If you’re an entrepreneur who’s running your own instance but not a security specialist, this article is for you!
You may have a business focus, or even be a developer of some kind, but we know that not everyone is a security engineer. However, security is truly important and sometimes, unfortunately, a little bit overlooked. We believe everyone building a business online should establish an easy-to-follow security routine. It isn’t all that hard to start building a routine and get the ball rolling. To make it as easy as possible, we’ve compiled a few tips and resources in this article to get you going. We will give you a starting point, from which you can develop your security routine to fit your needs.
Security is a multi-faceted and very wide topic, wide enough to be the subject of both academic and commercial research. If you use a cloud provider like Exoscale, the physical part of security is already taken care of: the machines are tended by technicians and kept in a secure data center. In this article we’ll look at the part you can influence: the software.
Secure user connections with HTTPS and SSL Certificates
If you’re running a web service, it’s your responsibility to make sure that your visitors’, users’ or customers’ personal data does not fall into the wrong hands.
First things first: since we are talking about web services, let’s have a look at HTTP. You might have heard of Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), both commonly referred to as SSL. It’s a means to encrypt communication between two applications, for instance your browser and a web site, or a local client and your online platform. This is what gets you HTTPS (the ‘s’ is for secure) in your URL rather than plain HTTP. As you may already know, to protect the integrity of your customers’ personal data (such as credit card information) while it is in transit, you need SSL. Plus, it helps with your Google rank, since Google counts HTTPS as an important ranking factor. You can get SSL either by buying a certificate or by getting a free TLS certificate from Let’s Encrypt, a fairly new but already popular service.
There have been serious vulnerabilities in SSL, though. The Heartbleed bug in OpenSSL (you can read more about it here) was a big one that surfaced a couple of years ago. Without going into details, it’s a bug that makes it possible to steal information that should be protected. A fix came out quickly after the public disclosure of the bug, and updated versions of OpenSSL can’t be exploited. Checking for vulnerabilities and making sure your SSL library is up to date should be at the very top of your security routine. It’s easy to check with a resource like SSL Labs: just enter your domain name, press enter, and the tool gives you a report on your SSL certificate, tells you which protocol versions you support and how secure your configuration is. There is also a lot of documentation on SSL there. We recommend that you return to the site on a regular basis.
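A routine check like the one SSL Labs performs can also be scripted for the endpoints you operate. The following is an added example, not code from the original article or from Exoscale: it connects to a host (the name is a placeholder), records the negotiated TLS version and certificate expiry, and turns them into findings a routine can act on. It uses only the Python standard library; `assess` is separated from the network call so that the policy can be exercised on constructed values.

```python
"""Added example: minimal TLS health check for a security routine."""
import socket
import ssl
import sys
import time

# Protocol versions a modern web service should still negotiate (assumption:
# your policy may differ; SSLv3, TLS 1.0 and TLS 1.1 are deprecated).
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate, given its notAfter field in the
    format ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT'.
    `now` is a Unix timestamp; it defaults to the current time."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = int(time.time()) if now is None else now
    return (expiry - now) // 86400


def assess(version, not_after, now=None, min_days=14):
    """Turn a negotiated version and expiry into a list of findings.
    An empty list means the endpoint passed this check."""
    findings = []
    if version not in ACCEPTABLE_VERSIONS:
        findings.append(f"negotiated {version}; only TLS 1.2/1.3 are acceptable")
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        findings.append(f"certificate expired {-remaining} days ago")
    elif remaining < min_days:
        findings.append(f"certificate expires in {remaining} days; renew now")
    return findings


def check_endpoint(host, port=443, timeout=5.0):
    """Connect with the system trust store and assess what was negotiated.
    Validation stays on: an untrusted chain or hostname mismatch raises, and
    recent Python versions refuse anything below TLS 1.2 by default, so a
    failed handshake is itself a finding worth recording."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            version, not_after = tls.version(), tls.getpeercert()["notAfter"]
            return version, not_after, assess(version, not_after)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    version, not_after, findings = check_endpoint(host)
    print(f"{host}: {version}, certificate valid until {not_after}")
    for finding in findings:
        print("  !", finding)
    sys.exit(1 if findings else 0)
```

Run it from cron against each of your public hostnames and treat a non-zero exit as an item for the routine.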
Your domain is an important part of your online presence. It relies on a somewhat complex system called the Domain Name System (DNS). If you want to find out more about it, this Wikipedia article is a good place to start. The part you most often come into direct contact with is the name server. In your security routine it is wise to include the task of checking your name servers’ status from time to time. There are different services to choose from for this. DNSCheck is a free one, and you can find it here.
Software security: keep your SaaS application patched and updated
Now that we’ve covered some tips on basic user connection security, it’s time for the software. Bugs or vulnerabilities can occur in both your service and the software running underneath it.
As we’ve seen in the previous part, attacks can target the user connections. But they can also exploit vulnerabilities in the software running your application.
That’s why it is wise to follow the security newsletters and websites of the developers of the operating system and the services you are using. This will help you stay updated on newly discovered problems. It will also make sure you don’t miss any official bug fixes.
There are also several relevant security mailing lists you could subscribe to. From these mailing lists you will obtain information about CVEs (Common Vulnerabilities and Exposures) and patches for them. This is a great resource page for such information. Staying updated on CVEs is truly beneficial, as we experienced in 2015 with the CVE designated VENOM. Being informed early allowed us to promptly ensure protection from this vulnerability, which benefited both Exoscale and our clients.
For the bigger things, keep an eye on Hacker News as well.
To be clear, the whole system should be kept up to date. This is fairly easy to achieve, since most operating systems can maintain themselves through automatic updates.
By the way, when it comes to accessing your server securely for maintenance, the use of a bastion host is best practice. We’ve described how to create one in the article here.
And to prevent unauthorized access to your server in general, make sure it is protected by a firewall. If you use Exoscale, have a look at the Security Groups feature. It enables you to control both inbound and outbound traffic by applying the rules most suited to your purpose. You can find more information and links to guides about our security groups feature here.
To sum up, let’s return to where we started, establishing a routine. When you’re building it, begin with these points:
- Check your SSL with this service
- Make sure your name servers are healthy, here’s a tool for that
- Subscribe to newsletters from your application developers
- Subscribe to security newsletters and stay up to date on CVEs
- Visit Hacker News from time to time
- Create a bastion host
- If you use Exoscale, use the Security Groups feature
As we explained at the beginning of the article, this blog post covers only a very small part of all that is security. You could devote a lifetime of study to the topic without coming close to learning everything. However, establishing good routines is a great way to keep your resources secure without having to devote too much time.