to the VM.

Do you have any good inputs in this regard? We are looking for creative solutions. The main goal is to protect our business.

It would be best if we could offer our Kubernetes setup as a fully on-prem solution, but if you have good ideas for how we can provide it in a client's private cloud (even only in GCP), that is also very welcome.

Thanks in advance!

-- thephper
compilation
google-cloud-platform
kubernetes
on-prem
php

1 Answer

12/20/2019

Your question relates to IP rather than to k8s and clouds.

Solutions are:

Trust and open source

  1. Trust the customers to not copy/get inspired by our solution and only protect it through law/contracts

You are right. And there is power in that.

“The best way to find out if you can trust somebody is to trust them.” ― Ernest Hemingway

You can select an appropriate license and give your app to the client. See this answer:

Some parts of a EULA that come to mind:

  • Limiting your liability if the product has bugs or causes damage.
  • Spelling out how the customer can use their licensed software, for how long, on how many machines, with or without redistribution rights, etc.
  • Giving you rights to audit their site, so you can enforce the licenses.
  • What happens if they violate the EULA, e.g. they lose their privilege to use your software.

You should consult a legal professional to prepare a commercial EULA.

Not-prem

  2. Move some vital parts of our logic to our own server and make the on-prem solutions call to our server sometimes. This way we can control licensing etc. But we fear that the customers then will say that it is not totally on-prem. Which is true.

Not the best solution, since it's not really on-prem. Your clients' servers may be located in a secure zone behind a firewall, without access to your server.

Anyway, it's a popular solution. For example, see how Vepp works.

  3. Obfuscate it the best we can and hope for the best. Maybe we are just paranoid?

Solutions are:

There are some vital examples of PHP-driven self-hosted applications, e.g. self-hosted Bitrix24.

Private cloud with encryption

  4. Do something that makes it possible for the clients to run the code in their private cloud without accessing the source code - we have looked into Google Cloud Marketplace, but as far as I can see, the clients will get access to the VM.

Yes, you can distribute your app as an encrypted VM.

-- Yasen
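The licensing part of option 2, and the firewall objection the answer raises against it, can be reconciled with a signed license that the on-prem deployment verifies offline. The following is an added example, not code from the question, the answer or the product they discuss: the vendor signs a license payload with an Ed25519 private key that stays in its own signing service, and the customer's deployment checks it with an embedded public key and its local clock, so no call home is needed for the check itself. The license schema, field names, customer names and the 30-day validity are assumptions for illustration. It is written in Go as a stand-alone verifier (the post's stack is PHP, where the sodium extension provides the same Ed25519 primitives).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the hypothetical payload the vendor signs and ships with the
// on-prem deployment. Field names are assumptions for this example.
type License struct {
	Customer string `json:"customer"`
	Product  string `json:"product"`
	Seats    int    `json:"seats"`
	NotAfter int64  `json:"not_after"` // Unix seconds; enforced offline
}

// signedLicense is the wire form: the exact signed bytes plus a detached
// Ed25519 signature over them. Keeping the payload as raw bytes means a
// re-serialisation can never change what was actually verified.
type signedLicense struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrMalformed    = errors.New("license: malformed token")
	ErrBadSignature = errors.New("license: signature does not verify")
	ErrExpired      = errors.New("license: expired")
)

// IssueLicense runs on the vendor side only; the private key never ships.
func IssueLicense(priv ed25519.PrivateKey, lic License) (string, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return "", err
	}
	blob, err := json.Marshal(signedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(blob), nil
}

// VerifyLicense runs inside the customer's cluster with only the vendor's
// public key embedded. It needs no network access, so it works behind a
// firewall. The clock is injected so expiry can be tested deterministically.
func VerifyLicense(pub ed25519.PublicKey, token string, now time.Time) (*License, error) {
	blob, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, ErrMalformed
	}
	var sl signedLicense
	if err := json.Unmarshal(blob, &sl); err != nil {
		return nil, ErrMalformed
	}
	// Verify before parsing the payload: untrusted JSON is only decoded
	// once we know the vendor produced it.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return nil, ErrBadSignature
	}
	var lic License
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return nil, ErrMalformed
	}
	if now.Unix() > lic.NotAfter {
		return nil, ErrExpired
	}
	return &lic, nil
}

func main() {
	// Vendor key pair; in practice the public key is compiled into the
	// on-prem build and the private key stays in the vendor's signing service.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	token, err := IssueLicense(priv, License{Customer: "example-customer", Product: "saas-app",
		Seats: 50, NotAfter: now.Add(30 * 24 * time.Hour).Unix()})
	if err != nil {
		panic(err)
	}
	lic, err := VerifyLicense(pub, token, now)
	fmt.Println("genuine token:", lic != nil, err)

	// A customer who issues a token with their own key fails verification.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := IssueLicense(attackerPriv, License{Customer: "example-customer", Seats: 9999,
		NotAfter: now.Add(time.Hour).Unix()})
	_, err = VerifyLicense(pub, forged, now)
	fmt.Println("forged token:", err)

	// The same genuine token is rejected once the clock passes not_after.
	_, err = VerifyLicense(pub, token, now.Add(31*24*time.Hour))
	fmt.Println("expired token:", err)
}
```

The caveat the answer's thesis already implies still applies: this check runs in code the customer controls, so a determined customer can patch it out or roll back their clock. What it buys is that a bypass becomes a deliberate, documentable act rather than an accident, which is what the contract and audit clauses from option 1 need, and that expiry and seat limits can be enforced without the on-prem cluster ever reaching the vendor's server.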
Source: StackOverflow