Beginning this coming summer, a new certificate authority will allow any domain to obtain basic security certificates for free. Let’s Encrypt is sponsored by Mozilla Corporation, Cisco Systems, Akamai Technologies, Electronic Frontier Foundation, and IdenTrust Inc.
Let’s Encrypt is built on the idea of cooperation and openness. It is a simple one-click process developed with the help of researchers from the University of Michigan and through the Internet Security Research Group (ISRG) to deliver an open Internet security infrastructure in 2015.
A great deal of personal and business information flows through the internet. In the past, we have secured it with SSL certificates; now there is the successor, TLS, which every browser and device supports. The challenge, however, is the public-key certificate needed to verify that the server you talk to is actually the one you intend to talk to. For many operators, basic server certificates are a big hassle to obtain: the application process is confusing, it costs money, and the certificate is tricky to install and frustrating to update.
Let’s Encrypt wants to solve these problems by making their service:
Free – any domain is eligible for a certificate at no cost
Automatic – the enrollment process is easy and renewal occurs automatically
Secure – it will serve as a platform for security techniques and best practices
Transparent – records of certificate issuance and revocation are always available for those who wish to inspect them
Open – the software will be open-source as much as possible and there will be a standard of automated issuance and renewal
Cooperative – Let’s Encrypt is a joint effort to benefit the community and will not be controlled by a single organization
Many organizations have been preparing for January 1st, 2015, when version 3.0 of Payment Card Industry’s data security standard (PCI DSS) will come into effect.
PCI guidelines are very important for small and medium businesses and organizations that process credit and debit cards (whether directly or indirectly).
However, meeting the data security standard doesn't necessarily mean an organization meets and maintains compliance. Businesses should stay on top by preventing intrusions with the following PCI best practices:
1. Maintain compliance for security: Businesses want to look good, which means that they often forget the purpose of meeting PCI DSS compliance is to maintain security of card-holder information and not just to achieve a favourable Report on Compliance (ROC).
2. Have a compliance manager: A designated person or team should have the resources and authority to manage security within a business. This might mean engaging with certain personnel and continuous collection of evidence that shows compliance and effectiveness of PCI DSS.
3. Make security a part of the company's culture: Fulfilling PCI DSS compliance is often not enough to secure all risks. Make a habit of protecting an organization's data and infrastructure and implement risk assessment processes, especially during big changes to the IT environment.
4. Monitor security controls and measure success: Keep consistent and continuous documentation of the status of security controls, including their implementation and effectiveness. Automated control monitoring tools may be helpful; aim to develop metrics used to analyze the success and effectiveness of your security. Measure implementation (how many systems have password security), effectiveness (how many vulnerabilities have been patched) and impact (how much return there is for your security efforts).
5. Be prepared: Organizations need to be able to respond immediately following security control failures. Have steps set up to restore operations to normal as soon as possible, and then identify the cause of the failure. Then follow up with better security and more frequent monitoring. When business objectives change or a key IT security person leaves your organization, have change-management practices prepared and analyze the associated risk.
6. Commit to security: Maintaining compliance is critical for organizations, but it also means businesses and their executives need to co-ordinate efforts in sustaining that compliance. Allocate enough resources to be successful in building an ongoing PCI DSS program.
Have you been working on your SEO and hoping to get your website to the top of the search engine?
Google is pushing for HTTPS
On August 6th, 2014, Google tested out using HTTPS as a Ranking Signal. They reported that their test showed positive results when they used encrypted connections as a signal in their ranking algorithm. HTTPS has since become a permanent search ranking signal on Google.
Google stated that HTTPS is a very lightweight signal, affecting less than 1% of global queries, and there have been no reports of ranking changes. So if two pages were otherwise exactly the same, the page using HTTPS may rank above the unsecured page. The boost is URL-specific, not site-wide.
Watch Google’s video on why HTTPS matters: http://bit.ly/1tmM5z5
High quality content on a webpage will still outweigh the HTTPS signal but it looks like Google is pushing for the switch and hinting that the HTTPS signal will become a bigger part of their ranking algorithm in the future.
Even if you run a non-commercial website, it may be wise to switch to a secure server anyway. For one thing, a secure server ensures that your content cannot be altered in transit, e.g. by having unexpected ads injected. It also makes your website look more authentic, an important factor if the content on your website is intended to provide advice, e.g. financial or medical information.
Google may be pushing for HTTPS because it helps identify site ownership and therefore eliminates spam. It could also make it harder for the NSA to track the content users are consuming if we browse HTTPS sites.
Migration to HTTPS doesn’t have to be complicated. It’s relatively easy to purchase the security certificate from your web hosting company. But sometimes you may run into a 301 error code, which means the redirect from your HTTP domain to your HTTPS domain is broken. This happens when there is potential for duplicated content, along with several other technical issues during the transition.
To avoid potential problems during migration, site owners should avoid redirect chains, similar to this one:
- I click on your website at http://iloveyoyos.com
- You redirect me to http://www.iloveyoyos.com
- Then you redirect me to https://www.iloveyoyos.com
If you’re building a new site, changing domain names or making a change to your URL structure (e.g. platform changes) then you won’t be experiencing the redirect issues.
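As an added example that is not part of the original post, here is an nginx configuration that avoids the chain above by sending both http://iloveyoyos.com and http://www.iloveyoyos.com straight to https://www.iloveyoyos.com in a single hop. The hostnames are the post's own placeholder; nginx, the certificate paths and the document root are assumptions.

```nginx
# Chained version (what the post warns against): two separate 301 hops.
#   http://iloveyoyos.com -> http://www.iloveyoyos.com -> https://www.iloveyoyos.com
# server { listen 80; server_name iloveyoyos.com;     return 301 http://www.iloveyoyos.com$request_uri; }
# server { listen 80; server_name www.iloveyoyos.com; return 301 https://www.iloveyoyos.com$request_uri; }

# Single-hop version: every plain-HTTP request, bare or www, goes straight to
# the canonical HTTPS hostname, preserving the original path and query string.
server {
    listen 80;
    listen [::]:80;
    server_name iloveyoyos.com www.iloveyoyos.com;
    return 301 https://www.iloveyoyos.com$request_uri;
}

# The bare HTTPS hostname also redirects in one hop. This only works if the
# certificate covers iloveyoyos.com as well as www.iloveyoyos.com; a DV
# certificate issued for www. alone (as the post notes) fails the handshake here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name iloveyoyos.com;
    ssl_certificate     /etc/ssl/certs/iloveyoyos.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/iloveyoyos.com.key; # assumed path
    return 301 https://www.iloveyoyos.com$request_uri;
}

# Canonical site: the only server block that serves content.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.iloveyoyos.com;
    ssl_certificate     /etc/ssl/certs/iloveyoyos.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/iloveyoyos.com.key; # assumed path
    root /var/www/iloveyoyos;                                # assumed docroot
}
```

To check the result, run `curl -sIL http://iloveyoyos.com/` and count the 301 responses printed before the final 200: a correct setup shows exactly one.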
It is estimated that we have two years to move to HTTPS before a non-secured website becomes a critical SEO problem. So you can take your time, but we are starting to see warnings generated on websites that tell visitors they are connecting to a non-secured website.
So for a low annual sum, it may really be worth it to make the move now and avoid these privacy warnings that kill site traffic.
The different kinds of security certificates
These are the different types of secured/non-secured URLs you will come across, as shown in Google Chrome.
So which one should we choose for our website?
Google won’t factor in the different kinds of certificates into site rankings at this time, but they do affect user trust and conversion rates, so it is good to understand how to choose from the variety of security certificates available.
- Shared Certificates are commonly offered by web hosts. You use their certificate but the security certificate isn’t connected to your domain name. www.iloveyoyos.com will contain your non-secure content while your shopping cart will go on www.iloveyoyos.cartprovider.com. This is less costly but takes away from your brand name and user confidence.
- Free Certificates are sometimes used for personal websites or forums. Companies may offer these free security certificates for specific reasons, e.g. if you are part of a qualified open-source project. These certificates will not be valid for businesses but may be applicable to non-profit projects.
- Domain Validated (DV) Certificates are the most common SSL certificates. They are often used by small businesses and cover a single subdomain, e.g. www.iloveyoyos.com but not iloveyoyos.com. Visitors to the website will see a security icon by the domain.
- An Organization Validated (OV) Certificate requires both the organization and the domain registry to verify information. The OV certificate will check to make sure the business is legitimate and is therefore more expensive to get than the DV certificate. Users can only tell the difference between the two if they click the padlock icon.
- The Extended Validation (EV) Certificate is the most expensive and hardest-to-obtain SSL certificate. It requires a business to prove domain ownership and provide organization information, as well as demonstrate the organization's legal existence. The EV Certificate takes more time to process and costs more. Users of EV-certified websites will see a green bar in their browser and are likely to be more confident in their shopping experience.
Hopefully by now you have learned more about security on websites and how to improve your business online.
The European Union (EU) and Canada supervise the private sector’s use of personal data, while the US has minimal regulation of its private sector. Canada’s privacy laws focus on “individual autonomy through personal control of information” (Techvibes). The US focuses more on protection from the government, while Europe tends to protect dignity and public image (Identity Bureau Trulioo).
In addition to two federal laws in Canada that protect personal information, there are also provincial laws in Alberta, British Columbia and Quebec that are similar to PIPEDA (Personal Information Protection and Electronic Documents Act). These laws set out ground rules for how private sectors may collect, use, or disclose personal information in a commercial setting. Unlike the US, Canada’s strict privacy laws are recognized by the EU and privacy compliance is overseen by privacy commissioners and ombudsmen at both the federal and provincial levels (Techvibes).
So what does this mean for businesses in Canada?
In today's business market, service organizations are looking for a partner who can help them deploy IT infrastructure services and have the necessary controls and measures that comply with their local and corporate requirements. One of Canadian Web Hosting's core missions is to help businesses meet their SSAE 16 certification requirements (formerly the SAS70), which meets the new international service organizations standards for Type I and Type II reporting.
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues the SSAE 16 Type II (formerly SAS 70) to service organizations that typically offer outsourced services. An auditor's report details a service provider's ability to offer adequate controls and safeguards when it hosts or processes data belonging to its customers.
The CSAE 3416 certification is issued under the Canadian Institute of Chartered Accountants (CICA) Canadian Standard on Assurance Engagements (CSAE) 3416 to service organizations that typically offer outsourced services. As with SSAE 16, an auditor's report details a service provider's ability to offer adequate controls and safeguards when it hosts or processes data belonging to its customers.
Okay... then what does this mean for our customers?
Customers can now outsource web-hosting services including Dedicated Servers, virtual servers (VPS), CA Cloud Servers and/or Shared Hosting to a provider that already meets SSAE 16 requirements. In doing so, you can focus your company's time, money, and manpower on core functions that will drive additional revenue to your business. Here are some examples of the SSAE 16 compliance controls and physical security that Canadian Web Hosting's hosting environment provides:
- Facilities and asset management
- Logical access and access control
- Network and information security
- Computer operations
- Backup and recovery
- Change and incident management
- Organizational and administrative controls
- Security policies, reporting, and monitoring
- Physical and logical security
Canadian Web Hosting is the industry leader in delivering 100% Canadian web hosting solutions for businesses requiring SSAE 16 certification of their web hosting environment. When combined with our enterprise-grade web hosting hardware and a secure hosting environment that features many leading technologies, including our Unified Security Services, Canadian Web Hosting will help you achieve compliance:
- SSL capability
- Enterprise-level, application level protection
- Hardware/Software firewall
- IP-Restricted FTP
- Managed backups with guaranteed retention
- Advanced 24/7 monitoring
- Multi-level intrusion prevention (IPS/IDS)
- Anti-Spam, Anti-Malware, Anti-Virus
- Log Management
With the growth of online business, a company’s digital infrastructure should benefit the business rather than interfere with its growth. A strong framework is therefore essential to a business’ performance.
Learn the qualities of a good digital infrastructure:
1. Have options.
Your employees should have multiple ways of accessing business applications. With a soaring number of portable electronics being used, employees should have the ability to access their work applications on their phones, tablets, laptops, etc. This increases the rate of communication internally and with customers.
2. Have multi-media applications.
Business applications should be able to handle any type of communication, not just text-based. Think of videos, voice, and other data that could be easily passed between employees and with other businesses and clients.
3. Allow for collaboration.
Increase productivity by using applications that allow for collaboration in real time. Employees that can view and edit projects together save time and get better results.
Understand your current digital infrastructure:
1. Know what your current infrastructure can and cannot do.
Do you know what components you have and whether they are necessary?
2. Employees need to know how to use it.
Your employees should have a clear understanding of how to use your digital infrastructure.
3. Think about your physical limitations.
The digital infrastructure needs to be able to handle the environment it is in, such as extreme weather conditions. And when problems arise and employees can’t physically get to work, they need to be able to access your digital infrastructure remotely. Customers also need to be able to get in touch for support.
How to improve your digital infrastructure:
1. Ask your employees and customers.
Find out what they think is missing. Employees and clients are the ones using your infrastructure and providing business.
2. Modify applications and come up with your own if necessary.
Find what’s right for your company and tweak it to make it perfect.
3. Virtualize it.
Use business applications that are accessible outside of your office. Store these systems on a remote server. Virtualizing also helps save you money by lowering support cost.
4. Be up to date.
Consult IT professionals and stay on top of your game. Don’t spend money and time developing applications that will soon be out of date.