Author David Riley
I’m sure we’ve all seen the shows about ‘Bad Neighbours’, or perhaps you’ve experienced them in your own life! Having Bad Neighbours is never a good thing. They can keep you awake at night, they can cause you trouble and they can bring down the value of your house! But what about your ‘virtual’ Neighbours? Do you know who’s living – virtually – next door?
Security in shared hosting, is your hosting provider doing enough?
Shared hosting can be a very cost efficient system to run a complex website but what are the security implications of such environments?
Security in shared hosting is difficult to maintain, as a single web application with weak security could potentially allow access to your site and your data. You could take all necessary steps to secure your site, but another site on the same server could open up the system to attack. Although responsibility for the security of a published application falls squarely on its developers, and hosting providers can’t be expected to review every piece of code that gets published to their environments, there are things hosting providers can do to protect their environments from the vulnerabilities those applications introduce.
Intrusion Detection/Prevention Systems (IDPS)
These are designed to detect and prevent malicious activities or policy violations from reaching your website, primarily using signature-based identification similar to your anti-virus software. The benefit this provides is that common attack vectors are detected and stopped before they hit the website.
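To make the signature idea concrete, here is an added example (not code from the original post or from any IDPS product) of the core of a signature-based check run over a handful of constructed web-server access-log lines. The rule names, patterns and sample requests are all assumptions made for illustration; a real IDPS ships thousands of rules and inspects the whole request, not just the path. The example also percent-decodes the request before matching, because an undecoded signature is trivially missed by an encoded request, which is exactly why the next section's monitoring is still needed for whatever slips past the IDPS.

```python
"""Minimal signature-based request check in the spirit of an IDPS (added example)."""
import re
from urllib.parse import unquote

# Constructed rule set (hypothetical; not any vendor's signatures).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)\bunion\s+(all\s+)?select\b|'\s*or\s+'?1'?\s*=\s*'?1"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
}

# Combined-log-format line: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def normalise(request_path: str) -> str:
    """Percent-decode the path (twice, to also catch double-encoding) before matching."""
    decoded = request_path
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded


def match_signatures(request_path: str) -> list:
    """Return the names of every signature that fires on the decoded request path."""
    target = normalise(request_path)
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]


def scan_log(text: str) -> list:
    """Return (client ip, raw path, [signature names]) for each log line that matched a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; a real tool would count these
        names = match_signatures(m.group("path"))
        if names:
            hits.append((m.group("ip"), m.group("path"), names))
    return hits


# Constructed sample access log (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=..%2F..%2Fconfig.bak HTTP/1.1" 200 1024
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 700
198.51.100.7 - - [10/Oct/2023:13:56:11 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2023:13:57:00 +0000] "POST /contact HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(names)}")
```

Three of the five constructed lines trip a rule and two pass clean. The decoding step is the part worth noticing: without it, none of the three encoded requests would match, which is the sort of gap that signature-only protection leaves and that monitoring has to cover.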
Along with IDPS, monitoring of systems for malicious activity should be carried out to identify threats that may have bypassed the IDPS. Monitoring can detect subtler attacks by using file integrity monitoring solutions to identify changes in core files, as well as application and system log aggregation to detect unusual activity.
While hosting providers wouldn’t perform security testing on every site hosted on their infrastructure, they should be testing the infrastructure itself using vulnerability analysis or more in-depth penetration testing on a routine basis. They should also allow you to test your own web applications, as these tests will also cover their infrastructure to some degree, so be wary if they refuse.
Are they doing the simple things?
Password management, patch management and remote access control. Although it can be difficult to verify these things, don’t be afraid to ask. How often do you apply security patches? Do you use two-factor authentication for remote access, or restricted management networks? How do you store and share passwords? These questions should be easy to answer.
A good marker for companies that take security seriously is external assessment against a well-known standard like ISO 27001 (accredited by UKAS or the local national body); maintaining such accreditations requires investment, not just monetary but also time. If you provide ecommerce functions on your site, then PCI DSS certification should be in place for any service provider you use, or they should be happy to be audited under your compliance requirements (if you take card payments then you should be compliant, regardless of how they are processed).
Although these controls can’t guarantee complete security (nothing can), they all add to a layered security approach that makes technological attacks as difficult as possible.
Get to know your ‘neighbours’ by asking the right questions, so that they’re not the ones keeping you awake at night.