The standard layered-security model depends on maintaining appropriate security
measures and procedures at each of five distinct levels within a network
environment, so that a failure at one level does not expose everything behind
it. The standard network levels are:
1. Perimeter - every point where the company's internal network meets the
outside world (internet connections and remote-access entry points)
2. Network - the company-owned internal network and the traffic that moves on it
3. Host - the individual computers (servers and workstations) within the company network
4. Application - any piece of software running on a host, including the web application itself
5. Data - all the information stored and processed on those computers
Security Provided by a Hosting Company
For the typical website owner, the first three levels of security are provided
by your web hosting company. Their firewall and intrusion detection systems
will be set up to protect their internal network from attackers and other
unauthorized users. The hosting company will usually restrict internet traffic
destined for their web servers to the ports specifically used to provide website
services (for example, the HTTP and HTTPS ports) and block all other ports on the
web servers. Normally, they will also put a second firewall between the web
servers and the rest of their network, so that a compromised web server cannot
reach their internal systems directly.
Web hosting companies will run anti-malware scanning on their servers, which,
as a side effect, will also catch known malware in the files that make up your
website. Note that such scanning detects known malicious files; it will not find
a flaw in your own application code. The hosting company will also use standard
user ID/password authentication for website owners to access their websites for
maintenance and uploading purposes; where they offer an encrypted transfer
method (SFTP or FTPS), use it rather than plain FTP, which sends your password
across the internet in clear text. If they provide web-based email, they may
also provide email filtering software that checks all incoming messages. The
hosting company will provide application and data security for their own
servers and control panels, but not for their clients' websites.
Security Provided by the Website Owner
The website owner must provide both application and data security for their
own website: the hosting company has no way to know what your application
expects or what your data is worth.
Input Validation
For applications, the fundamental control is input validation. Input validation
verifies that each piece of application input is safe to process before the
application acts on it, and it is especially important for web-based input,
which is under the complete control of whoever submits it. For example, take
a web form with a ZIP code field. The only acceptable input for this field is
exactly five characters, each one a digit 0 through 9. All other input should
be rejected and produce an error message when submitted. You can use JavaScript
in the browser to perform initial validation on the client side, which gives
the visitor a quick response, but that check is only a convenience: a visitor
can disable scripts or submit the form with any tool they like, so the same
validation must be enforced again on the web server (in the CGI script or other
server-side code) so that the application only accepts data that is expected
for any given field. Validate by describing what is allowed (an allowlist) and
rejecting everything else, rather than trying to enumerate what is dangerous.
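The ZIP code check described above, written as an added example rather than code from the original page: an allowlist rule set for a hypothetical contact form (the field names, patterns and length limits are assumptions for illustration) that can run unchanged in the browser for quick feedback and again on the server, where it is the check that actually counts. Fields the form never defined are rejected rather than silently accepted, and the server handler returns an error status when validation fails.

```javascript
'use strict';

// Allowlist rules for a hypothetical form (assumed for this example).
// Each rule says exactly what is acceptable; anything else is rejected.
const FIELD_RULES = {
  zip:   { pattern: /^[0-9]{5}$/,                   maxLength: 5,   required: true  },
  email: { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,   maxLength: 254, required: true  },
  name:  { pattern: /^[\p{L} .'-]+$/u,              maxLength: 80,  required: true  },
  note:  { pattern: /^[\p{L}\p{N} .,!?'"()\n-]*$/u, maxLength: 500, required: false },
};

// Validate one field; returns null when acceptable, otherwise an error message.
function validateField(name, value) {
  const rule = FIELD_RULES[name];
  if (!rule) return `unexpected field "${name}"`;       // unknown fields are refused, not ignored
  if (typeof value !== 'string') return `${name} must be a string`;
  const v = value.trim();
  if (v === '') return rule.required ? `${name} is required` : null;
  if (v.length > rule.maxLength) return `${name} is too long`;
  if (!rule.pattern.test(v)) return `${name} has invalid characters or format`;
  return null;
}

// Validate a whole submission. Runs identically in the browser and on the server.
function validateForm(fields) {
  const errors = {};
  for (const name of Object.keys(FIELD_RULES)) {
    if (FIELD_RULES[name].required && !(name in fields)) errors[name] = `${name} is required`;
  }
  for (const [name, value] of Object.entries(fields)) {
    const err = validateField(name, value);
    if (err) errors[name] = err;
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Server-side handler: the browser may already have validated, but the server
// must never trust that and re-runs the same rules before doing any work.
function handleSubmit(body) {
  const result = validateForm(body);
  if (!result.ok) return { status: 400, errors: result.errors };
  // ...only now would the application store or process the submission...
  return { status: 200, errors: {} };
}

// Constructed sample submissions: a normal one and one that bypassed the browser check.
const GOOD_SUBMISSION = { zip: '12345', email: 'visitor@example.com', name: "Ann O'Neil" };
const BAD_SUBMISSION  = { zip: '1234a', email: 'visitor@example.com', name: 'Ann', role: 'admin' };

module.exports = { FIELD_RULES, validateField, validateForm, handleSubmit, GOOD_SUBMISSION, BAD_SUBMISSION };
```

Because the rules live in one object, the same file can be served to the browser and loaded by the server, so the two copies of the check cannot drift apart; the server's copy is still the one that protects the application.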
Encryption
It is also standard to use a secure connection (HTTPS, that is, SSL/TLS) when
collecting sensitive data, such as a visitor's personal information. The levels
of encryption historically offered by browsers and servers were none, 40-, 56-,
and 128-bit, where 128-bit was the highest level of page security. The 40- and
56-bit levels were export-grade ciphers and are now considered breakable, so a
site should accept only 128-bit or stronger encryption (current TLS uses 128- or
256-bit AES).
Encryption is the most effective tool for protecting information in transit.
Data is scrambled so that only the intended recipient can unscramble and read
the contents, which means someone watching the network between the visitor and
your server learns nothing useful. It protects the information on its way to
you, but it does not address the issue of privacy after the information has
been collected: how it is stored, who can see it, and what it is used for are
the subject of your privacy policy.
It is also important that you let your visitors know that you are taking
security measures to protect their private information, for example by
serving the form over HTTPS and stating what you collect and how it is protected.
Backups
The hosting company will back up their server data, but most hosting companies
do not back up their clients' website data. It is your responsibility to keep
a backup copy of your website so that you can restore it in the event of
failure or compromise. If you create the content on your desktop PC and then
upload it to the web server, your local copy covers that content, because the
probability of your desktop PC and the web server failing at exactly the same
time is small, and the local copy remains current as long as you always edit
locally first. Anything that is created on the server itself, such as a
database, visitor uploads, or order records, exists only there and needs its
own backup. It is also worth keeping an additional copy offline or at a
different location, since an attacker or a piece of malware that reaches your
PC may also reach any copy it can write to. Update the offline copy any time
you make major changes to your site, and test now and then that you can
actually restore from it: a backup that has never been verified may turn out
to be incomplete or corrupted exactly when you need it.