“In most cases it’s a full-time job to monitor open source platforms and understand whether they are patched or can be patched,” Schilling said. Depending on the size of the organization and its staffing budget, having the website managed can provide a core intelligence security model that protects customers all the way through the stack, said Schilling.
Most organizations that shift to managed hosting of their websites, Schilling said, “Don’t want to be bothered with managing infrastructure. They can manage the content inside applications. The hosting provider delivers the tech labor so that customers can manage their content.”
Web hosting providers know the latest versions of updates on a variety of applications, and Schilling said, “They can provide upgrades to the infrastructure without much change to the service. They provide high-speed storage with better performance.”
If an organization is considering moving to a hosting provider, Schilling advised, “Make sure the hosting provider stays up to date.”
If the right in-house security team is too costly, companies might find that a hosting provider is more affordable and efficient depending on their needs. Schilling said, “A reputable hosting company should have a security team with talent, tools, procedures, antimalware scanning, vulnerability scanning, and a plethora of tools they can leverage to detect threat activity.”
For those that are self-hosting, John Bock, vice president of software security, Optiv, said, “There are lots of options for website service providers out there, from lower tiered providers who offer free stuff all the way to full service providers. As you scale up the price, you are paying for more isolation so that breaches are dependent on the security of your own site.”
For most companies deciding whether to self-host or outsource website management, cost and security are the questions asked most frequently. Bock explained, “Aside from the cost of having an internal management team, the hosting provider is more on the ball than you will be with patching.”
Because very few if any hosting providers will agree to unlimited liability in a contract, companies need to keep in mind that even if they completely outsource their website development and management, the website is theirs. Their customer information and data will be collected. In the event of a breach, the name of the enterprise, not the hosting provider, will be in the spotlight.
Bock explained, “If you are a health insurance company who builds its own consumer level website that collects a lot of patient data, and that data gets compromised, it’s not just damaging to your reputation and brand. There are HIPAA laws and additional disclosures that can result in real penalties.”
Organizations need to do a cost-benefit analysis and determine whether the security they can guarantee in-house will surpass that of a managed service provider. Whether having a website fully managed or self-hosting their website, Bock said, “The rules of the game are the same. Keep everything hardened and patches up to date.”