Is your website secure today? October is National Cyber Security Awareness Month in the United States and Cyber Security Month in Europe — each aim to provide awareness and education about threats and promote the resources needed to stay safe on the web.
We know the security threat landscape of today is vast -- phishing, malware, DDoS, you name it. Attacks are meant to steal information or disrupt traffic. Although attacks can be addressed and even prevented, security best practices and technology is multifaceted.
Here are some of the common ways to thwart threats, and some options to keep your site secure.
Understanding the web security alphabet soup: HTTPs, WAF, SSL and more
Just because you have HTTPs, WAF, SSL, etc, doesn’t mean your website is secure. You likely have some, if not all of these components already on your cloud platform, but not all of them are created equal. The ultimate decision on security depends on the purpose of your site today and your vision for tomorrow. The key is to ensure you haven’t made decisions that make it difficult to evolve.
Let’s define the following security protections:
- HTTPs: We are all pretty familiar with this one. It is the secure version of HTTP (hence the “s”). What this means is that the data transfer between the client and the server is secured using secure socket layer (SSL) or transport layer security (TLS).
- SSL: SSL is one of the key methods for securing data as it flows across the Internet. Your site has a certificate that the user’s client recognizes to set up the secure connection. Once this transaction is complete, data can flow across a secure connection from the site to the client.
- TLS: Also mentioned above for HTTPS, transport layer security is another method of establishing a secure connection between a client and a site. Like SSL, TLS is based on an encryption certification for data transmitted between the site and the client.
- WAF: Web Access Firewalls are configured to examine web traffic coming in to a site to detect any suspicious behavior. WAFs are primarily used to prevent attacks like distributed denial of service (DDoS) and SQL-injection.
Some vendors package up free security offerings that don’t offer the necessary customizations or protections you need.
For example, SSL certificates may be included with some cloud hosting providers’ offerings. However, with these options you are locked in to your provider’s choice of SSL vendors. Adding your own provider to the mix may result in other features being degraded or unavailable. Different providers offer varying types of protections, some are ironclad, while others may not offer the security support you need to protect yourself from an attack.
How can you tell the difference between strong protection vs. another check of the box?
Within the list of protections above, you have a combination of requirements and choices. However, it’s not as straightforward as a definition. If your objective is a secure website, then you need HTTPS, but in terms of how you deliver it, you can choose between TLS or SSL.
Acquia Cloud supports SSL certificates and allows our customers to select their preferred certificate provider. Our customers have different use cases that mean one size doesn’t fit all when it comes to SSL certificates. For some customers, technology like content delivery networks (CDNs) are not required, making some of the free certificates a good option. For others, incorporating SSL certificates for Acquia Cloud Edge CDN make more sense. The key for Acquia is providing our customers the freedom to manage their requirements for HTTPs.
While Web Access Firewalls aren’t necessarily required to maintain website security per se, they can significantly prevent downtime caused by distributed denial of service (DDoS) attacks. It takes time for network monitors to realize that an attack is happening.
Once an attack is identified, it will take time to solve the problem. Between the time of the attack, investigation and response, your site is (at best) experiencing poor performance. Adding a WAF to your site will enable site traffic to be detected as harmful before it reaches your site. This means, no downtime and less effort spent on investigation and mitigation of attacks.