Security of IT resources in the outsourcing model (part III)
Protecting resources from unauthorized access has been controversial from the very beginning, especially when it comes to cloud services. Some point out that using them means exposing yourself as a target, while others state that a service provider with qualified experts is able to secure its infrastructure much better than many administrators. The latter are right, but the fact is that the level of IT environment protection varies depending on the hosting service delivery model.
The experience of the last few decades clearly shows that there is no system that cannot be hacked. But you can significantly reduce the likelihood of such an incident. Through appropriate risk management, the operator of various cloud services can influence their level of security. Besides, this does not necessarily have to concern only issues related to leakage or unauthorized modification of data. Companies should also take care of business security, and therefore of guaranteed high availability and business continuity of the IT environment, as well as of backing up data.
Shared servers usually host websites. This puts continuity of access at great risk, because when one website is attacked, the effects may spread to others that are hosted on the same server. These websites are often available at the same IP address (the website domain leads to a specific directory on the server).
In the event of a DDoS attack involving the simultaneous sending of website access requests by millions of computers infected with malware, all websites hosted on a given server may become unavailable. In this situation, security measures applied to your own website or other service may be insufficient; you can only count on the fact that the data center operator uses its own advanced tools to protect against DDoS attacks.
What’s more, using the same IP address for shared hosting has one more consequence. If one of the websites hosted on a given server engages in bad practices, such as sending spam or providing illegal content, this may result in the entire server being blacklisted and, consequently, being blocked on reputation websites or losing position in search engine rankings.
Virtual private server (VPS)
In the case of virtual private servers, the level of separation from neighbors is much greater than in the case of shared environments. In this model, too, many VPSs operate on one physical server, but the probability of one adversely affecting another is very small. As a rule, each virtual server also has a different external IP address, which eliminates the risk of the above-mentioned “collective responsibility” for the actions of the administrator of one of these servers.
Obviously, it is still theoretically possible to attack the physical server and the software (hypervisor) that manages the entire virtual environment. However, these tools are much better secured than in the ordinary shared model, so the risk of such an event is very small. In turn, the administrator is responsible for the security inside a private server (similarly to dedicated servers, which will be explained in a moment), so reducing the likelihood of hacking or data loss depends on his or her qualifications.
Securing dedicated servers can be much more effective than in the case of shared solutions. They are fully separated from other solutions, and administrators gain full control, which, however, requires them to have extensive qualifications. It is also necessary to define procedures that may affect data security and data protection against loss. The administrator is responsible for making backups or updating operating systems and software.
However, you must also always remember that such servers are connected to the internet infrastructure of the data center operator. Therefore, it is necessary to make sure that, in addition to network security, the operator guarantees continuity of the facility's power supply and protection against large-scale DDoS attacks.
Cloud services are the safest form of using hosting provided by an external operator. It is the operator who ensures the continuous operation of the equipment, the tool software and the platform that enables flexible management of the services provided to the customer. Finally, it is the operator who assumes the business risk of the project, because the user has the privilege of paying only for the resources used, which is the most financially effective form of settlement. It is the service provider’s responsibility to guarantee the customer the appropriate amount of computing power and disk space, as well as the applications required by the customer.
We also invite you to read the first two articles from this series: