The following sections make up the relevant structure of this simple research document.
- Security principles
Website hosting protection. What do we need protection from? Shouldn’t a website represent the thoughts and ideas of the creator and exist securely on the internet? Doesn’t the hosting software and provider automatically have enough resources and restrictions to support my website’s security needs? In an ideal world, this should be the case. Hosting services may not be enough to keep your website safe in the real world of nefarious bots, malware, and cross-site scripting.
A professional website developer should take all reasonable responsibility to protect website security. This document will list the minimal viable security measures necessary for site security.
Our research will involve the study of current Web 2.0 standards. Web 2.0 standards refer to websites that emphasise user-generated content, ease of use, participatory culture and interoperability (i.e., compatibility with other products, systems, and devices) for end-users.
Web 2.0 is a more advanced standard than its predecessor. Old school websites represented a catalogue of pages created using HTML without end-user participation or interaction. The end-user interaction of Web 2.0 complicates the security requirements because an end-user may have the authority necessary to introduce malware accidentally to a system.
Web 2.0 presents the “social web”. Alongside all the advantages it offers for communication and social interaction, the social web also introduces a new security threat: trust. The security principles discussed in this document include the following.
Isolation and quarantine, a method the world has learned recently with the coronavirus, can stop the spread of infection.
Military ships and submarines engineered with bulkheads (watertight doors) can isolate and quarantine sections of the ship. Each such subdivision of a ship’s hull is known as a watertight compartment. Vertically, floors are separated from each other, and horizontally, the ship’s compartments are isolated from each other. If water fills one compartment, the ship can stay afloat.
Hosting providers use virtual machines and software containers to quarantine sections of the software effectively and to prevent one site from affecting another. In an Apache Web Server, this is known as compartmentalization.
Another type of isolation is the use of privilege. Applying privilege to users and containers lets administrators follow another military method, “need to know”. If a user is not required to access information or a container of information, they are not on the “need to know” list and should therefore be restricted.
The underlying protocol used to transport information over the internet has improved. URLs should use the HTTPS protocol. HTTPS encrypts traffic end to end between the browser and the web server, so intercepted information cannot be read.
Q. What needs to be protected?
The original website content presented with an expected customer experience should be protected from unexpected change.
Q. When is this unexpected change likely to occur?
If our customer tries to access our site, and our site does not exist, an unexpected change has occurred. If our customer can access our site and the expected customer experience is not achieved, an unexpected change has occurred.
Q. Where did this unexpected change originate?
You will be asking this question when an unexpected change has happened. Where did this change come from? Who, what, when, where, why did this happen?
Documenting changes made to a site will help you as a developer understand the timeline of change. However, if the change was not expected, then your documentation will be of less value.
Live monitoring will show changes made to a site that can then be reversed or restored to bring a website back to an expected stable result.
Our first mandatory method
Our first mandatory method of website hosting protection is to have live monitoring for changes made to any software or pages on the website. Live monitoring will alert the administrator to changes and site downtime. Repair and restoration can then be effective.
Creating Watertight Compartments.
Closing software doors can restrict access to areas of the website and reduce the risk of accidental damage. Privileged access using restrictions based on user accounts, user permission and page restrictions closes security doors and isolates sensitive information.
User-based privilege involves creating user accounts and identifying permissions and rights for each user; an improved method is to identify groups of users and assign permissions to the group. Changing group permissions can then be deployed to a collective of users all at once.
Other forms of restriction and privilege include:
- Physical restrictions to hardware
- Application isolation strategies
- Host security
- Network security
Web application firewalls (WAF)
Our second mandatory method of website hosting protection is to use a web application firewall (WAF).
A WAF applies rules and restrictions to the end-user before they reach the webserver. The webpage is only made available to end-users on the “need to know” list.
Restriction can be implemented by geographical location or website structure. If you are a local plumber and your customers and suppliers are also local, there is little benefit in displaying your website to an international audience. Restricting site access to a local audience can keep your data safe and improve your customer experience.
A WAF can detect distributed denial-of-service (DDoS) attacks, brute-force attacks and zero-day exploits.
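The rule checks described above, modelled as an added example that is not taken from the original article or from any WAF product: a request is tested for geographic location, restricted site structure and repeated failed logins before it reaches the web server. The country code, paths, IP ranges and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

ALLOWED_COUNTRIES = {"AU"}           # assumption: the business serves one country
RESTRICTED_PREFIXES = ("/admin",)    # site structure reserved for staff
STAFF_NETWORK_PREFIX = "203.0.113."  # documentation range standing in for the office
MAX_FAILED_LOGINS = 3                # failures tolerated per client per window
WINDOW_SECONDS = 60

class Waf:
    def __init__(self):
        # client IP -> timestamps of recent failed logins
        self.failures = defaultdict(deque)

    def record_failed_login(self, ip, now):
        self.failures[ip].append(now)

    def decide(self, ip, country, path, now):
        """Return (allowed, reason) for one request, before the web server sees it."""
        if country not in ALLOWED_COUNTRIES:
            return False, "geo"
        if path.startswith(RESTRICTED_PREFIXES) and not ip.startswith(STAFF_NETWORK_PREFIX):
            return False, "restricted-path"
        recent = self.failures[ip]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()             # forget failures outside the window
        if len(recent) >= MAX_FAILED_LOGINS:
            return False, "brute-force"
        return True, "ok"

def demo():
    """Constructed requests: (ip, country, path, time in seconds)."""
    waf = Waf()
    out = [
        waf.decide("198.51.100.7", "AU", "/services", 0),     # local visitor
        waf.decide("192.0.2.9", "NZ", "/services", 1),        # outside the served area
        waf.decide("198.51.100.7", "AU", "/admin/users", 2),  # not on the staff network
        waf.decide("203.0.113.5", "AU", "/admin/users", 3),   # staff network
    ]
    for t in (10, 11, 12):
        waf.record_failed_login("198.51.100.8", t)
    out.append(waf.decide("198.51.100.8", "AU", "/login", 13))  # three recent failures
    out.append(waf.decide("198.51.100.8", "AU", "/login", 80))  # window has expired
    return out

if __name__ == "__main__":
    for result in demo():
        print(result)
```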
An automatic daily backup of system files, user files and database files is our third mandatory method of website hosting protection. Hosting providers often include a complete webserver backup as part of their hosting package, and for me, this is the final backstop to recovering your site and systems. Adding an independent offsite backup offers a new level of site security. If there is a problem with your hosting provider, you can then change the DNS to another hosting provider and restore your offsite backup to the new destination.
You can be back online while your original hosting provider is still trying to solve their hosting and backup problems. For me, it is all about choices. I like the idea of having options.
If your DNS is hosted using a WAF, it can have an automatic backup site. If the WAF detects that the original site is not responding, the backup location is automatically engaged, and your site switches. The end-user customer experience is not compromised.
Mandatory website hosting protection summary.
1. Live website monitoring
2. Web application firewall (WAF)
3. Daily offsite backups.
Our goal is to keep our information secure, keep attackers out, and limit security effects on the end-user experience. Recognise the systems at block level and identify the single points of failure that will impact your end-user security.