Managing the daily updates and upgrades needed to keep the website secure demands a highly skilled administration team. A third-party website management company provides both managed hosting and security, but the security of the site depends largely upon the provider.
Larger enterprises come to website hosting providers because they have regulatory requirements that they can’t meet on their own. Commodity providers, from AWS to Azure and Rackspace, provide infrastructure, but the enterprise monitors the security of the site itself.
Self-monitoring with a highly skilled team can be as reliable as entrusting their site to the security team of a web hosting provider, but not every organization has a staff with the expertise and flexibility needed to build a strong security platform program.
Jeff Schilling, CSO, FireHost, said, “The biggest security risk in self-hosting is that they are outward facing toward the threat, and the threat can interact with the website.” It takes a very sophisticated security team to successfully self-host a website.
“Open source like WordPress have a lot of vulnerabilities that make it easy to get access and to eventually get into the database,” Schilling said. “A security team has to be able to identify the threat presence and have knowledge of security patches.”
Because there are zero-day vulnerabilities that no one knows about, enterprises need a security team with the tools and capabilities to detect threats, said Schilling, who also noted that most of the customers that come to them have been compromised through their websites.
“They tried to host on their own, but they’ve been told they lost company IP, and they realized they can’t do it themselves,” Schilling said.
Companies that have already been infected require a very sophisticated security team to find the threat. Schilling said, “We are able to find the threat actors who have been on the network for 100+ days.”
Schilling also noted the complications of patching different applications that aren’t compatible. “In some cases, companies can’t patch because it breaks the application that they’ve written on top of the server,” Schilling said.
Schilling advised, “Companies should invest in a web platform that is secure. With platforms like Java exploit, WordPress, or Magenta, they need at least one security person who knows how to keep up.” With these open source platforms, the companies have to monitor their websites themselves.
Do you trust your security to someone else?
5 questions to ask yourself when deciding whether to outsource your website’s security:
- What happens when the server goes down at 2 am?
- What's the true cost of managing your website?
- Who is in charge of each layer: hardware, app, etc.?
- Who is in charge of security?
- Is the headache worth it to keep it in-house?