Whether webspace package, own server or cloud solution: Security plays a big role in web hosting. With the product selection, the hosting customer determines essential aspects. On the other hand, he has no influence on the security of the data center. It is all the more important to find a reliable hosting partner.
If you are looking for a hosting solution for an Internet project, you often first compare storage space, database, and programming functions. Although these are important criteria for product selection, security aspects rather determine how practical a hosting solution is. The best server is of no use if it is unavailable, and the fastest hard drive is waste money if data is lost.
Overview: Four security areas
Security in web hosting concerns four areas – one can also say four levels. At the top of the list is the security of the data centers that the hosting provider must guarantee. These include building security, fail-safe power supply, and air conditioning, to which the hosting customer has no influence. The second area is the security of the network at the provider, such as firewalls and intrusion prevention systems – the defense system against cyber attacks of various kinds. Again, you have to trust the hosting provider. Level three is product safety. These include backups, operating system, and software updates and system monitoring measures – as a result, service, and support. Product safety is controllable by the customer by selecting the right product and using it properly. That’s why it’s the focus of this article.
Focus: Product safety
As different as the hosting products are, so are their security features. Shared hosting offers fewer customer-manageable security options than a dedicated root server, and virtual server security properties are different from those in the cloud. But there are also similarities: aspects of product security that apply to all hosting variants. These include regular backups because they are the best way to prevent data loss.
Backups of files and databases
For virtual and dedicated servers, file backup is usually done using File Transfer Protocol (FTP) on a server-independent storage space provided by the provider. Depending on whether it is a managed server or a root server, setting up and controlling the FTP backup is more or less the responsibility of the hosting provider or the customer. How much space is available depends on the chosen hosting product? Often several tens to several hundred gigabytes are included, more backup space costs extra. But there are also server offers where the customer has to pay for backups from the beginning. Automatic backups are the standard, but additional manual backups do not offer any hosting solution. These are necessary, however,
Even with shared hosting, backups of the web space content are possible – at least for professional offers. For example, “BackupControl” from Strato secures the web space data daily at 8, 16 and 24 o’clock. If necessary, the customer can restore the situation at a specific time in the last three days, or resort to a weekly backup of the past four weeks. A similar system offers 1 & 1: “Webspace Recovery” restores the backups of the last six days.
In addition to file backups, database backups are very important because database content changes quickly. These are regulated differently by each hosting provider: For example, they can be controlled by Hostnet via the administration tool “easyTECC”, while Goneo and other providers recommend the free tool “MySQLdumper”, which the customer first has to install on his webspace.
Updates for system and software
Important for product safety are regular updates of the operating system and the software. Critical security updates should be made immediately to prevent cyber attacks of any kind. With shared hosting, the customer has to rely on the hosting provider to maintain the systems. On the other hand, anyone who rents a dedicated root server is responsible for updates to the operating system and the software itself. The administration requires expertise and costs time, which is why many users prefer to use a managed server, where the hosting provider takes care of the system maintenance. But pay attention: Which services belong to the server management and which not, regulates each hosting provider differently. Therefore, you should be informed before deciding on a specific offer.
Server disks in RAID configuration
Redundancy ensures more security. Therefore, server disks work in a RAID array, so all data is automatically saved twice or more. The most common method is RAID1, where the data is mirrored on two disks. Depending on the offer, it is a hardware or software RAID. In the case of hardware RAID, hardware controls the hard disk connection: the controller. The software RAID does not use its own control software; rather, the server processor has the command over the hard disks. This can but does not have to, lead to performance losses for the server. And in terms of security, a hardware RAID can even cause more problems than software RAID, namely, when the controller fails.
Server monitoring around the clock
Despite regularly maintained systems and redundant hardware, any hosting solution can fail. Network, hardware or software problems can be the reason. Solving the problems as quickly as possible is the essential task; to recognize the causes, the more difficult ones. Monitoring systems help with this. They monitor server systems, ideally around the clock, and report abnormalities to the customer. Depending on the provider, the customer will be notified by e-mail and/or SMS. Rarely is the notification via messenger, Twitter or even possible by phone. In any case, the customer can respond to the problems himself or consult the host. Customers of a managed server have advantages over root server users.
Standard or 24/7 support
Service and support play an essential role in web hosting security. Because all technical measures do not help, if in case of emergency no help from the hosting provider is to be expected. So ask your provider, which services the standard support by phone and e-mail includes and what costs arise. 24/7 help should be self-evident, but it is by no means: Some hosting providers do not provide 24/7 support or charge high fees for out of hours assistance. In a service level agreement (SLA), some hosting providers specify their services exactly. Often they also provide information on the availability of their offers.
At first glance, between 99.0 and 99.99 percent availability does not seem to be a big difference. What makes one percent? Very much! Because one percent of the year is about 3.5 days. If hosting providers guarantee “only” 99 percent uptime, it means that the hosting plan can be up to 3.5 days a year without the provider is responsible. For many Internet projects, such a failure would have fatal consequences.
Secure cloud hosting and privacy
Cloud hosting distinguishes between public clouds, private clouds, and hybrid clouds. When it comes to safety, this distinction is especially important.
Public clouds correspond to the basic idea of cloud computing: The hosting customers share the resources offered by the provider. The required hosting services can be changed at any time, during operation. With auto-scaling, this resource adjustment is even automatic. The customer pays only for services actually used. As advanced as it may be, the security situation is so unclear: Perhaps the “locations” of public clouds are anonymously distributed all over the world. Users can’t spatially locate their data. They may not know in which countries, in which data centers, on which servers and with which software their data are stored and processed. According to the philosophy of cloud computing, the customer probably does not know whether the hosting provider outsources services. So it is also conceivable that providers operate a trade in their resources.
Critics of Public Clouds even see an increased risk of data theft, as more and more people get administrative tasks and could be among them “black sheep”. The recent ruling by the European Court of Justice on the Safe Harbor Agreement also shows how difficult international law currently is. The court had annulled the agreement governing data exchange between the EU and the US because it did not see the personal data of European Internet users sufficiently protected from access by US authorities.
No wonder many companies prefer private clouds. These are dedicated server environments where the hosting customer can run their own private cloud. He does not have to share the infrastructure with others. This limits the scalability of hosting offerings but increases security.
A German company that outsources personal data to a cloud provider must ensure that it complies with German data protection laws. However, only hosting providers based in Germany guarantee this. But a data center in Germany is no guarantee. The best example of this is the market leader Amazon with its Amazon Web Services (AWS), which includes, for example, the public cloud solution Amazon Elastic Compute Cloud (EC2) and the Amazon Virtual Private Cloud. Those using these services in Germany to store data under privacy laws may be at risk. Although Amazon has its services more strongly based on European law this year, there is no guarantee for compliance with German law.
For customers of a German hosting provider, the use of a hybrid cloud could be interesting. Data relevant to privacy is stored in a private cloud, other data in a public cloud. At peak loads, the customer can add more power from the public cloud.
More reliability in the cloud
Anyone looking for individual hosting solutions for complex Internet projects may be interested in cluster hosting – a hosting variant that combines several real servers or instances in the cloud, such as Profihost’s FlexCluster system. Rather than further increasing the performance of a server or cloud instance and eventually exploiting the system, it is often more effective to combine multiple servers or instances into one cluster. Incidentally, this brings a major advantage for security: the cluster elements secure each other. In the event of a sudden failure of one system, another jumps in while the problems can be resolved without downtime of the Internet project.
Even more, resilience promises the combination of load balancing with a cluster IP, as they offer, for example, Host Europe and Strato. An additional IP address allows web requests to be redirected to another server within minutes. If the server configured as master can’t be reached, for example, due to maintenance work or a software error, another server will start up in no time. There are also a number of other scenarios for ClusterIP.
System security at the hosting provider
By choosing the best possible hosting product and its correct use, customers contribute significantly to the security of an Internet project. On the security of the network with the provider, however, they have zero impact. Nevertheless, it is worth taking a look at the infrastructure of the hosting provider, as it is more or less secure depending on the provider.
Important is about an effective core firewall. This is preceded by an intrusion prevention system (IPS). Such a system monitors all Internet-to-data center traffic and specializes in detecting and countering cyber-attacks. Practically all well-known hosting providers like WPEngine, Bluehost, SiteGround etc today use intrusion prevention systems or similar technologies. If the IPS detects a brute force attack, for example, it interrupts or alters the Internet connection, immediately stopping the attack.
Security in the data centers
By choosing a particular hosting provider, the customer fully relies on its expertise. This also affects the equipment and operation of the data centers. A recognized certificate proves the fulfillment of the requirements of both the legislator and the customer for a modern information and security management. The customer, who has personal data processed by third parties, is obliged under §11 BDSG to “regularly verify compliance with the contractor’s technical and organizational measures.” Thanks to ISO 27001, the customer is spared these elaborate controls.
But what makes a data center secure? The first priority is building security. Secure data centers are structurally designed to withstand as many unpredictable events as possible. This applies, for example, to acts of God due to severe weather, water or fire, but also intentional acts such as unauthorized intrusion into the building, theft, vandalism or terrorist attacks. As a result, secure data centers have not only sophisticated fire protection systems, mostly nitrogen or argon gas extinguishing systems, but also door locking systems with recorded locking, various (video) monitoring devices, and alarm systems. Most systems are two or more times available, so that in case of failure of a protective mechanism automatically the replacement mechanism comes into force.
But a secure building alone does not guarantee a secure data center. The reliability of the servers and other hardware is fundamentally ensured by a multi-redundant power supply. Ideally, there are independent circuits and two stages of emergency power supply: In the event of a main power failure, an uninterruptible power supply (UPS) will be the first to take over, and in an emergency, diesel units will provide power for a few days.
A large part of the power consumption is at the expense of the air conditioning, without which no data center can manage. A consistent indoor climate ensures smooth operation, so your Internet projects are sure to be well hosted.
Conclusion: Better to play it safe
Before you put your internet project in the hands of others, check that you have found the right hosting partner and the best product for your purposes. Pay attention to the mentioned security aspects and ask better once more than too little with the hosting provider, what your desired product offers and how safe it is. Consider also the high demands on the data protection.