Starting and growing a small business is tough. And shoestring ventures have it even tougher. Money is scarce. Expertise is scarce. It seems like the only resource that’s consistently abundant is bad advice. Small businesses are easy prey for hackers because they know that small businesses often don’t have the resources available to protect themselves. Small businesses are also easy targets for scams that promise protection but don’t deliver.
How do you, as a small business owner — especially a startup business owner — combat data thieves and find good advice on how to protect your customers’ data without going bankrupt in the process or falling prey to a scam? The answer to both parts of that question is a reliable colocation or hosting provider. Your hosting provider will assist you in protecting your data. They have a vested interest in doing so because their reputation as a provider is also at stake.
To help validate information gleaned from various sources, we have assembled a checklist of services and protection options against data theft. And, possibly to your surprise, most of them could be part of your hosting contract and available at no additional charge. This article provides you with an overview of data protection techniques and technologies that either are provided by your hosting company or are available as third-party add-ons.
Firewalls: Network and Host-based
Whether you select a hosting company that leases hardware to you or you place your own servers into their data centers, network firewalls are part of the package. Hosting companies must protect their own computing environments as well as yours, so firewalls are already in place. If you have special firewall needs, you’ll need to discuss them with your hosting company to review your options.
Typically, hosting providers grant you access to a hosted environment portal where you set up and maintain your own firewall rules. If they don’t have such a service, then you must open tickets and make your requests to their support staff. Providers also separate your network environment from other customers so that there is no traffic mixing among environments.
Some firewall-related questions to ask your hosting provider:
- What firewall services do you have in place?
- How do I request or configure a firewall exception?
- Am I responsible for maintaining host-based firewalls?
Host-based firewalls are those that run on the servers themselves. They are independent of network firewalls, but the two work together to provide a multi-layered approach to overall security. You’ll have to find out whether you or your hosting provider’s staff has the responsibility for maintaining host-based firewalls and their rules. All host-based firewalls should be set to the most restrictive or enforcing mode and allow access only to the specific ports and services required for functionality.
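As an added example (not the article’s or ColoCrossing’s own configuration), a POSIX shell script that generates a default-deny nftables ruleset for one Linux host: inbound traffic is dropped unless it is a reply, ICMP, SSH from an assumed management network, or one of the service ports you list. The management CIDR and the ports are assumptions you replace with your own.

```shell
#!/bin/sh
# Generate a default-deny nftables ruleset for one Linux host (added example;
# assumptions: nftables is the host firewall, and the management CIDR and
# service ports passed as arguments are illustrative).
#
# Usage: gen_host_ruleset <mgmt_cidr> <tcp_port>... > /etc/nftables.conf
#        nft -c -f /etc/nftables.conf   # syntax check before loading
#        nft -f /etc/nftables.conf

gen_host_ruleset() {
  mgmt_cidr=$1; shift                  # network that may reach SSH
  [ $# -gt 0 ] || { echo "usage: gen_host_ruleset <cidr> <port>..." >&2; return 2; }
  ports=$(printf '%s, ' "$@"); ports=${ports%, }
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;   # deny by default
    iif lo accept                                     # local traffic
    ct state established,related accept               # replies to our own connections
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    ip saddr $mgmt_cidr tcp dport 22 accept           # SSH only from management network
    tcp dport { $ports } accept                       # published services only
    limit rate 5/minute log prefix "nft-drop: "       # keep evidence of what was blocked
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Report whether a saved ruleset still denies inbound traffic by default.
ruleset_is_default_deny() {
  grep -q 'hook input priority 0; policy drop;' "$1"
}

# Dry run by default; "--apply" loads the generated rules into the kernel.
if [ "$1" = "--apply" ]; then
  shift
  gen_host_ruleset "$@" | nft -f -
fi
```

Review the generated file before loading it, and keep a second console open the first time so a mistake in the SSH rule cannot lock you out.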
Password Strength Enforcement
Providers often enforce password policies for systems that are either colocated or owned by the hosting company. Password enforcement means that any username/password pair must be sufficiently complex to pass an automated screening process for weak passwords. Complexity refers to using capitals, numbers, and special characters in a password or passphrase. The purpose of this enforcement is to strengthen across-the-network access to resources, such as your servers, portals, or your applications.
Password strength enforcement includes password length, complexity, and other factors designated by whoever configures the policy. Passwords may also have a limited lifetime or expiration date. Some strict enforcement rules and regulatory requirements dictate that passwords change every 30 to 90 days.
Some password-related questions to ask:
- Do you enforce password complexity for remote access?
- How often must we change passwords?
You don’t have to fear long, complex passwords because services such as LastPass will remember your passwords for you and fill them as needed through a browser extension. Passwords are your first defense against intruders. Select passwords that are at least 10 characters long and complex. Teach users to configure passwords or passphrases that comply with the complexity requirements.
Multi-factor Authentication: The Password Solution
Passwords, no matter how strong, are still a weak form of authentication. Multi-factor authentication is the solution to the password problem. Multi-factor authentication raises the bar for authentication to a level such that it’s almost impossible to breach. A second authentication factor is a device, a bit of knowledge, or a technology that requires that the user do something other than type in a password, such as supply a randomly generated number supplied by a keyfob, recognize a pattern and give a response, or use a fingerprint.
The theory is that the other factor isn’t hackable by brute force, guessing, or other non-physical means. In other words, a second or third factor rules out the possibility of some anonymous person being able to impersonate a legitimate user.
Multi-factor authentication questions to ask:
- Do you support multi-factor authentication?
- Is multi-factor authentication part of the services I pay for, an add-on, or do I need to seek out a third-party solution?
- If the provider supplies the second factor, how secure is it?
- What are my other options for multi-factor authentication?
If multi-factor authentication is available in any form from your provider, you should enable it and use it from the beginning of your contract. Any multi-factor authentication solution is better than none. But, if your provider’s solution is weak, find your own and implement it as soon as practical.
Encryption: In-Flight and At Rest
The solution for protecting your customers’ data from exposure, even if it is stolen, is encryption. You should encrypt data in-flight (in transit) to and from your site and to and from applications. You must encrypt all transfers between your site and any other site, whether the data travels over the local network or over the Internet.
You also need to find a solution for encrypting data at rest. In other words, any data that’s stored on a filesystem, in a database, or in memory must be encrypted so that any compromise and subsequent theft will yield no value to the thief. Only the person who holds the decryption key will find any value in the data that’s encrypted.
Encryption-related questions to ask:
- Is my data encrypted in-flight, at rest, and on backup media?
- Which third-party encryption options do you support?
All backed-up data should be encrypted. Encryption is especially important for data that are physically stored on media: media can be stolen or lost, and their data can be recovered if not encrypted.
Offboarding Employees and Contractors
Employees come and go from businesses, and even the most trusted employees must be properly offboarded before they are separated from the company. Offboarding procedures guarantee that access by a former employee isn’t possible.
Some good employee offboarding steps are:
- Disable the user’s account on all systems. This is easy if you use LDAP or Active Directory (AD).
- Disable the user’s remote access. This means VPN access and any over-the-network access.
- Request that all hardware be returned before leaving. Laptops, phones, tablets, keyfobs, keys, and access cards must be surrendered before leaving the premises at termination.
- If the user is a privileged user, such as an Administrator or support personnel, all privileged account passwords must be changed immediately.
- The user’s access should be revoked during the exit interview so that they have no access after leaving the premises.
Employee and contractor offboarding is often neglected at small businesses, but it is critical. It seems harsh to cut off a trusted employee’s access before they’ve left the building, but it has to be done to ensure security for your customers. Access left available is a problem that you don’t want to have to explain to your customers should a breach occur.
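The first, second and fourth steps above, carried out on a single Linux server, as an added example (not the article’s or any provider’s tooling). It assumes local accounts rather than LDAP or AD, that membership in the sudo or wheel group marks a privileged user, and a DRY_RUN variable that prints the commands instead of running them; on a directory-managed fleet you would disable the account centrally and run only the session and key cleanup here.

```shell
#!/bin/sh
# Offboard a user on one Linux host: lock, expire, kill sessions, revoke keys,
# and flag privileged access whose shared credentials must be rotated.
# Added example, not the article's or any provider's tooling. Assumptions:
# local accounts (no LDAP/AD), "sudo" or "wheel" marks privileged users,
# and DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

offboard_user() {
  user=$1
  [ -n "$user" ] || { echo "usage: offboard_user <username>" >&2; return 2; }
  home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)

  run passwd -l "$user"                 # lock the password hash
  run chage -E 0 "$user"                # expire the account: blocks SSH keys too
  run pkill -KILL -u "$user"            # end live sessions, not just new logins
  run crontab -r -u "$user"             # scheduled jobs are an access path as well
  if [ -n "$home" ] && [ -f "$home/.ssh/authorized_keys" ]; then
    run mv "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys.revoked"
  fi

  # A privileged user may know shared admin secrets; those must be rotated.
  if id -nG "$user" 2>/dev/null | grep -qw -e sudo -e wheel; then
    run gpasswd -d "$user" sudo
    echo "NOTE: $user held privileged access; rotate shared admin passwords now"
  fi
  echo "offboarded: $user on $(uname -n) at $(date -u +%FT%TZ)"
}
```

Run it with DRY_RUN=0 only after reviewing the printed plan, and keep the output as the record that the step was completed during the exit interview.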
Trust Your Partners with Your Data
Securing your customers’ data should be a major priority for your business and an expense that you must factor into your business costs. Your hosting provider can assist you in making good choices for securing your customers’ data and adhering to regulatory compliance requirements. Be especially cautious about customer data protection under the General Data Protection Regulation if you have customers in the European Union. Compliance is mandatory and penalties are severe.
Your colocation or managed hosting provider can direct you beyond the scope of this article for more in-depth security issues. To learn more about ColoCrossing’s data security practices, contact us.