When to host your website's security

Does managed website hosting provide stronger security than self-hosting?

Managing the daily updates and upgrades needed to keep a website secure demands a highly skilled administration team. A third-party website management company provides both managed hosting and security, but the security of the site depends largely upon the provider.

Larger enterprises come to website hosting providers because they have regulatory requirements that they can’t meet on their own. Commodity providers, from AWS to Azure and Rackspace, provide infrastructure, but the enterprise monitors the security of the site itself.

Self-monitoring with a highly skilled team can be as reliable as entrusting the site to the security team of a web hosting provider, but not every organization has a staff with the expertise and flexibility needed to build a strong security platform program.

Jeff Schilling, CSO, FireHost, said, “The biggest security risk in self-hosting is that they are outward facing toward the threat, and the threat can interact with the website.” It takes a very sophisticated security team to successfully self-host a website.

“Open source like WordPress have a lot of vulnerabilities that make it easy to get access and to eventually get into the database,” Schilling said. “A security team has to be able to identify the threat presence and have knowledge of security patches.”

Because there are zero-day vulnerabilities that no one knows about, enterprises need a security team with the tools and capabilities to detect threats, said Schilling, who also noted that most of the customers that come to them have been compromised through their websites.

“They tried to host on their own, but they’ve been told they lost company IP, and they realized they can’t do it themselves,” Schilling said.

The companies who have already been infected require a very sophisticated security team to find the threat. Schilling said, “We are able to find the threat actors who have been on the network for 100+ days.”

Schilling also noted the complications of patching different applications that aren’t compatible. “In some cases, companies can’t patch because it breaks the application that they’ve written on top of the server,” Schilling said.

Schilling advised, “Companies should invest in a web platform that is secure. With platforms like Java exploit, WordPress, or Magento, they need at least one security person who knows how to keep up.” With these open source platforms, the companies have to monitor their websites themselves.

“In most cases it’s a full-time job to monitor open source platforms and understand whether they are patched or can be patched,” Schilling said. Depending on the size of the organization and the staffing budgets, having their website managed can provide a core intelligence security model that protects customers all the way through the stack, said Schilling.

Most organizations that shift to managed hosting of their websites, Schilling said, “Don’t want to be bothered with managing infrastructure. They can manage the content inside applications. The hosting provider delivers the tech labor so that customers can manage their content.”

Web hosting providers know the latest versions of updates on a variety of applications, and Schilling said, “They can provide upgrades to the infrastructure without much change to the service. They provide high-speed storage with better performance.”

If an organization is considering moving to a hosting provider, Schilling advised, “Make sure the hosting provider stays up to date.”

If the right in-house security team is too costly, companies might find that a hosting provider is more affordable and efficient depending on their needs. Schilling said, “A reputable hosting company should have a security team with talent, tools, procedures, antimalware scanning, vulnerability scanning, and a plethora of tools they can leverage to detect threat activity.”

For those that are self-hosting, John Bock, vice president of software security, Optiv, said, “There are lots of options for website service providers out there, from lower tiered providers who offer free stuff all the way to full service providers. As you scale up the price, you are paying for more isolation so that breaches are dependent on the security of your own site.”

For most companies deciding whether to self-host or outsource website management, cost and security are the most frequent questions. Bock explained, “Aside from the cost of having an internal management team, the hosting provider is more on the ball than you will be with patching.”

Because very few if any hosting providers will agree to unlimited liability in a contract, companies need to keep in mind that even if they completely outsource their website development and management, the website is theirs. Their customer information and data will be collected. In the event of a breach, the name of the enterprise, not the hosting provider, will be in the spotlight.

Bock explained, “If you are a health insurance company who builds its own consumer level website that collects a lot of patient data, and that data gets compromised, it’s not just damaging to your reputation and brand. There are HIPAA laws and additional disclosures that can result in real penalties.”

Organizations need to do a cost-benefit analysis and determine whether the security they can guarantee in-house will surpass that of a managed service provider. Whether having a website fully managed or self-hosting their website, Bock said, “The rules of the game are the same. Keep everything hardened and patches up to date.”

When it comes to self-hosting, a security concern for Brad Anderson, CEO, Fruition, a full service digital agency that provides web hosting and website development, is that companies are banking on the hope that they are going to stay under the radar and avoid risk.

Anderson said, “One benefit of having a managed website is that an enterprise has a dedicated team of development operations folks who are specialized in firewall.” Security and accessibility are two of the most important concerns with websites.

Anderson noted, “Places like Amazon and Azure are largely unmanaged. Self-hosting requires an in-house server administration team and the ability and wherewithal to have access to the hardware 24/7. Most corporate IT teams do not want to deal with this.”

Certainly there is no single reason why companies decide to outsource the management of their websites, but a disastrous event can raise concerns. Noticing a security issue or suspicious behavior is a reason organizations hire external parties to manage their websites, said Anderson. “There has been some security event where they are watching behavior but not quite sure what to do about it,” he continued.

“With managed hosting, they have multiple layers of management. There is managed hosting and managed security with WAFs (web application firewalls) and hardware firewalls. Both software WAFs like ModSecurity and hardware firewalls,” Anderson said.

When enterprises invest in managed hosting, Anderson said, “Companies are shifting the risk and leveraging the cost of hardware firewalls.”
