I will join the development studio in the near future. My role is that of a customer, where the studio will be responsible for back-end development tasks.

To ensure a secure transfer of access to the domain, hosting, and other services that the developer will work with, I wonder what is the best approach.

Once the work is completed, it is expected that all accesses will be changed. However, I am curious to know about the experiences of others regarding this process.

How do you usually handle the transfer of access to various services after the work is done?

During my time at the state office, a CryptoPro program was used to encrypt the file before sending it. The decryption key was located on the other side and could be transferred via SMS (messenger) or by placing it on a website and sharing a link along with a description. For more secure methods, the key could even be sent through mail or any other file sharing platform.

If you are using Windows, the simplest method would be to use RAR with a twenty-character password for the entire package (containing letters from a-zA-Z0-9 and all symbols) or AxCrypt. For Linux users, openssl enc/openssl dev can be used with the same password. Alternatively, regardless of the operating system, you can encrypt a message using a personal certificate (make sure to obtain and exchange certificates beforehand, your CA will suffice for this purpose - global trust is not necessary).

All forms of access, excluding passwords, can be transmitted in clear text. It is possible to encrypt it within an archive, HOWEVER! The key point is to NOT USE a PASSWORD FOR SERVER ACCESS!
To ensure security, the password for server access is intentionally long and designed to avoid attracting attention. It is split into two parts.
Example of a password: 4764_S989854SSL
The password is divided into "4764_S989854" and "SSL".
Subsequently, both halves are sent separately through different communication channels, along with instructions on how to reassemble them.

To enhance security, it is recommended to utilize a chat platform that offers end-to-end encryption, such as e2ee.

When it comes to transferring access to various services after the work is done, there are a few common approaches that can be followed. Here are some best practices:

1. Change All Passwords: It is crucial to change all passwords associated with the domain, hosting, and other services once the work is completed. This ensures that any previous access is revoked and only authorized individuals have the new credentials.

2. Implement Two-Factor Authentication (2FA): Enabling 2FA adds an extra layer of security to the access process. It typically requires both a password and a secondary verification method, such as a unique code sent to a mobile device, to gain access. This helps prevent unauthorized access even if someone obtains the password.

3. Maintain Proper Documentation: Keep a record of all the services that need access, including their login credentials, associated email addresses, and any specific instructions or requirements. This documentation should be securely stored and shared only with authorized individuals.

4. Role-Based Access Control: Assign roles and permissions to different team members based on their responsibilities. This ensures that each person has access only to the necessary services and limits potential risks.

5. Regular Auditing: Conduct periodic audits to review and verify the people who have access to various services. This helps identify any unauthorized individuals or potential security breaches.

6. Communication and Transparency: Maintain open communication between all stakeholders involved. Discuss and document the transfer process with clear timelines, responsibilities, and any specific requirements or concerns.

else:

1. Transition Period: Depending on the nature of the project and the relationship with your development studio, it may be beneficial to have a transition period where both parties share access to ensure a smooth handover. This allows for any necessary knowledge transfer and troubleshooting during the initial stages.

2. Non-Disclosure Agreements (NDAs): Consider having all parties sign NDAs to protect sensitive information and prevent unauthorized sharing or use of proprietary data.

3. Secure File Transfer: If there are files or documents that need to be transferred between parties, use secure file transfer methods such as encryption or secure file-sharing platforms to protect the confidentiality of the information.

4. Third-Party Services: If the project involves third-party services, like APIs or integrations, update any API keys, secret tokens, or other authentication credentials associated with these services.

5. Cloud Permissions: If you're working with cloud infrastructure services like AWS or Azure, review and update access permissions for IAM (Identity and Access Management) users and roles.

6. Communication Channels: Ensure that all communication channels, such as email accounts or messaging platforms, are properly secured and access is transferred or terminated as necessary.

7. Backup and Recovery Plans: Discuss and establish backup and recovery plans to handle any unexpected situations, such as accidental data loss or system failures, during the transfer process.