SafetyDetectives spoke with Arnaud Franquinet, CEO of Gandi, a domain name registrar and provider of web hosting, email and SSL certificates to over 350,000 users worldwide.
We looked at the security measures implemented in their web hosting solutions, the current state of security in the web hosting industry, and what site owners should do to keep their websites and data safe from hackers.
What hosting services are you currently offering?
Our hosting offers are structured around cloud products on the one hand, and web hosting products on the other.
For the cloud, we offer a complete range of Virtual Private Servers (VPS) based on OpenStack, with 4 possible choices depending on your needs: testing or hosting a site (1 CPU/1GB RAM), hosting an online service or e-commerce site (2 CPU/4GB RAM), deploying an enterprise application (4 CPU/8GB RAM) or intensive processing (8 CPU/16GB RAM). The infrastructure is open, allowing you to configure servers with your own tools. Basic storage is 25 GB, but can be extended to 1 TB or more by adding several disks. Servers are located in France or Luxembourg, and have been guaranteed 99.95% uptime for over 20 years.
On the web hosting side, we offer 4 ready-to-use packs based on dedicated resources, depending on the capacity required: 20GB, 50GB, 100GB or 200GB (expandable to 1TB). With this configuration, it’s possible to install WordPress, Nextcloud, Prestashop, etc. quickly and easily, without the hassle of setting up a cloud organization.
What security measures have you implemented to protect your customers’ data?
In terms of security, we need to distinguish between what we can implement and propose to secure access to the admin and data, and what the user must do to avoid an intrusion. In this second area, our action is limited to raising awareness and sharing best practices, or even raising alerts.
On the part we control, we have our own data centers on two sites, with our own secure infrastructure to which physical access is strictly controlled:
- replication between the two sites enables us to cope with any disaster
- the infrastructure is protected by firewalls
- we have developed a highly resilient infrastructure to cope with attacks
- staff are regularly trained and made aware of the various risks of cyber-crime
- daily monitoring coupled with machine learning enables us to identify any patterns likely to correspond to abnormal usage
- security/intrusion audits (pentests) are regularly carried out to test the various measures in real-life situations, identifying areas for improvement and leading to a continuous process of improved security over the past 20 years.
On customer admin access, we have a strict authentication (password) policy, with the option for customers to activate double authentication. We also simplify the sharing of resources with organization- and role-based rights delegation to avoid password sharing. For all products we clearly distinguish technical management of a resource from resource discovery and billing. So our customers can have different accounts, one for management administered by their tech team and one for billing dedicated to the financial team.
We also provide temporary tokens for temporary users, so that resource management can be delegated for a predefined period of time.
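As an added example (not Gandi's own code or API), the organization- and role-based delegation with temporary tokens described above, modeled in Python: a delegation is bound by an HMAC to its organization, role and expiry, and a check passes only if the token is authentic, unexpired, for the right organization, and the role allows the action. Role names, action strings and the token format are assumptions for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import hashlib, hmac, secrets

# Actions are split the way the answer describes: technical management of a
# resource is kept separate from its discovery/billing. Role names and action
# strings are assumptions for this example.
ROLE_ACTIONS = {
    "tech": {"resource:manage", "resource:view"},
    "finance": {"resource:view", "billing:pay"},
}

@dataclass(frozen=True)
class Delegation:
    org: str
    role: str
    expires_at: datetime
    token: str  # opaque secret handed to the temporary user
    tag: str  # server-side MAC binding the token to org, role and expiry

def _tag(key, org, role, expires_at, token):
    msg = f"{org}|{role}|{expires_at.isoformat()}|{token}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue(key, org, role, valid_for, now):
    """Delegate `role` in `org` to a temporary user until now + valid_for."""
    if role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role {role!r}")
    expires_at = now + valid_for
    token = secrets.token_urlsafe(24)
    return Delegation(org, role, expires_at, token, _tag(key, org, role, expires_at, token))

def authorize(key, d, org, action, now):
    """True only if the delegation is authentic, unexpired, for this org and allows action."""
    if not hmac.compare_digest(d.tag, _tag(key, d.org, d.role, d.expires_at, d.token)):
        return False  # tampered or forged delegation
    if d.org != org or now >= d.expires_at:
        return False  # wrong organization, or the predefined period is over
    return action in ROLE_ACTIONS[d.role]

def demo():
    """Returns (finance pays, finance tries to manage, forged role, expired)."""
    key = secrets.token_bytes(32)  # constructed server-side key for the example
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    d = issue(key, "acme", "finance", timedelta(hours=8), t0)
    later, forged = t0 + timedelta(hours=1), replace(d, role="tech")
    return (authorize(key, d, "acme", "billing:pay", later),
            authorize(key, d, "acme", "resource:manage", later),
            authorize(key, forged, "acme", "resource:manage", later),
            authorize(key, d, "acme", "billing:pay", t0 + timedelta(hours=9)))
```

The billing-only delegation cannot perform technical management, a role change on the token fails the MAC check, and the token stops working once the predefined period has elapsed.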
How do you ensure compliance with relevant data protection regulations?
We’re GDPR compliant.
Moreover, Gandi is regularly listed by DNSAbuseInstitute.org as one of the world’s 10 lowest-abuse registrars. This is thanks to the work of our Security/Compliance/Abuse teams and their interconnection with all the other players, which enables us to act quickly and 24/7 in the event of a report, but also to our 20 years of experience and our ability to identify abnormal patterns.
From the outset, Gandi has always worked to protect personal data, developing a different approach to the major platforms by offering the tools for a controlled, secure online presence that respects personal data.
This concern for personal data protection even extends to our cookie-less website.
What tools and practices do you suggest to individuals and businesses in order to prevent and mitigate cyber attacks?
You need to secure access, if possible with double authentication, regularly update all programs and releases with patches for security flaws, and be vigilant for abnormal behavior such as sudden traffic; check email sources, monitor forums, watch the site’s open fields and check file uploads… You also need to be regularly informed of the various vulnerabilities that have been updated, as well as the flaws published on the sites that are reissuing them.
What security challenges and exciting developments do you see in the future of web hosting, and how do you plan to cope?
The development of AI tools – which are easily accessible to the greatest number of people – represents a major challenge, for example in their ability to build fake sites very easily and very realistically, and to create avatars that appear real. So we need to be doubly vigilant. But these same AIs can also be a source of help in identifying anomalous patterns or abuses.