Sometimes it begins with an email.

In 2014, an email was sent to a promising up-and-coming SaaS provider that said:

“We have full control of your account. For a large fee, we will return all privileges and leave. Failure to pay these demands will result in the deletion of all of your information. Any attempt to remove our access will result in total deletion of your data.”

Code Spaces’ Amazon EC2 control panel had been hacked and the attackers had access to everything. The company found the unauthorized accounts and deleted them. However, the hackers had created backup access and began to systematically dismantle Code Spaces’ business.

In less than 12 hours, every backup, snapshot, repository, and volume had been erased from existence, and shortly thereafter, Code Spaces dissolved.

By their very nature, control panels have unfettered access to your entire system. And although some control panels are highly secure, such as Plesk, it doesn’t mean you should take a back seat to your security.

To help prevent the above scenario from happening to you, I put together a quick checklist, and although I provide how to get all of these steps done in Plesk, you can just as easily apply this checklist to your own environment.

That being said, Plesk makes it much easier.

Restrict Admin Access

Studies have shown that when admin access is restricted based on role and usage, the risk of malware is greatly reduced. The first part of the process involves figuring out which users actually need admin rights and which do not.

Your blog writers should probably have zero access to the system. Your devs should probably have access to databases and possibly the ability to install programming environments. By compartmentalizing administration activities and restricting roles, you make sure that if a user is compromised the damage that can be caused is minimized.

How:

• Editing and creating roles 

Result:

Restricting admin access greatly reduces risk when a user account has been compromised. It also reduces the opportunity for malware to be installed on your server. Though it may add some inconvenience, the security gains alone justify the few added hoops your employees will have to endure.

Restrict Remote Access

Remote access is a good thing. Being able to admin your system from around the world comes in handy and sometimes can be necessary for your business’s survival. However, remote access needs to be restricted so that only you and those authorized by you can access the system. The easiest route is to restrict IPs. By adding only yours and your colleague’s IPs you make it so only they can access the admin.

However, if you are trying to connect from somewhere other than where those IPs are (office, home, etc), you will be unable to access your system. In those cases, you should set up a VPN and whitelist the IPs of your VPN. When you need to access admin, you just need to connect your device to your VPN and then connect.

How:

• Restricting IPs 
• Prohibit Remote Access 
• Add VPN 
• Install Fail2Ban 

Result:

By restricting remote access you can help reduce the attack surface, while also helping to prevent brute force logins.

Set Minimum Password Strength

For years, security experts have been saying enough with passwords we need something stronger. And although I agree with this, we still live in an era of typed out passwords.

Therefore it would behoove you to make sure everyone who has a password creates something far stronger than 123456. Seriously, we’ve been over this before (link to password infographic). And honestly, while you are looking at passwords add two factor.

How:

• Minimum password strength
• Add Two Factor Authentication

Result:

The stronger the password the harder to crack. Setting a minimum password strength insures your employees create difficult passwords. By adding two-factor, you give your password a fighting chance.

Turn on Enhanced Security Mode

In Plesk, this is a default setting. Still, you should check to make sure it’s checked. Enhanced security protects information stored in the Plesk database, so any sensitive or personal information you place within Plesk will be protected. This is not to be confused with information you place in an application like WordPress.

How:

• Checking Enhanced Security Mode 

Result:

A super-easy way to ensure Plesk passwords are encrypted and that sensitive data cannot be accessed using the API.

Using Secure FTP

FTP is still the fastest and most convenient way of uploading files.

How:

• Turning on FTPS 

Result:

Again another easy way to increase the security of your server. Do it and enjoy. 

Getting SSL Certifications

SSL ensures a secure connection between your audience and your site. It doesn’t mean your website is on lockdown. It doesn’t mean you have bulletproofed your server. It just means the connection is secured.

That being said, you should use SSL to secure your connection. SSL also has helpful benefits for other areas, as well — especially when it comes to your marketing efforts with search engines

How:

• Plesk makes the process pretty easy

Result:

Having the S designation on your link (https as opposed to http) is almost standard. Also, there is no sense in locking down your site if the transmissions can be intercepted.

Plesk Firewall

The Plesk firewall is enabled on all fresh installs. That being said, you should still give it a once over to make sure it’s blocking the traffic you want blocked and allowing the traffic you want to allow.

How:

• Plesk Firewall for Linux 
• Plesk Firewall for Windows 

Result:

Plesk uses a default firewall with standard settings. It doesn’t hurt to get familiar with the firewall and the settings, and you may see something that needs to be changed. Plesk’s software firewall is good for most applications, but it is rarely the best.

For sites that require lots of security, I would strongly suggest having a hardware firewall and some form of software firewall, such as Plesk’s firewall.

Cloud technology continues to grow as a new and exciting domain in technology. As it becomes integrated into daily life and business on a growing scale, the need to understand its uses becomes increasingly necessary. The cloud can no longer be defined concisely (if it ever even was, for that matter). As it proves to be a fluid form of technology with endless applications, most environments can be categorized within a few different models of cloud technology: public, private, community, or hybrid.

These deployment models are typically geared toward different user bases and emphasize their own strengths and weaknesses. After gaining an understanding of the technology, it is prudent to analyze the advantages and disadvantages of each implementation.

Public Cloud

A public cloud is the most familiar model for most, and requires minimal technical savvy to utilize. This model may be described as “external to the consumers’ organizations,” meaning the user has no relation to its deployment, customization and maintenance of its infrastructure. Many technologies used in daily life are synchronous with this type of cloud: smartphones and laptops will automatically sync data to a cloud to be accessed from any device. The iCloud provided by Apple Inc., Google’s cloud, and Amazon Web Services are recognizable names in public cloud service.

Most of a public cloud’s user base is likely to be individuals with their own private data needs. However, the vastness and simple integration of this model makes it practical for small businesses as well. The large and growing user base of public clouds keeps pressure on providers to maintain a quality, cutting-edge and reliable product; as a result, public clouds offered by enterprise giants tend to be secure, cheap and scalable.

Still, it is necessary to point out that the user has the least amount of control within this model, and is subject to the provider’s terms of agreement. A user of a public cloud must examine how their data is shared and with whom. As the infrastructure itself cannot be altered by the user, this privacy deficit may extend beyond the control of their personal settings. For the average person, this is likely not an issue. For enterprises, this may be critical to examine.

Private Cloud

Broadly speaking, a private cloud represents the opposite of a public cloud, but has its own benefits. Although hosted, managed private clouds are increasingly popular, private clouds are traditionally deployed within business enterprises. The basis of this model is that all infrastructure is setup in-house for a company’s own use and is not advertised or seen by the public. Private clouds offer the most sincere form of control, and are just as private and secure as they are configured to be.

Of course, a company maintaining a private cloud is subject to a greater amount of human error and ignorance, so this model may be a risk in itself if its creator is not completely adept. However, for enterprises with adequate security personnel, this can be the most secure type of cloud. Companies may also wish to outsource the maintenance of a private cloud to a third-party company, effectively gaining the benefits while distributing the actual deployment and maintenance to a more capable group.

It is critical to stress the need for risk assessment and mitigation with private cloud infrastructure. It may be prudent to house the infrastructure in a location separate from a business’s primary quarters, and even better to have multiple locations for failover in the event of disaster. Beyond security and risk, private clouds — especially on-premise private clouds —   are less easy to scale; a company may need to upgrade or expand the physical counterpart of this technology, which can be a resource-consuming process. For large enterprises, this is not necessarily a deterrent.

Small companies may find this impractical, however, especially if they expect to grow. For them, hosted private clouds that share similar functionality to their public cloud counterparts are an increasingly viable and cost-effective option.  

Community Cloud

A community cloud may offer a good solution for small and medium-size businesses. This cloud model offers a greater level of uniqueness in its configuration than a public cloud, while not being as exclusive as a private cloud, thus eliminating some of the drawbacks of a private cloud. A community cloud is geared toward organizations with similar needs, that have common privacy and security needs. This model lends the opportunity to standardize privacy and security.

Many businesses fall short in their information technology sector, and a community cloud can mitigate that. Furthermore, community clouds offer a way to create an industry standard. They are a hallmark of the healthcare industry and universities, where cloud needs are similar, and the need to uphold a standard is crucial. The infrastructure of these clouds may be more complex than its public and private counterparts, which implies its own drawbacks. As a rule, a cloud structure which relies on standardization as its key feature may be less adaptable to changing technology needs.

Hybrid Cloud

Like a community cloud, a hybrid cloud is defined by its standardization. A hybrid cloud represents the marrying of a public and private cloud. An organization will jointly use a public and private cloud for different functions, effectively gaining the ease of use and other benefits of a public cloud while maintaining another private cloud as it is necessary.

This is an excellent solution for businesses that need to differentiate data which is too sensitive to host publicly, but also have data which must remain in-house. A hybrid cloud may also be used to create a fail-safe environment, where data is held both within their own infrastructure and outside of it. A common practice is to host e-commerce within a private cloud, and a public website in a public cloud. The use of a hybrid cloud offers a cost-effective solution for enterprises with complex needs.

***

Cloud technology continues to develop rapidly, and it is increasingly important for those in the technology community to understand the differences between the types of clouds offered. Each has its own development and deployment model, as well as its own targeted user base. As the internet continues to expand and cloud technology becomes more fundamental to businesses and private citizens alike, knowing the resources available is more critical than ever.

With the global cloud computing and hosting market estimated to be worth in excess of 94 billion dollars by 2017, the move to the cloud is no longer a far off notion for most businesses. It’s happening now. Both enterprise-level and small businesses are increasingly integrating cloud technology into their companies.

Whether you are considering using public/private/hybrid cloud tech for your business, security needs to be your top priority. If you are interviewing a number of cloud service providers before signing a contract, potential candidates should be able to skillfully answer a series of cloud security questions. Consider asking the following questions before making a final decision on a cloud provider for your company.

1. How will your company protect my data?

From hacker attacks to system failures, cloud customers need to be 100% secure in their cloud provider’s’ ability to manage their data. If a service provider can’t give you extensive details on data protection, it is time to look elsewhere for a reliable cloud provider.

2. Can I integrate any of my current IT software with your cloud services and if so, how secure will the integration be?

Just because you are adopting cloud technology for your business, that does not mean you have to get rid of all existing technologies your company is currently using. A premium provider will be able to help you understand which components of your existing IT system will work well with their services and which will need to be retired in favor of cloud services.

3. Has your company ever been the victim of a distributed denial of service attack (DDoS), and if so, how did your company respond?

A denial of service attack can be devastating for your business. If you can’t access your data in the cloud, how can you possibly run your company and serve your customers. Before signing on the dotted line with a new cloud provider, make sure they give you the details on previous DDoOS attacks, their mitigation strategies, their response times, and how their customers were impacted.

4. Has your company ever experienced unauthorized access to customer data?

Just like a DDOS attack can be devastating, so can unauthorized access to your business data. Make sure a potential cloud provider is able to give you clear data on previous instances of unauthorized access. Whether the intrusion was the result of a terminated employee gaining access to data or security patches that weren’t in place, you need to know a service provider is completely focused on guarding your data.

5. Do you offer an API and if so, is my company’s data at risk?

A growing number of companies are offering APIs or open-sourcing their software. You need confirmation that your business’ data will in no way be impacted by a publicly available API. While it is admirable that a cloud provider wants to turn their business into a platform (instead of just a service), their choice to offer developers an API should not put your company at risk.

6. Does your service meet all regulatory and legal guidelines?

Companies storing data in the cloud are utilizing cloud technology for data transfers need to be 100% convinced they are meeting existing regulatory and legal guidelines. Especially for sensitive data like health records or financial information, a business that puts their customers’ data at risk can be subject to severe penalties. If a potential cloud provider can’t guarantee compliance, walk away and find a more secure provider who can.

7. How secure are your services if I opt for a hybrid cloud mix for my business?

A growing number of businesses are opting for hybrid cloud computing. Some data is stored in private clouds while other business operations run on a public cloud infrastructure. The cloud sales representative you are dealing with should be able to give you clear information regarding hybrid cloud computing options and how they will affect your company.

8. How do your services interact with IoT devices my company might choose to use?

IoT devices are playing an increasing role in business management. From IoT-enabled thermostats to IoT security cameras, the number of Internet of Things on business premises is only going to increase. If your IoT data is being processed in the cloud, you want assurances that the intersection of IoT and cloud data is impenetrable by hackers.

9. What sort of expertise do you require of your employees and do you require security certifications?

If you are going to put your business’ data in the hands of a cloud provider, you want assurances their employees meet strict standards. Does your potential provider insist on background checks for their employees and do they double-check the credentials they offer on their resume?

10. Do you insist that your employees participate in ongoing training?

Cloud computing is a rapidly evolving sector. New technologies are being developed on an ongoing basis. If you are going to utilize the services of a cloud provider, you want assurances their employees are trained on the latest advances in the industry. Failure to remain current with industry standards and certifications could put your business at risk.

***

Carefully consider the responses you receive to the above-listed cloud security questions. The reaction from the provider will be telling. Were you made to feel like you were asking too many questions? Did your sales representative appreciate your desire to make an informed decision?

A reputable cloud provider will take whatever time is necessary to ensure you are completely comfortable with their company’s service offerings. When you have received assurances and are convinced you have found the best cloud company for your needs, you can feel comfortable putting your business’ data in their hands. Is this the year you move your company’s data to the cloud?

Updated: January 2019