Why hosting is not a commodity
While I was given stewardship of our business in June 1995, we did not start hosting clients until the latter part of 1996. Our first customer was a local bank in Allentown, Pennsylvania with the goal of doing online banking vs. having a lot of physical branches.
We learned early on that security matters because if you are going to be hosting online banking, you need proper security in pace every single minute of the day.
Back then there was no question that hosting was a valued added service; hosting was not a commodity.
Over the years, as automation systems became more and more common, the number of hosting companies increased by the thousands.
According to Webhosting.info there are approximately 32,000 web hosting providers in the United States.
With that many web hosting providers, it can be easy to get into the mentality of well, a computer is a computer, and automation is automated… therefore hosting is a commodity… and therefore it all comes down to who has the best price for the amount of storage, traffic, and generic feature sets.
Yet, behind all of those web hosting provider businesses are stewards who set up and maintain the security (or do they?), who set up and maintain the infrastructure (or do they?), and so on.
The solid providers will properly secure their servers, and keep them secure. The solid providers will have a great infrastructure. The solid providers will stand behind their services.
Yet, what I find more common than not as I read various web hosting forums to keep up with the industry is the number of hosting providers run by teenagers (are their contracts legally binding?), those looking to make a quick buck (whether they sell customers or the company for which they steward should they last long enough), and those that hear web hosting can be a good second income (their full time job is not being a steward of a hosting business).
Unfortunately, out of the 32,000 hosting providers in the U.S., it is far more common to find the owners / management of the company fitting into those three categories — very young adults whose main issues are wisdom and the ability to legally stand behind their services; those wanting wall street type money; and, those whose customer come second after their main job.
I was reminded of that this past weekend when I was reading a forum thread titled, “Be aware, Security Metrics.”
Here are some snip its from the first post:
“Today a hosted client received allot of traffic. Someone scanning to the last file of this wordpress install. Guess what. The IP was from Security Metrics “18.104.22.168”
Even his logs shows it.
I would not wonder about it, since they seem to be a PCI certification service and they would probably just scan their website for security. This scan was not normal. It was like a small DOS attack. The load spiked and it scanned hundreds of urls on the same time for my hosted client.
What really wonders me is why the same IP is trying to hack the cPanel. Ok. Maybe its part of their certification not a problem. The problem starts when they do the same on the server hosted for out main website, which by the case is not the same as the client. Since when does a certification also scans the host website and the clients servers?
So this IP is attacking a clients website, and trying to hack several servers. Nice. I wonder what a real scam this company must be that someone can pay them to scan websites which dont belong to them.
The IPs are blocked and unless there is a real explanation for this, why they scanned the clients website and then tried to log into our own personal servers as well we are going to report this company. If someone hired them to hack the clients website, which I think is the case. They are really unprofessional as they should only allow to scan servers you own. Is clear that we suspect who it was, as the client already told us about this. They seem to have paid Securiy Metrics to find holes not only the clients website but on ours as well.
Well aside from the provider not having a clue about PCI Compliance scanning and authorized vendors, several pages of posts followed by various other web hosting providers agreeing with him that blocking the IP address(es) of PCI compliance scanning companies is a good thing.
What is the impact of their stewardship for their customers based on their actions of blocking valid PCI Compliance companies from scanning their servers?
- Their clients cannot pass PCI compliance scans; their client banks will now charge them higher rates for credit card processing.
- The owner / management team of the hosting providers who block valid PCI Compliance scanning vendors never learn of real security holes and threats to their servers; and therefore never take action to make their servers more secure.
- As a result of #2, the number of hacked sites on their servers increase.
- As a result of #3, since hacked sites often reach out to hack other servers, the threat becomes viral.
- And to top it off, if a server cannot handle a scan from one authorized, valid, PCI Compliance scanning provider, can any of the customers on the server be assured that if their site ever takes off, it will go as far as it can without being shut down?
Dynamic Net uses and recommends SecurityMetrics; we allow all valid PCI Compliance scanning vendors appropriate access to our servers. We have scans against our servers from several PCI Compliance scanning vendors on a very regular basis; all of those scans function without causing a single performance or stability issue on our servers.
Hosting only becomes a commodity if and when every single critical piece of the service and product are the same. When you shop for groceries, you can expect to find uniformity in the various products on the shelf; it is easy to compare prices down to the unit to see the exact savings you will get should you buy 12 ounces or 16 ounces, this volume or that volume, the store brand or a brand name with a coupon. Those are commodities.
In hosting, at least in 2012 as it has been for almost two decades the only standards of measurement are the human beings, the people, who stand behind their services and offerings.
What is their full time job? How long has the company been in business? How often has management / ownership of the company changed? Is the company itself, PCI Compliant? When was their last PCI Compliance scan run? Did they pass it? Are they willing to talk about their security policies, procedures, and practices? And really get deep with you, the customer?
Please contact us for more information. We care about our customers. We care about the business we steward; it is our full time business, and we’ve been in business since June 1995 thanks to Jesus.