Web Hosting Security is Manual Operation
Web hosting security is big concern by both service providers and end users. We probably tried everything we can to keep our data in safe place such as firewall and anti virus software installation, enhanced password policies etc. However, the server end daily operation is beyond our control. In this article we discuss hosting security problems caused by hosting company staff and how we should deal with it.
To start with, let's check following top security events from hosting industry.
On August 25, 2011, a former Rackspace sales employee called David John Whitman was sentenced two years of probation for defrauding the company over $60000 commission. Being a salesman, he had familiared with everything about the company structure and sent Rackspace multiple fake order forms to generate higher commissions.
On April 22, 2013, a former employee of Hostgator Eric Gunnar Gisse was arrested and charged with installing a backdoor that gave him root control over 2,700 servers. Before Eric left hostgator, he had been medium-level server administrator with good performance. He then worked at Rackspace as a DC technician. He's currently held at the Harris County Jail.
Besides above, there're multiple similar events revealed by thewhir website. As we learnt from all industry news, most top issues are generated from the internal company instead outside attacking. Thus no matter how hard we have tried to secure our stuff, everything will finally depend on people. That means when we consider security, human is a big concern.
The both Rackspace and Hostgator are pretty reliable hosting groups and millions of clients being served by their service. They're actually rule makers of the industry so with no doubt they have the most advanced technologies for server protection. However such serious issues are actually occured with them, why? Let's reveal the secret by our experience in working with several groups.
The truth
The truth is when a company grows, there're lots of peopel in & out on different positions. Most of the time the trainning courses focus on tech and service parts instead teaching people how to follow the company terms/rules and any potential punishment because of violation.
In our training experience, we paid too much efforts in teaching people how to familiar with our tools and basic skills to deal with customer complaints. Because the trainning period is always limited for one or two weeks, there's no more time to teach other things. The real practice at work is also about technical guidelines which is directed by supervisors. Once customer complaints solved, they can do whatever they liked.
As we see, such workflow brought us lots of potential problems because employees are not tought how to follow company policies properly and even worse, many companies don't even have papered policies that could be seen in office. From support end, almost every people be able to grab client privacy information including email ids, full names and cc numbers etc. In the sight of supporters, there's no privacy because they have access to all client information, they can access to your hosting space without a valid id/password because everything can be bypassed from their end. You can't tell if your contact email is kept by anybody or not and one day you'll be surprised about a direct promotional email with your full name on it!
Another stupid thing is many hosting company employes part time workers in order to reduce costs. Most part time workers are students who are teenagers. They can determine when to work and when not to. Some people are even granted to work at home by VPN connection!
How can we Get guaranteed safe hosting?
The answer might vary based your situation. When you're running a big business, a reputable and high quality dedicated service is definitely the best choice because nobody could access it besides you. If shared hosting is good enough for you, you can probably do the following
Read company blogs about their daily workflow. This would be the most direct way to learn about a hosting company. If their people are active, they will post their company events frequently on blog. There we can know how the company looks like in reality. For example if everywhere is lousy in the office, they must be less professional in managing customer accounts. We don't recommend a hosting service without a company blog. In this way, InMotionHosting is very good example. It's probably the only hosting group who is managing so successful blog. Their people update almost daily for various events and upload lots of work evironment pictures so clients can know exactly how they're doing.
Learn about the company department structures. Read the company yellow page and email to their CEO directly if needed so you can understand how the service is organized. Based your understanding about the company you can judge easily if they're running a healthy business. Prepare your questions carefully so you can get useful replies.
Read online about the company history. If the hosting service has been offered for some time, there must be a plenty of customer reviews. We can read how people say about their service and if there's any serious issues to bring down customer business. Don't complain about the time taken work because you put your privacy and business there.