That last item on your checklist, security, is usually one that is given the least importance and yet when it is not addressed it can trump all others. And when it is addressed, for many it usually means the purchase and implementation of an SSL certificate. A favorite and useful security mechanism, SSL certificates offer security to protect the user and business information, yet it still leaves us with the ultimate question:
Do SSL certificates completely PROTECT websites?
At its core, SSL Certificates are aimed to secure the communication between the client (browser) and server. Any information shared in between will be encrypted with the SSL Certificate so that no one nor robot can breach, temper or modify it – resulting that cute green padlock on the browser symbolizing encrypted protection.
So that green padlock in the search bar means your website is SECURE, right?
Unfortunately, if not properly maintained websites can have many vulnerabilities through the very platforms that make them easy for you to create (WordPress etc). Any security risks within your web application such as Cross-Site-Scripting, Cross-Site-Request-Forgery, SQL-Injection, insecure Session-IDs, DDoS attacks, etc will mostly still work, even if the connection is encrypted with the SSL certificate. SSL Certificates alone can’t protect you from bad code, malware injections, spam and other common malicious attacks that are present on the web application and/or servers themselves.
No Worries I’m HTTPS secure – isn’t that enough?
HTTPS (and SSL/TLS) provide what is called “encryption in transit”. This means that the data and communication between a browser and website server (using a secure protocol) are in an encrypted format, so if these packets of data are intercepted, they cannot be read or tampered with.
However, when the browser receives the data it decrypts it, and when the server receives your data, it is also decrypted. This decryption is then stored so browser or server can remember the data in the future or even used by other integrations, such as CRMs. SSL and TLS don’t provide us with encryption at rest – such as when the data is stored on the website’s server. This means that if a hacker can gain access to the server, they can then read all the decrypted data you have submitted.
Most hacks and data breaches come as a result of hackers gaining access to these unencrypted databases, so while HTTPS technologies mean the data gets to the databases securely, it isn’t then being stored securely.
Saying that HTTPS is secure isn’t false, but it is also not entirely true. It is one piece in a cybersecurity jigsaw puzzle that on the face of it is one of the easiest security features to identify – especially from a web-crawler point of view.
Layered Security Approach is the Answer
Great, so you have SSL and HTTPS and question whether you should get rid of it? What is complete website protection if not with SSL?
Well don’t get rid of SSL altogether – compliment it. SSL certificates are an important part of your website security but do not provide complete protection. Protecting your website is like any other comprehensive security protocol. The more layers you have the better. Consider how you protect your physical home – just having locks on the doors and windows does not completely protect you. You choose to install cameras to have visibility into any possible threats, alarms/sirens providing notifications of said threats, and many even rely on their trusty dogs to remain vigilant and thwart any intruders. Protecting your website is no different.
Fortunately for us all, it is now as easy to protect your website as it was to design, develop and launch it. cWatch Web security is a fully managed protection service that encompasses all layers of website protection – yes, even an included SSL certificate so you don’t have to worry about anything security related. For .25 cents a day you can have the security technology used by larger enterprise websites and cyber security experts live on call 24/7 protecting your website.
Here are some of the features offered with the cWatch Web service that completes the protection package:
Malware Monitoring and Remediation service that provides comprehensive scanning tools in order to uncover AND repair any hidden malware lingering on your site.
Content Delivery Network (CDN) that will not on provide protection against traffic spikes but also improve your site upload speeds by providing global servers to shorten the distance between your site content and visitors.
Web Application Firewall (WAF) operating right in the cloud within the CDN that acts like your “watch dog” – detecting, filtering and fending off any malicious attempts.
Security Information and Event Management (SIEM) which is the brain of its layered approach – this provides continuous real time monitoring, forensics and incident management of all activity to determine the good from the bad.
Why not check out cWatch Web on us with a 30-day trial. Add all the needed protection and have peace of mind that something and someone is your watch dog against all online bad actors.