Is your website secure today? October is National Cyber Security Awareness Month in the United States and Cyber Security Month in Europe. Each aims to provide awareness and education about threats and promote the resources needed to stay safe on the web.
We know the security threat landscape of today is vast -- phishing, malware, DDoS, you name it. Attacks are meant to steal information or disrupt traffic. Although attacks can be addressed and even prevented, security best practices and technology are multifaceted.
Here are some of the common ways to thwart threats, and some options to keep your site secure.
Understanding the web security alphabet soup: HTTPS, WAF, SSL and more
Just because you have HTTPS, WAF, SSL, etc., doesn’t mean your website is secure. You likely have some, if not all, of these components already on your cloud platform, but not all of them are created equal. The ultimate decision on security depends on the purpose of your site today and your vision for tomorrow. The key is to ensure you haven’t made decisions that make it difficult to evolve.
Let’s define the following security protections:
- HTTPS: We are all pretty familiar with this one. It is the secure version of HTTP (hence the “S”). What this means is that the data transfer between the client and the server is secured using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
- SSL: SSL is one of the key methods for securing data as it flows across the Internet. Your site has a certificate that the user’s client recognizes to set up the secure connection. Once this transaction is complete, data can flow across a secure connection from the site to the client.
- TLS: Also mentioned above for HTTPS, Transport Layer Security is another method of establishing a secure connection between a client and a site. Like SSL, TLS relies on a certificate to encrypt data transmitted between the site and the client.
- WAF: Web Application Firewalls are configured to examine web traffic coming into a site to detect any suspicious behavior. WAFs are primarily used to prevent attacks like distributed denial of service (DDoS) and SQL injection.
Some vendors package up free security offerings that don’t offer the necessary customizations or protections you need.
For example, SSL certificates may be included with some cloud hosting providers’ offerings. However, with these options you are locked in to your provider’s choice of SSL vendors. Adding your own provider to the mix may result in other features being degraded or unavailable. Different providers offer varying types of protections: some are ironclad, while others may not offer the security support you need to protect yourself from an attack.