Companies' Data May Be Up For Grabs

A growing number of solution providers are finding Web hosting and managed services a valuable add-on to existing service and product offerings, and they're also finding they need to be aware of the potential security risks present in shared hosting environments.

Many solution providers stepping into Web hosting are serving the small- and midsize-business markets. These clients are attracted by shared hosting's cost savings, as the hosting environments average about $15 to $20 per month. In addition, these customers don't necessarily need the number of resources that dedicated hosting environments offer. Some industry watchers estimate the number of Web sites hosted in shared or virtual server environments is at least 1 million and may be several million.

New software can help solution providers address the risks inherent in shared hosting environments.

The problem is that in a shared hosting environment, in which hundreds of Web sites are hosted on a single server, it is fairly easy for a Web site owner to get a peek at other companies' data residing on the same server. This can even include customer data such as credit card information.

Getting a look at other companies' data is very easy to do. From an administration control panel, a Web site owner simply runs CGI scripts, which any customer on the server is allowed to do, then uploads a file that provides the ability to view and steal other Web hosting customers' information, including password-protected content such as commercial content and customer ordering information.

So far, little has been done to address the problem. But with the majority of major hosting providers and ISPs now housing on average up to 200 individual Web sites on a single server, some vendors are starting to get serious about security, said Joshua Bell, an analyst at Tier 1 Research. Web hosting automation software vendor Sphera has for some time embedded security technology in its software to address the problem. Now software vendor Ensim is the first to address the security gap at the control panel level, said Bell.

Ensim, Sunnyvale, Calif., recently introduced WEBppliance Pro, a new version of its control panel software that has embedded technology to address the shared hosting environment security gap. WEBppliance Pro includes a virtual private file system that prevents Web site owners from viewing files outside their own site.

"When a CGI script runs on WEBppliance Pro, the Web site owner is constrained so that the owner can only see the files for their own site," said Steve Dauber, vice president of marketing at Ensim. "It basically creates a virtual private file system that prevents owners from accessing other sites' information."

NeoVerve, a San Diego e-commerce hosting and design company, has migrated a number of its customers from dedicated to shared hosting environments and has implemented WEBppliance Pro to secure client information.

These customers "thought they needed a dedicated server to ensure security for their data, but [they] were spending more than they needed to," said Kurt Davey, president of NeoVerve. "Now we can offer them the same security as in the dedicated environment at a lower shared hosting cost."

NeoVerve is also rolling out the security solution to its resellers, which private-label the e-commerce hosting provider's services, according to Davey.

Productive Computing is one such reseller. The Vista, Calif., solution provider specializes in database and software design and refers its customers to NeoVerve for shared hosting.

"Security is a funny animal. Our customers never really notice if they need it until they need it. With [Ensim and NeoVerve's] solution for shared hosting, we think they'll never notice the need for it because the solution fills the security gap," said Keith Larochelle, CFO of Productive Computing.