Web Hosting Trials and Tribulations

As with so many things in life, web hosting is a more complicated problem than it first appears. I notice this particularly now that I'm involved with several websites, each with different objectives. One of the most interesting problems is finding the right balance of security.

Security is typically defined as confidentiality, integrity, and availability. Many sites, like this one, don't worry much about confidentiality because the site is for the public with little, if any, restriction. All sites care about integrity, because a reader needs to know that what they see is what was actually published (is this the text that I wrote, or did someone else edit this page after me?). And most websites care a lot about availability.

Unfortunately, availability objectives run counter to both confidentiality and integrity. Leaving confidentiality out of this for now, we'll focus on integrity.

In order to maintain the integrity of a website I need to restrict who can change the website's files. In order to have high availability I need round-the-clock maintenance oversight of my web server and that server's Internet connection, not to mention name resolution and software maintenance. Now for the catch: the enhanced level of maintenance I want for availability reasons undermines my ability to guarantee the integrity of the site. For example, by hosting a website at a professional data center I enjoy the higher level of maintenance they provide as part of the hosting service. However, those system administrators now have access to my files and can change them without my knowledge. The only things preventing that are professional responsibility on their part, and perhaps some additional security controls that I put in place. Of course, there are no effective security controls available to me that will counter a determined attacker with physical access to the web server.
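One control that is available to the site owner, and that fits the "changes without my knowledge" worry above, is an integrity manifest built offline from the copy of the site I publish and checked later against what is actually on the host. The following is an added example, not code from the original post: it records a SHA-256 digest of every file, authenticates the manifest itself with an HMAC so that whoever edits a file cannot simply edit the manifest to match, and reports files that were modified, removed, or added. The directory contents and the key are constructed for the example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _encode(files: dict) -> bytes:
    # Canonical encoding so the HMAC does not depend on dict order or whitespace.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Run on the trusted (offline) copy: digest every file and authenticate the list."""
    files = {p.relative_to(root).as_posix(): hash_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "hmac": hmac.new(key, _encode(files), hashlib.sha256).hexdigest()}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare the published files under `root` against the manifest.

    If the manifest's own HMAC does not verify, the file comparison is meaningless
    (someone may have rewritten the manifest), so stop there.
    """
    expected = hmac.new(key, _encode(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    current = {p.relative_to(root).as_posix(): hash_file(p)
               for p in root.rglob("*") if p.is_file()}
    recorded = manifest["files"]
    return {
        "manifest_ok": True,
        "modified": sorted(n for n in recorded if n in current and current[n] != recorded[n]),
        "missing": sorted(n for n in recorded if n not in current),
        "unexpected": sorted(n for n in current if n not in recorded),
    }


def demo() -> dict:
    """Constructed scenario: publish a small site, then simulate edits made on the host."""
    key = b"constructed-manifest-key-kept-off-the-host"  # assumption: stored with the offline copy, never uploaded
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>My site</h1>\n")
        (root / "about.html").write_text("<p>About me</p>\n")
        (root / "css" / "site.css").write_text("h1 { color: black; }\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Changes made after publication: one file edited, one removed, one added.
        (root / "index.html").write_text("<h1>My site</h1>\n<!-- edited on the host -->\n")
        (root / "about.html").unlink()
        (root / "css" / "extra.css").write_text("/* not part of the published site */\n")
        tampered = verify_manifest(root, manifest, key)

        # Someone with write access also updates the manifest's digest for index.html,
        # but cannot recompute the HMAC without the key.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["index.html"] = hash_file(root / "index.html")
        forged_result = verify_manifest(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the machine it runs on: running the verifier and keeping the key on the hosted server itself puts both within reach of the same administrators the post is worried about, so the fetch-and-compare step belongs on a machine the site owner controls (for instance, fetching the published pages over HTTP and hashing what comes back). That is the practical version of the point made above, that controls on a box someone else physically controls do not bind that someone.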

So, in the end, it's a matter of weighing the options and picking the devil you're most comfortable with. You can host the site at a data center and enjoy (theoretically) better availability, or host the website yourself and enjoy more integrity.

Comments

Re: Web Hosting Trials and Tribulations

Sites that have high confidentiality and integrity requirements will either want to avoid using hosted services or engage service providers that have been well vetted. These vetted service providers tend to have cleared engineers and administrators.

Additionally, a distinction must be made between hosted and managed services. You retain more control over the content of your sites with hosted services. Configuration control processes tend to be better defined. Plus, as the site owner, your content can be developed and tested at some location and then securely (there is a slew of VPN and integrity check solutions out there) delivered to your host.

Ultimately, the amount of controls built around your sites should be determined by the IMPACT that an unauthorized disclosure, compromised integrity, or non-availability of your site's content will have on your corporate business or national security.

I agree that the impact of a

I agree that the impact of a problem is the determining factor in designing the security controls; however, it's always a tough call to say that you'll compromise on security because the impact is relatively low. For example, I'm not really using this website for too much; however, I'm concerned about the security of the website because it's a reflection on me to at least some degree. Because the impact of a security vulnerability on this website is low, I host the website at a shared service provider and don't use many security controls. That's a risk-based decision that maximizes uptime, minimizes workload, and does a relatively good job of securing the site.

As to hosted versus managed services, unless there is a legal contract offloading responsibility for security, then I don't really consider the two very different. Specifically, I discount all security controls if the object being secured is physically controlled by the attacker. So in the case of a managed service where I put a server in a managed data center, but I control everything on the server, I'm still giving up complete control over my server because it's physically controlled by the managed services company.

And I don't believe in any form of vetting. I've worked with enough organizations to know that there is no vetting process that works; just ask any security officer dealing with national security concerns about all the violations he or she has to deal with. Vetting an individual helps, but that process still relies on defense in depth with multiple layers of technical, policy, and legal security controls. One of the most basic security controls is the ability to fire someone for making a bad mistake (more than once, perhaps). Managed service outsourcing doesn't give you that control over the staff. So when the facility manager for your hosting center forgets to renew the service contract on the generator, and the power goes out and the generator doesn't work, and the generator repair person doesn't show up for two days while the contract is renegotiated, your site is down. Oh, and you don't get to fire that facility manager, and you probably don't even know what the root cause was.

Of course, the problem with security is that the alternatives cost a fortune. In the end it's usually better to bite the bullet, hope that the S3 cloud doesn't contain a massive security vulnerability, and go outside to enjoy the day while your site hums along perfectly.