Introduction
Internet Live Stats (2019) reported that there are more than 200 million active websites on the Internet today. The fact that the Internet is decentralized and open in nature makes it vulnerable. Therefore, the security of websites and their databases remains a challenge, and it is paramount for website owners to establish a security plan and policy. In this paper we discuss the elements of a website security plan that are critical to the security of any web-based infrastructure.
Types of Websites to Protect
The technology world is innovating at an exponential rate. Every innovation, whether drones or IoT (Internet of Things), brings its own security and privacy concerns (Calderon, 2019). Websites are no exception; they need a robust security plan. Let us go over the types of websites that are prevalent, and then discuss how we can make them secure.
Database Driven Websites
In the last two decades, the world of technology has seen buzzwords such as Web 2.0 and Web 3.0. The core concept of Web 2.0 is users' control over the content of a website (Vohra & Yadav, 2016). To provide that control, a website must be database driven, i.e. the state of the website's content, and possibly the content itself, is stored in and rendered from a database. Web 3.0 takes a step further: in addition to all the rich features of Web 2.0, it leverages artificial intelligence to further enrich and enhance the user experience (K2B Solutions, 2014). Therefore, in addition to protecting the website itself, the owner must also protect the behind-the-scenes database.
Static Websites
A website that renders just HTML and CSS without any database involved is a static website. A static website is lightning fast to load and very scalable. As the world of web engineering makes a paradigm shift toward microservice-based infrastructures, static websites are becoming more popular (Williamson, 2017). The trend toward database-driven websites does not mean that securing static websites is unimportant.
Securing Websites
A website plays a crucial role in establishing the brand impression of a business; it is like an employee that works 24/7 for the business. The security plan for a website depends on several factors. Like any other security plan and policy, the process starts with asset identification, followed by risk assessment, risk mitigation, and responding to and recovering from events (Schaub, 2018). We go over each of these components in detail below.
Asset Identification
Asset identification for a website is a bit tricky. A website infrastructure normally consists of a web server, a data source (such as a database) and the website code. These form the minimum viable components of a web infrastructure. It is always recommended to involve the people who built the infrastructure in the process of asset identification.
Risk Assessment
Parker (2018) defined risk as a function of threat, asset and vulnerability, i.e. Risk = Threat × Asset × Vulnerability. For each asset, the impact of an attack on it, the presence of a threat, and the presence of a vulnerability are assessed. After risks have been identified, they are triaged based on how critical they are. At this point, it is up to the decision makers to accept a risk or prepare for it. The same principle applies to website security.
Risk Mitigation
As said above, preparing for and executing risk mitigation is up to the decision makers and the priorities of the business. However, ignoring a risk and expecting that it will never lead to an event is not a reasonable assumption. Risk mitigation should also be aligned with the strategic objectives of the business. Risk mitigation in a web-based infrastructure may include, but is not limited to, making sure that system and application software are up to date, that proper encryption and secure communication protocols are in place, that none of the components is vulnerable or outdated, that users' privacy is not compromised, and that the website code is secure.
Respond and Recover
The Internet is so uncertain that even after carrying out all risk assessment and mitigation strategies, it is unrealistic to assume that no incident will occur. A good website security plan should take into account that unwanted events will happen, and therefore prepare a strategy to respond to and recover from them. A disaster recovery plan can help in responding and recovering.
Users Privacy
In the past few years several privacy scandals took place, due to which governments and legal authorities started treating privacy as an important factor to ensure, and laws such as the GDPR were introduced (Powles & Selbst, 2017). Therefore, it is imperative for websites to protect users' private data. Some companies have added privacy as one of the components of their security plan. Websites should list user privacy as one of the priorities of their security plan.
Conclusion
The Internet is uncertain, and websites are therefore at a greater risk of compromise. A robust security plan helps website owners mitigate risks and prepare to prevent and cope with unwanted events. Like any other technology security plan, a website security plan identifies assets and manages the risks associated with them. In addition, it entails responding to and recovering from unwanted events, so disaster recovery should be part of a robust website security plan. Last but not least, user privacy should be protected through the website security plan.
References
Calderon, G. (2019). The UAS pilots code. Rotors Drone Pro, 58-61.
Internet Live Stats (2019). Total number of websites. Retrieved from http://www.internetlivestats.com/total-number-of-websites/
K2B Solutions (2014). Comparison between web 2.0 and web 3.0 standards. Retrieved from https://www.k2bindia.com/comparison-between-web-2-0-and-web-3-0-standards/
Parker, A. M. S. (2018). Cyberspace, cyber security and cyber crime. Thousand Oaks, CA: Sage Publications.
Schaub, G. (2018). Understanding cyber security. Lanham, MD: Rowman & Littlefield.
Selbst, A. D. & Powles, J. (2017). Meaningful information and the right to explanation. International Data Privacy Law, 7(4), 233-242.
Vohra, N. & Yadav, K. S. (2016). Student's usage and experiences of web 2.0 technologies. Library Herald, 54(1).
Williamson, E. (2017). Top ten static site generators of 2017. Retrieved from https://www.netlify.com/blog/2017/05/25/top-ten-static-site-generators-of-2017/