VPS vs Shared Hosting – Which is more secure?
The world of hosting is complex, it’s further complicated when you throw security into the mix. A few months back I wrote an article on the delicate line between where the hosts security responsibility begins, and where yours, as the website owner, is required. That however did not address one key question – Which hosting environment is more secure? This is one of the most common questions I get asked.
The response, as you might imagine, is not as simple as the question itself. This question is often confused with misinformation and bias and the responses are often grossly inaccurate. I will spend some time thinking through the various points, applying insight where possible, in the hopes of helping you making a more informed decision on the type of hosting environments, and which ones make the most sense for you.
Hosting Environments
Regardless of platform, hosting environments are something you’ll want to get familiarized with if you’re looking to build an online presence in the form of a website. They come in a variety of shapes, and cross the spectrum of Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) environments, depending of course on what your specific needs are. When it comes to hosting and security, it often comes down to your specific needs and more importantly, your acceptable risk posture.
While there are a variety of types of environments, I’ll tailor the discussion to three specific types that most reading this will understand and relate with:
- Shared Hosting Environments
- Virtual Private Server (VPS) Environments
- Managed Hosting Environments
In essence, and in an overly simplified manner, they all achieve the same goal – they allow you to deploy your online website without having to host your own servers in your basement.
I. Shared Hosting Environments
Shared hosting environments get a lot of negative attention. This comes from the experiences back in 2009 / 2010 when they were experiencing mass infections due to improper server configurations. This affected some of the largest brands like GoDaddy, Bluehost, MediaTemple, and a number of others. Fortunately though, these organizations and many others have learned a great deal since and it’s actually very rare that mass infections are a result of improper server configurations. In fact, it’s often the complete opposite.
What is seen however, is the effect of one too many relationships between an account and the number of websites the account manages. Example, John Smith has 20 different websites within their Shared host account. In these situations, the host’s responsibility stops at the creation of the isolated environment in which John Smith is installing and deploying his websites. The minute John took ownership of that space, he now became the webmaster / system administrator for that space. The harsh reality is that John Smith is rarely any of those things. John is likely a businessman who was told he needed to have an online presence of a website, and he was attracted to the idea of a 5-minute install of WordPress or some other CMS platform.
Additionally, there is a proliferation of shared hosts available that further complicate things. Not all shared hosts are treated equal. It’s easy, relatively speaking, to deploy a website and start selling goods, it’s something outright different to have the appropriate infrastructure in place to support what you’re selling. There are a number of smaller / newer shared hosts that offer really bad solutions that in turn negatively affect the entire shared-host market.
Myth: Shared Hosts are the most insecure environments!
Telling people that shared hosts is insecure is wrong; they actually provide a good / cheap alternative for people. The trick is identifying and going with a reputable shared host that knows what they are doing.
II. Virtual Private Server (VPS) Environments
VPS environments get the best publicity when it comes to security, but that’s often from highly technical people or from those simply regurgitating what they don’t understand. What is often not said is that to manage a VPS, you must invest more energy in terms of money and technical knowledge. They don’t say or share their configurations, and when they do, they forget to appreciate what it is not to know. For the average website owners, a VPS is not a viable option unless you have a system administrator that knows what they are doing; no, not all sysadmins are equal either.
In fact, operating a VPS can be more devastating for you in terms of security if you don’t know what you’re doing.
Can it be more secure? Sure, if configured properly but that’s not the norm unfortunately. The norm is often a purchased VPS environment, with none of the security technologies applied or configured, little monitoring or auditing, everything open to the world, and no real administration of any kind. The hack still happened, and the response is always the same…I don’t understand, I had a VPS!!
Myth: VPS environments are more secure than shared environments!
VPS environments can be good solutions, and when deployed correctly,can provide a higher level of options around security and configurations. However, it requires a heightened level of knowledge in a wide range of things like systems administration, security, and general website maintenance.
It’s not ideal for most small businesses that don’t have staff capable of correctly configuring and monitoring, let alone everyday website owners.
III. Managed Hosting Environments
Managed environments are very interesting environments, and the level of security definitely varies. The beauty of managed environments is that they actively manage various elements of your website; the scale of management varies. There are some that function as fully-closed environments, meaning they might be built on a specific technology like WordPress but to you, the website owner you’re none the wiser and your only responsibility is to push your content and update your design. There are others that are more open to empowering you to make specific changes, update software, and other similar actions, along with updating content and design elements. When it comes to security in these environments, the same applies as the other environments.
In many instances, these managed environments are built on top of shared or VPS environments, but introduce an additional layer on top in which they help reduce some of the risks website owners introduce.
Myth: Managed hosts are the most secure environment for website owners!
Managed hosting environments definitely introduce a lot of appeal, but like Shared and VPS environments they have their challenges when it comes to security. They do introduce a heightened level of service and management, that for the least experienced individuals is definitely an attractive offer. Especially when talking about maintaining environments (i.e., applying updates when released), but note that not all managed environments are the same. Management is not an absolute, meaning every hosting provider will assume a different level of responsibility when offering managed services.
Which is More Secure?
In theory, the environments that remove the most dependency from the user will offer you the most security. In other words, fully managed environments are in essence the most secure. This would be followed by Shared environments, and trailed by VPS environments.
In reality however, the type of hosting environment would be dictated by the stage you are in as a person or organization. If someone was interested in starting a small website to sell bows, I’d likely encourage them to start off in a closed / managed environment and build traction before trying to go with a DIY type configuration. As they evolve as an individual / organization, then I’d have them move backwards in the process moving into a shared and eventually a dedicated environment. With that growth however I’d expect to see growth in terms of technical maturity and capability to move through the options; if that doesn’t exist, then moving to a different environment would introduce too many insecurities.
A different way to think of it:
If you’re someone that has little understanding of how websites work, what hosting environments are, then you have little business fiddling with shared or VPS environments. From a security perspective, it’s in your interest to go with a managed environment. If you’re an organization with your own NOC or SOC, or your own sysadmins, then a VPS could definitely be a perfect alternative as it provides you the flexibility you require and opportunities to drastically improve your security posture. If you’re a web developer or designer, know the basics of deploying and managing the website, then a shared environment might work out perfectly for you. Your situation and risk tolerance will dictate which environment you deploy.
Every host, regardless of environment, suffers some level of security incident within their customer accounts. It’s very rarely attributed to the host themselves; instead it’s often the customer who is at fault. When thinking about a host and asking yourself which is more secure, I’d challenge you to turn that question to yourself and ask:
- How much energy will I put into the management of the environment?
- How much do I really know about web servers?
- Do I want to worry about manual configurations / tuning and other actions?
- Do I have the staff to support the requirements of managing a web sever?
Four simple questions can help dictate which direction you go in terms of hosting environment.