
How can one know whether it is more secure to host the store on
our own servers or on those from external vendors?

Answer:
Do a risk assessment.

1.) Summarized Answer
2.) Detailed Answer
3.) Answer that might help you, if you're in the same situation as me


Details:

The CEOs at my company plan to launch an online store to let our customers buy and download our software-products 24/7. They want also to leave the hosting to another company that is more experienced in webhosting than we are.

Edit: Some Information about us:

  • We are not a webhosting company
  • The only website we have set up was our own (it is also running on our own servers)
  • We have IT support staff (administrators), but none of them is currently versed in security.
  • We have some developers that are experienced in web-development

The Problem

However, I am skeptical because this means that the external hosting company:

  • Can accumulate large parts of our customer database.
  • Has to care for penetration tests (and regular checks, whether a data-breach occurred, or not)
  • Has to inform us about breaches (There is a risk that they won't do it, to avoid getting sued)
  • We have to trust them (which is sometimes impossible¹)

On the other hand, it's not a good idea to host the store on our servers because:

  • Most of the software devs don't care about security (I am the only one)
  • CEOs don't want to spend money on penetration tests and audits.
  • We have to inform our customers about breaches (possible suits).

NOTE 1:
This question is not about convincing the CEOs to invest more in security.

NOTE 2:
The other company does not necessarily have to be an ISP (directly).
It could also be a webshop developer who takes care of the hosting (and the ISP).


The Question is:
How can we know whether it is more secure to host the store on
our own (insecure) servers or on those from external vendors?


¹ For Example:
No one outside of the USA can trust US-American hosting companies. (Not really their fault)
The Patriot Act forces them to hand over all data to the NSA. (https://en.wikipedia.org/wiki/Patriot_Act)

Combine this with economic espionage
(https://www.theregister.co.uk/2015/06/29/wikileaks_docs_show_nsa_vs_france/)
and your business is ruined.

So this is really a serious problem.

Lizzy21
    It does not appear that you are in a position to make this decision. I'm not sure what answers would help you. – schroeder Aug 29 '17 at 16:24
  • You make a lot of speculative and value judgements about others in your question (everyone, really), but if you put all those aside, the only answer to your question is that you have to perform a ***risk assessment*** and decide which option mitigates the most risk to your company. – schroeder Aug 29 '17 at 16:26
  • @schroeder: Thank you. I took now a closer look at the topic "risk assessment", and it seems indeed like a possible solution. Could you turn this into an answer please? – Lizzy21 Aug 29 '17 at 18:07

5 Answers


This is hardly a security question but I can give you some pointers.

  • ... can (and will) accumulate large parts of our customer database.

    This is normally handled by contract law (or, to be more specific, by a Service Level Agreement (SLA)). This document normally holds what level of care the hoster has, what level of support the customer can expect, and how the different parts of physical and digital security are handled.

  • Has to do penetration tests (and regular checks, whether a data breach occurred)

    Probably not. Security audits should be done by someone outside of the chain (so an objective outsider, or specifically a third party that has signed NDAs (Non-Disclosure Agreements) and does whitebox and/or blackbox testing depending on need and impact).

  • Has to inform us about happened breaches (There is a high probability that they won't do it, to avoid getting sued)

    If there is no provision in the contract for how to handle (security) threats and the SLA also does not mention it, then yes, there is only locally applicable law that might require the company to inform you (for example, European law has some of this). This is why typically this is written down in both the contract and the SLA.

  • We have to trust them (which is just impossible IMHO)

    Trust is the foundation of business and has little to do with the issue, if you can not trust the company you hire to do work for you there is a bigger problem than just your data being leaked!

  • On the other hand it's not a good idea to host the store on our servers because: Most of the software devs don't care about security (I am the only one). CEOs don't want to spend "unnecessary" money on penetration tests and audits. We have to inform our customers about breaches (possible suits).

    This is not your problem; basically your boss or CEO is responsible for this, and you are only responsible for notifying him/her (or some level between the CEO and yourself) about the risks involved. Sometimes there are laws that require you to also inform some outside party / law enforcement, but generally that's only for 'criminal neglect'; contact a lawyer in the field before you do that! Of course the CEO does not want to waste money on "unnecessary" penetration tests or audits. You should only do those that are necessary, and convince by showing and telling why they are necessary. There are real-world examples of risks and requirements to convince any CEO of the necessity of audits and pentests.

  • The Question is: Where to host the webshop, if each choice has so serious disadvantages?

    Answer: At the bottom of the Mariana Trench inside a 1 km³ cement block without power or Internet access. Or, to be more precise, there is no safe place to host anything. The best place is a location with the least amount of risk and the best value for money. We on Stack Exchange cannot tell you where that is, nor will we try.

LvB
  • Hi @LvB, sorry, I was a bit unclear about my goal. I edited the question, because I don't want to host the shop at the bottom of the Mariana Trench :). I also added one reason for mistrust against companies and IMHO (unfortunately) useless NDAs. – Lizzy21 Aug 29 '17 at 18:51

In addition to LvB's answer....

Has to do penetration tests (and regular checks, whether a data breach occurred)

The hosting provider may do penetration testing (or may sub-contract this); however, this will be directed at their infrastructure. Unless you are paying for a fully managed service, they won't be doing anything to test the security or any other part of your system. Certainly some hosting companies may offer this as an add-on, but they are the last people you should be asking (since your application's security is heavily dependent on the infrastructure security).

Most of the software-devs don't care about security

This is a problem, but most of the issues it creates are not changed by where you host the service. The only thing that does change is that the issue of accountability when your system is compromised becomes a lot more complicated when you are not hosting the service yourself.

OTOH you make no mention of the skills of your IT support staff - which makes me think this is another task the developers are expected to take on. If so, then that's another big problem - a hosting company should have dedicated and competent system administrators and network engineers.

symcbean
  • _"OTOH you make no mention of the skills of your IT support staff"_ , we have administrators, testers, supporters, a nice management and are always working with the latest development tools. Only ITSec is a difficult topic, because we have not much experience with it. – Lizzy21 Aug 29 '17 at 19:05

When you are faced with options that all introduce new risks, you need to perform a risk assessment to determine what risks you are willing to bear, which risks can be mitigated, and which risks cost less than the benefits of the option.

A risk assessment looks at the likelihood of a threat becoming real and the impact of that threat becoming real. You typically make an educated guess about the likelihood score, and then try to find a monetary value for the impact of a threat.

The resulting score is very useful in weighing options, like the ones you outlined.

schroeder
  • Thank you for your answer. _(I am Sorry but I've just noticed, that I can't upvote your answer yet)_ Depending on which event occurs first, I will either accept it as solution as soon as the problem is resolved, or if one week has passed. (Maybe other users have something to contribute too) – Lizzy21 Aug 30 '17 at 20:03

This is an appendix to schroeder's answer, which you find above.

How to get started with Risk Assessments:

Overview:

1.) Read the linked documents (NO REALLY, DO IT!)
2.) Decide what needs to be assessed (scope)
3.) Collect data about status quo
4.) Security policy
5.) Threat Analysis
6.) Vulnerability Analysis
7.) Correlation and assessment of Risk Acceptability


1.) Documents

READ THIS!
https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204


2.) Scope - Decide what needs to be assessed

Identify what systems and applications are included in the assessment.
Ask yourself:

  • What needs to be protected?
  • What is the sensitivity of what is being protected?
  • From which perspective should the analysis take place, internal or external?
    (e.g. internal = bad employee, external = malicious hacker) # reference to evil maid and blackhat
  • Also important: Intended recipient
    Who will receive the final risk assessment report? (maybe not so tech-savvy people?)

    Make sure to include $$$ (costs) as well, because profit and loss
    is the only thing management understands and cares about.
    (MARK EVERY POTENTIAL LOSS BOLD AND RED!)


3.) Collecting Data about the current status

This is now about technical details.
Depending on what you want to assess, you need to determine:

  • Operating system types
  • Running services
  • Network applications
  • Physical location of the systems
  • Access control permissions
  • Open and filtered ports
  • Wireless networks and their security (not only WLAN but also Bluetooth [KEYBOARDS!], 3G, ...)
  • Phone system security
  • Ability to detect intrusions
  • Firewall and anti-virus effectiveness

4.) Security policy compliance

This is a difficult topic.
I recommend you to get an expert to help you with this.

Here are some policies that are considered as baseline, according to sans.org:

  • ISO 17799
  • BSI 7799 [I think they meant BS 7799]
  • Common Criteria - ISO 15504

Note:
While it isn't wrong to inform yourself about these norms in particular,
remember that every second you spend studying, costs your employer money.
Sometimes it's really just cheaper to hire an expert to do the job.


5.) Threat Analysis

According to sans.org, threats include everything that would contribute to:

  • tampering
  • destruction or
  • interruption

of any service or item of value.

These threats can be split into human and non-human elements, e.g.:

Human:

  • Hackers
  • Theft (electronically and physically)
  • Non-technical staff (financial/accounting[/cleaning lady])
  • Accidental [Dropped wrong table in sql statement?]
  • Backup operators [imagine a hard disk error if the last backup was 10 years ago...]

Non-Human

  • Power outages
  • Water (Plumbing or Rain)
  • Fire
  • Earthquakes

6.) Vulnerability Analysis

Now the time has come, to take the gathered Information
and to test every potential attack surface that has been found.

You need to check whether the established policies and safeguards are
sufficient in terms of confidentiality, integrity and availability.

This should be done in a particular order, to save you some money:

  1. Bring your software Up-To-Date (including operating systems)
  2. Let a vulnerability scanner go over your target systems
  3. Fix all flaws that are critical to fulfill your security policy
  4. Let a penetration testing company do a vulnerability scan and a penetration test again.

You should choose this order because:

  • You don't have to pay them for enumerating low hanging fruits
  • Even if you did a vulnerability scan, they will have better tools
  • The penetration test will reveal security holes that are missed by scanners (e.g. scanners often work too fast and get locked out before they can scan for all vulnerabilities; a skilled pentester will sneak into the network and avoid getting locked out, so he can test for specific vulnerabilities)
  • Depending on scope, they can find out whether someone has already broken into your systems
  • Pentesters are also more skilled in recognizing false positives and false negatives

Some scanners are:

  • OpenVAS (free)
  • Nessus (commercial)

7.) Correlation and assessment of Risk Acceptability

  • Were the existing policies, procedures and security measures sufficient?
  • Have the previously known and discovered risks been mitigated?
  • What level of risk is acceptable to the organization?
  • Are some procedures ineffective and can they be removed to save money?
  • How maintainable is the current level of protection?
  • Do you have over-protection, which makes workflows more difficult and cost-inefficient?
  • Did you discover new attack surfaces?

Answer those questions and prioritize all the problems that need to be addressed.
Then eliminate every problem one by one.

Until none or only acceptable security risks are left.

Lizzy21
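schroeder's answer above (an educated likelihood score times a monetary impact, summed per option) and step 7 of this appendix (deciding which residual risks are acceptable) can be carried through as a small worked risk register. The following is an added example; it is not code from the thread or from either answerer. Every threat name, likelihood, impact and control cost in it is a constructed sample value chosen only to make the arithmetic visible, and the option names, the `Risk`/`HostingOption` classes and the `build_register`/`rank_options` functions are assumptions of this example rather than anything the thread defines.

```python
"""Risk register for comparing hosting options (added example, not from the thread).

Each threat gets an estimated likelihood (an educated guess, as schroeder's
answer says), a monetary impact, and a score = likelihood * impact. A control
(pentest, monitoring, SLA clause, domestic provider) lowers the likelihood and
adds an annual cost; step 7 of the appendix answer becomes a threshold that
every residual score is checked against. All threat names and numbers are
constructed sample values, not figures from the question or any assessment.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Risk:
    threat: str
    likelihood: float               # estimated annual probability (0..1)
    impact: float                   # estimated loss in EUR if it happens
    likelihood_factor: float = 1.0  # multiplier after a control (1.0 = no control)
    control_cost: float = 0.0       # annual cost of that control in EUR

    def raw_score(self) -> float:
        """Score before any control: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Score after the control has reduced the likelihood."""
        return self.likelihood * self.likelihood_factor * self.impact


@dataclass
class HostingOption:
    name: str
    risks: List[Risk]

    def total_raw(self) -> float:
        return sum(r.raw_score() for r in self.risks)

    def total_residual(self) -> float:
        """Expected loss after controls, plus what the controls cost per year."""
        return sum(r.residual_score() + r.control_cost for r in self.risks)

    def unacceptable(self, threshold: float) -> List[str]:
        """Threats whose residual expected loss still exceeds the acceptable level (step 7)."""
        return [r.threat for r in self.risks if r.residual_score() > threshold]

    def apply_control(self, threat: str, likelihood_factor: float, annual_cost: float) -> None:
        for r in self.risks:
            if r.threat == threat:
                r.likelihood_factor = likelihood_factor
                r.control_cost = annual_cost
                return
        raise KeyError(f"no such threat in register: {threat}")


def build_register() -> Dict[str, HostingOption]:
    """Constructed register mirroring the two options from the question (sample values)."""
    self_hosted = HostingOption("self-hosted", [
        Risk("web application compromise", 0.30, 200_000),   # untested in-house shop code
        Risk("undetected breach", 0.20, 150_000),            # nobody watching the logs
        Risk("outage from unskilled administration", 0.40, 20_000),
    ])
    external = HostingOption("externally hosted", [
        Risk("provider exposes customer database", 0.06, 200_000),
        Risk("provider fails to report a breach", 0.10, 150_000),
        Risk("foreign legal access to data", 0.05, 500_000),
    ])
    # Controls named in the thread: pentests and monitoring for the in-house option,
    # an SLA breach-notification clause and a domestic provider for the other.
    self_hosted.apply_control("web application compromise", 0.30, 30_000)
    self_hosted.apply_control("undetected breach", 0.25, 10_000)
    external.apply_control("provider fails to report a breach", 0.50, 5_000)
    external.apply_control("foreign legal access to data", 0.20, 0)
    return {o.name: o for o in (self_hosted, external)}


def rank_options(options: Iterable[HostingOption], threshold: float) -> List[Tuple[str, float, List[str]]]:
    """Lowest residual exposure first; each entry also lists threats still above the threshold."""
    ranked = [(o.name, o.total_residual(), o.unacceptable(threshold)) for o in options]
    return sorted(ranked, key=lambda entry: entry[1])


if __name__ == "__main__":
    register = build_register()
    for name, residual, open_items in rank_options(register.values(), threshold=10_000):
        raw = register[name].total_raw()
        print(f"{name:18s} raw {raw:>9,.0f}  residual+controls {residual:>9,.0f}  "
              f"still unacceptable: {open_items or 'none'}")
```

With the sample numbers the externally hosted option ends up with the lower residual exposure, but both options keep one threat above the 10,000 EUR threshold, which is exactly the kind of list step 7 asks you to prioritize and work through; swapping in your own estimates changes the ranking, not the method.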

If someone's in the same situation as me (the asker):

Here is a highly summarized version of the risk assessment we did and its results.
(We are not finished yet, but this is the way to go)


The risk assessment was mainly about:

  • external threats
  • from human nature

It does not include internal or non-human threats.


Things that might be of interest for Hackers:

From bad to worse:

  • Our e-mail addresses (phishing threats can be mitigated)
  • Free Software-Licenses (to pirate or redistribute our software)
  • Integrate our servers into a botnet
  • Customer Data (steal our customers or spam them)
  • Credit Card Data (If our customers are robbed because of us, that would be our downfall)
    BTW: Optimal solution for credit card data: Don't store it.

In the end we decided to:

  • write our own webshop application
  • host it on our own servers (own = within our company, NOT IN THE "CLOUD")
  • to let security companies pentest our webshop and the server it is running on (Scope)
  • including whitebox and blackbox tests and
  • monitoring

We also do occasionally tests on our own:

  • Vulnerability Scanning (<== NOT THE SAME AS A PENTEST!)
  • Checking versions and keeping our systems up to date

We did this

  • to maintain control over all data
  • to be informed about ongoing attacks and breaches

We chose MULTIPLE pentesting companies which are BASED IN OUR HOME COUNTRY:

  • MULTIPLE: To ensure that most security holes will be found
  • MULTIPLE: To see if a company is suspiciously underperforming
  • BASED IN OUR HOME COUNTRY: To avoid conflicts of national interests

Other important stuff:

Pentests are really expensive (I mean like REALLY!), BUT they are worth their money.
Make sure to compare many offers and LET THEM SHOW YOU WHAT THEY'VE GOT!
Some of them demonstrated the used software and their costs to justify their prices.

One company even gave a crash course in IT-Security for FREE
(for 15 people including one management guy).

They showed us how to hack (they taught us literally how to break into systems).
That was pretty impressive. (So if you get the chance to do hands-on security training... DO IT!)

Lizzy21