IFSEC Insider | Security and Fire News and Resources

The overlooked importance of web hosting security


If a website is available to people via the internet, it is also available as a target to attackers.

The malicious party may be identity or data thieves looking for sensitive information they can use for personal gain. But, they can also be people seeking only to cause disruption. Regardless of which camp an attacker falls under, they pose a threat, and website owners would be wise to protect their sites against threats preemptively.

Security and web hosting providers

One critical aspect of securing websites is to make sure that the hosting providers supporting the website take security seriously. If the hosting company is lax about preventing unauthorized access, finding and removing malware, and so on, it is like leaving one’s back door hanging open and unguarded.

Furthermore, it’s important that the hosting company makes the security features they offer accessible and easy to use. In 2018, the FTC reviewed 11 hosting companies, looking at the security features they offered and how easy it was for users to access and enable them.

The results were mixed.

Things like SSL support and the use of encrypted channels for data transfers were included in most plans and were straightforward to use. Other important technologies (such as those used to prevent phishing attacks) were not supported or were difficult to enable. The bottom line: the average hosting provider could be the weakest point in your digital security.

Reviewing hosting security

When comparing web hosting options or when reviewing a current vendor, how does one determine if a given company offers secure web hosting?

When choosing a hosting provider, we often spend a lot of time reviewing the features the company offers to its customers, including resource allocations and supported integrations. These are important.

But, teams and decision makers need to look closely at security features and implementations as well. Look for reviews written by actual customers and research past known security breaches.

Here are the key features that the hosting company should support and that webmasters should enable.

Secure FTP

File transfer protocol (FTP) is used to transfer files from local computers to the web hosting account. The problem with FTP is that unauthorized parties can intercept and modify files in transit fairly easily (and without detection). Using Secure FTP (SFTP) instead closes this vulnerability.

SSL certificates

SSL (Secure Sockets Layer) certificates are used to establish secure connections between a website’s servers and the visitors’ browsers or devices. With a secure connection, the two parties can exchange information without fear that a third party intercepts and reads data that should remain private. Many hosts offer free SSL certificates, but premium offerings that offer additional protection (e.g., for subdomains and other lower-level pages) may be a good idea.

SPF

The Sender Policy Framework (SPF) allows people to publish the domains and IP addresses they use to send emails. Email providers use this information to determine if an email actually originated from the sender indicated; if not, it is flagged as spam.

SPF serves two purposes: it helps those who rely on email prove that they are a legitimate sender, and it helps people identify spam messages. Spam messages are more than just a nuisance; they could contain phishing attacks designed to get users to part with sensitive information. (Phishing attacks are scams featuring emails that look reputable. They include requests for the recipient to provide sensitive information, which the attacker then uses for personal gain.)
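As an added illustration (not part of the original article), the Python sketch below shows how a receiving mail server could check a connecting IP address against a published SPF record, and how a site owner could spot a policy that is too permissive. The records, addresses (documentation ranges) and function names are constructed for the example; only ip4, ip6 and all terms are evaluated, because include, a and mx terms require DNS lookups.

```python
import ipaddress

# Result produced by each qualifier when its term matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records using documentation address ranges.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
WEAK = "v=spf1 ip4:192.0.2.0/24 +all"

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        qualifier, body = (part[0], part[1:]) if part[0] in QUALIFIERS else ("+", part)
        mech, _, value = body.partition(":")
        if "=" in mech:        # modifiers such as redirect= are ignored here
            continue
        terms.append((qualifier, mech.lower(), value))
    return terms

def check_sender(record, sender_ip):
    """Return the SPF result for sender_ip; terms are tried left to right."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists need DNS and are skipped in this sketch
    return "neutral"           # nothing matched and no 'all' term

def policy_warnings(record):
    """Flag catch-all settings that weaken the published policy."""
    alls = [q for q, mech, _ in parse_spf(record) if mech == "all"]
    if not alls:
        return ["no 'all' term: unlisted senders are not rejected"]
    if alls[0] in "+?":
        return ["'%sall' does not reject unlisted senders" % alls[0]]
    return []

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, check_sender(RECORD, ip), check_sender(WEAK, ip))
    print(policy_warnings(WEAK))
```

With the strict record, the unlisted address 198.51.100.7 gets a fail result; with the record ending in +all, the same address passes, which is why the catch-all term deserves review when enabling SPF at a host.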

DKIM

DomainKeys Identified Mail (DKIM) is an email authentication method used to protect against forged sender email addresses (in the From field), a technique commonly used in spamming and phishing. With DKIM, senders sign an email with their digital signature, proving that the domain name displayed in the message is authentic.

Compliance

Depending on the use and purpose of the website, there may be regulations by which the web hosting must abide. Some of the more common regulations include:

Conclusion

Website owners are ultimately responsible for the security of their sites. To that end, they need to make sure that their web hosting provider offers the functionality they need to protect against unauthorized access, malware, privacy breaches, and other types of cyber attacks.
