Re: Security in a hosted facility

From: Michele Jordan (mjordan@gestalttechnology.com)
Date: 06/08/02


Date: Sat, 08 Jun 2002 08:43:44 -0400
From: Michele Jordan <mjordan@gestalttechnology.com>
To: Lists <lists@tigerteam.cc>

Well, I work in that environment.

We do the system type security, upgrade software, apply patches, etc
etc. We monitor access to the server, and scan for blatantly *bad*
things that the customers might put on the server (phpinfo and
formmail.pl come to mind immediately). We use chroot'd ftp
environments to protect customers from each other. We don't allow
anonymous ftp access. We put the servers behind a firewall, and only
allow the necessary protocols through.

The customer is responsible for the security of his ftp password, any
programs to access databases he may implement, etc. If there is
something that is being exploited on the 'net, I will look and see if I
think we are vulnerable via a customer. I have gone in and disabled
scripts on customer sites before because they were insecure.

The squeeze is in offering services. If we offer php, we are inherently
insecure. If a customer wants to access his database from anywhere for
management, it opens it up to everyone else. And, I'm pushed between
management all the time to be "customer-friendly". We are in the
business to sell web hosting, and need to make sure that our customers
want to host at our site. Extremely tight security does not make for a
pleasant environment for the customers. We are implementing differing
security level hosting, for customers that care a bit more than the
others. But, if I drive all the customers away with my security
efforts, we go out of business.

So, it's a balance. I monitor logs, security lists, etc., and try to do my
best. I inform my customers they are in a shared environment, and hope
they *understand* what that means. Most won't, but most of our websites
are little mom/pop things, and won't be devastated if something happens
and we have to recover.

-Michele
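As an added illustration of the "scan for blatantly bad things" step above (example code, not part of Michele's post or the list archive), a small POSIX shell sweep over customer webroots on a shared host; the `<root>/<customer>/public_html` layout, the customer names and the sample files are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original post. Sweeps every customer
# webroot on a shared host for the "blatantly bad" things the post names
# (formmail.pl, phpinfo) plus world-writable files, which on a shared box
# let one customer's content be altered from another customer's account.
# Assumed layout (hypothetical): <root>/<customer>/public_html/...
# Output: one line per finding, "customer:path:reason".

scan_webroots() {
    root="$1"
    for home in "$root"/*; do
        cust=$(basename "$home")
        web="$home/public_html"
        [ -d "$web" ] || continue
        # 1. Known-risky filenames, whatever their contents
        find "$web" -type f \( -iname formmail.pl -o -iname phpinfo.php \) \
            | sed "s|^|$cust:|;s|\$|:risky-filename|"
        # 2. Any PHP file that calls phpinfo(): leaks paths, versions, config
        find "$web" -type f -iname '*.php' -exec grep -l 'phpinfo(' {} + 2>/dev/null \
            | sed "s|^|$cust:|;s|\$|:phpinfo-call|"
        # 3. World-writable files or directories inside the webroot
        find "$web" -perm -002 | sed "s|^|$cust:|;s|\$|:world-writable|"
    done
}

# Constructed sample: three customers, one problem each.
make_sample_tree() {
    base="$1"
    umask 022
    mkdir -p "$base/alice/public_html/cgi-bin" "$base/bob/public_html" \
             "$base/carol/public_html"
    printf '#!/usr/bin/perl\n' > "$base/alice/public_html/cgi-bin/formmail.pl"
    printf '<?php phpinfo(); ?>\n' > "$base/bob/public_html/test.php"
    printf '<?php echo "hi"; ?>\n' > "$base/carol/public_html/index.php"
    chmod 666 "$base/carol/public_html/index.php"
}

# Demo run against the constructed tree; in production point it at the
# real home-directory root and pipe the output to a ticket or mail job.
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_webroots "$demo"
rm -rf "$demo"
```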

Lists wrote:

>I've been researching web defacement trends lately and realized that most (higher percentage) defacements appear to be performed on servers in a hosted facility (such as Interland, Iquest, OLM, Digex etc) furthermore as most of the sites appear to be related to small business I assume they are on shared hosted boxes.
>
>Is there anyone on the list in the ISP/Hosting provider world that can answer who is responsible for security in this configuration?
>
>I realize that some hosting providers offer additional managed security services, but for those that don't and offer shared (multiple sites on 1 box) hosting do they just secure the box and let their clients control their environment? Therefore leaving their customer in charge of their own security for their site?
>
>If indeed this is a bit of a gray area, is there any documented legal proceedings that have held the ISP liable for the lack of security on a hosted site?
>
>Thanks in advance for your assistance.
