Client Site Security
SWORN TO SECURITY
As a digital agency, we take security very seriously for both ourselves and our clients. Last week we talked about National Cybersecurity Awareness Month, the importance of cybersecurity in 2020 and the precautionary measures we have in place to protect our data. But keeping our team safe is only half of our responsibility. Client site security is a large part of what we do. When we start working with a new client, we want them to know we will do everything we can to protect their digital presence.
OUR DIGITAL DUTY
Client site security isn’t a set-and-forget type of process. It starts with the initial framework and continues as long as the site is in use. Our development team follows strict guidelines to ensure security features are in place and up to date throughout development and after a site is completed. When I asked our developers about client site security, they broke it out into three separate sections: development, hosting and authentication. Each aspect plays an important role in keeping a site secure.
Experienced developers are the most important line of defense for our client sites, and luckily we have three of the best. Security threats are constantly evolving, so the precautions have to evolve too. Our developers constantly research the latest developer security news and carefully vet third-party tools on the rare occasion one is needed. As a precautionary measure, they also use tools in the development environment that alert them to potential risks as they are writing code. This allows them to examine the concerning code and rewrite it to reduce risk before an issue can happen.
A website host is the server a website lives on. The host server stores the files that make up a website and allows it to be viewed online. As stated in Domain Name and Hosting: Know the Difference, some hosting companies house thousands of websites on their server, which is fine for smaller sites that don’t require complex functions or back-end programming. Premium hosting companies, however, only allow a certain number of websites on their server, making them a better option for larger, complex sites.
We require all clients to host their website on our servers, making it easier for us to control the security standards and edit the sites when necessary. Our servers log events and monitor the hosting environment for any sign of suspicious behavior. We also back up the data on our servers regularly so we can restore snapshots in the event of an issue.
All of our client sites are protected by SSL (Secure Sockets Layer), an encryption-based security protocol that provides privacy, authentication and integrity to Internet communications (1). Access to sites hosted on our server is heavily restricted to select company personnel and protected by firewalls to limit server access from specific IP addresses. The database is restricted to the local machine and uses long, complex passwords. Remember the alarming statistic from LastPass mentioned in last week’s blog? 44% of respondents used the same or similar passwords for multiple platforms and 53% of respondents hadn’t changed a password(s) in the last 12 months, even after hearing about a breach in the news (3). The strength and complexity of a password can make or break its effectiveness, so the passwords we use always go above and beyond security recommendations.
Website authentication is the security process that allows users to verify their identities in order to gain access to their personal accounts on a website (2). Our developers use OAuth authentication whenever possible. This authentication protocol allows you to approve one application interacting with another on your behalf without giving away your password (3). Instead, it uses authorization tokens to prove an identity. For example, websites that require a password oftentimes have a “Login with Google” or “Login with Facebook” option. If you use that type of option, rather than creating a new password for the website, your Google or Facebook password remains safe in the event of a security breach on that website. It puts the security burden on the other website and is one less password that can be compromised. And for an added level of security, our developers enable multi-factor authentication.
SECURE STATE OF MIND
There are so many aspects to consider when starting a website project. It’s easy for a client to get caught up in the design, content and functionality since security isn’t necessarily something seen on the site. But they can rest assured that it is there: security standards, protocols and patches thoroughly researched and vetted by our developers to keep each website we create safe and secure.