When to host your website's security
Larger enterprises often turn to website hosting providers because they have regulatory requirements they cannot meet on their own. Commodity infrastructure providers such as AWS, Azure and Rackspace supply the infrastructure, but the enterprise remains responsible for monitoring the security of its own site.
Self-monitoring with a highly skilled team can be as reliable as entrusting the site to a web hosting provider's security team, but not every organization has staff with the expertise and flexibility needed to build a strong security program around its web platform.
Jeff Schilling, CSO, FireHost, said, “The biggest security risk in self-hosting is that they are outward facing toward the threat, and the threat can interact with the website.” It takes a very sophisticated security team to successfully self-host a website.
“Open source platforms like WordPress have a lot of vulnerabilities that make it easy to get access and to eventually get into the database,” Schilling said. “A security team has to be able to identify the threat presence and have knowledge of security patches.”
Because there are zero-day vulnerabilities that no one knows about, enterprises need a security team with the tools and capabilities to detect threats, said Schilling, who also noted that most of the customers that come to them have been compromised through their websites.
“They tried to host on their own, but they’ve been told they lost company IP, and they realized they can’t do it themselves,” Schilling said.
Companies that have already been compromised need a very sophisticated security team to find the threat. Schilling said, “We are able to find the threat actors who have been on the network for 100+ days.”
Schilling also noted the complications of patching different applications that aren’t compatible. “In some cases, companies can’t patch because it breaks the application that they’ve written on top of the server,” Schilling said.
Schilling advised, “Companies should invest in a web platform that is secure. With platforms like Java exploit, WordPress, or Magento, they need at least one security person who knows how to keep up.” With these open source platforms, the companies have to monitor their websites themselves.
“In most cases it’s a full-time job to monitor open source platforms and understand whether they are patched or can be patched,” Schilling said. Depending on the size of the organization and its staffing budget, having the website managed can provide a core intelligence security model that protects customers all the way through the stack, said Schilling.
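The monitoring job Schilling describes, knowing at any moment whether the open source components behind a site are at or behind the patched version, is easier to sustain when it is scripted rather than checked by hand. The script below is an added example and not code from the article or from any of the companies quoted. It walks a WordPress install, reads the core version from `wp-includes/version.php` and each plugin's version from its header comment, and compares them against a baseline of minimum patched versions that the security team would maintain from vendor advisories. The install it walks is a constructed sample written to a temporary directory, and every version number in it, including the baseline, is a placeholder rather than a real release or advisory figure.

```python
"""Inventory a WordPress tree and flag components behind a patch baseline.

Added example. The sample install and the baseline versions are constructed
for the demo; none of the numbers refer to real releases or advisories.
"""
import os
import re
import tempfile

# Constructed sample install (invented files and versions).
SAMPLE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '6.1.1';\n",
    "wp-content/plugins/contact-form/contact-form.php":
        "<?php\n/*\nPlugin Name: Contact Form\nVersion: 2.0.3\n*/\n",
    "wp-content/plugins/gallery/gallery.php":
        "<?php\n/**\n * Plugin Name: Gallery\n * Version: 5.1.0\n */\n",
    # Plugin with no entry in the baseline: must be surfaced, not silently passed.
    "wp-content/plugins/legacy-widget/legacy-widget.php":
        "<?php\n/*\nPlugin Name: Legacy Widget\nVersion: 0.9\n*/\n",
}

# Hypothetical minimum patched versions (placeholder numbers).
BASELINE = {
    "wordpress-core": "6.1.3",
    "contact-form": "2.1.0",
    "gallery": "5.1.0",
}


def parse_version(text):
    """Turn '6.1.1' into (6, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def core_version(root):
    """Read $wp_version from wp-includes/version.php; None if not found."""
    path = os.path.join(root, "wp-includes", "version.php")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        match = re.search(r"\$wp_version\s*=\s*'([^']+)'", fh.read())
    return match.group(1) if match else None


def plugin_versions(root):
    """Map plugin directory name -> version taken from the plugin header comment."""
    found = {}
    plugin_dir = os.path.join(root, "wp-content", "plugins")
    if not os.path.isdir(plugin_dir):
        return found
    for name in sorted(os.listdir(plugin_dir)):
        subdir = os.path.join(plugin_dir, name)
        if not os.path.isdir(subdir):
            continue
        for filename in sorted(os.listdir(subdir)):
            if not filename.endswith(".php"):
                continue
            with open(os.path.join(subdir, filename), encoding="utf-8") as fh:
                head = fh.read(8192)  # headers sit at the top of the main file
            if "Plugin Name:" not in head:
                continue
            match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", head, re.MULTILINE)
            if match:
                found[name] = match.group(1)
                break
    return found


def audit(root, baseline):
    """Return (component, version, reason) for everything that needs attention."""
    inventory = {"wordpress-core": core_version(root)}
    inventory.update(plugin_versions(root))
    findings = []
    for component, version in inventory.items():
        wanted = baseline.get(component)
        if version is None:
            findings.append((component, "unknown", "version not found"))
        elif wanted is None:
            findings.append((component, version, "no baseline, review manually"))
        elif parse_version(version) < parse_version(wanted):
            findings.append((component, version, f"below baseline {wanted}"))
    return findings


def run_demo():
    """Write the constructed sample into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel_path, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel_path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return audit(root, BASELINE)


if __name__ == "__main__":
    for component, version, reason in run_demo():
        print(f"{component:16} {version:8} {reason}")
```

Pointed at a real document root instead of the temp directory, the same `audit` call gives a daily inventory; the useful design point is that a component missing from the baseline is reported rather than ignored, since an unlisted plugin is exactly the one nobody is tracking.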
Most organizations that shift to managed hosting of their websites, Schilling said, “don’t want to be bothered with managing infrastructure. They can manage the content inside applications. The hosting provider delivers the tech labor so that customers can manage their content.”
Web hosting providers keep track of the latest updates for a variety of applications, and Schilling said, “They can provide upgrades to the infrastructure without much change to the service. They provide high-speed storage with better performance.”
If an organization is considering moving to a hosting provider, Schilling advised, “Make sure the hosting provider stays up to date.”
If the right in-house security team is too costly, companies might find that a hosting provider is more affordable and efficient depending on their needs. Schilling said, “A reputable hosting company should have a security team with talent, tools, procedures, antimalware scanning, vulnerability scanning, and a plethora of tools they can leverage to detect threat activity.”
For those deciding whether to self-host, John Bock, vice president of software security, Optiv, said, “There are lots of options for website service providers out there, from lower tiered providers who offer free stuff all the way to full service providers. As you scale up the price, you are paying for more isolation so that breaches are dependent on the security of your own site.”
For most companies deciding whether to self-host or outsource website management, cost and security are the questions asked most often. Bock explained, “Aside from the cost of having an internal management team, the hosting provider is more on the ball than you will be with patching.”
Because very few, if any, hosting providers will agree to unlimited liability in a contract, companies need to keep in mind that even if they completely outsource their website development and management, the website is still theirs. It is their customers' information and data that is being collected. In the event of a breach, the name of the enterprise, not the hosting provider, will be in the spotlight.
Bock explained, “If you are a health insurance company who builds its own consumer level website that collects a lot of patient data, and that data gets compromised, it’s not just damaging to your reputation and brand. There are HIPAA laws and additional disclosures that can result in real penalties.”
Organizations need to do a cost-benefit analysis and determine whether the security they can guarantee in-house will surpass that of a managed service provider. Whether having a website fully managed or self-hosting their website, Bock said, “The rules of the game are the same. Keep everything hardened and patches up to date.”
When it comes to self-hosting, a security concern for Brad Anderson, CEO, Fruition, a full service digital agency that provides web hosting and website development, is that companies are banking on the hope that they are going to stay under the radar and avoid risk.
Anderson said, “One benefit of having a managed website is that an enterprise has a dedicated team of development operations folks who are specialized in firewalls.” Security and accessibility are two of the most important concerns with websites.
Anderson noted, “Places like Amazon and Azure are largely unmanaged. Self-hosting requires an in-house server administration team and the ability and wherewithal to have access to the hardware 24/7. Most corporate IT teams do not want to deal with this,” he continued.
Certainly there is no single reason why companies decide to outsource the management of their websites, but a disastrous event can raise concerns. Noticing a security issue or suspicious behavior is a reason organizations hire external parties to manage their websites, said Anderson. “There has been some security event where they are watching behavior but not quite sure what to do about it,” he continued.
“With managed hosting, they have multiple layers of management. There is managed hosting and managed security with WAFs (web application firewalls) and hardware firewalls. Both software WAFs like ModSecurity and hardware firewalls,” Anderson said.
When enterprises invest in managed hosting, Anderson said, “Companies are shifting the risk and leveraging the cost of hardware firewalls.”