Protecting your server

Servers are the source of all kinds of digital information on your laptops and desktops - some public, some private. If you're reading this, you're concerned about what steps you should take to keep your server safe. We're going to take a look over the next few tutorials at numerous considerations you'll have to make: it's not an easy ride.

The big questions

Protecting your server can be split in to two big questions:

1. What sorts of threats am I likely to face?

If you're running a private server, chances are it's in your home (unless you are operating it remotely). That means the threats are not likely to include unauthorised local access. However, if you're administrating a server in an enterprise environment, you will want to provision and control access for employees, probably with local safeguards built in.

The ultimate problem here is this: server security is a potential black hole. Unless you start to weed out options that just don't need considering, you will spend all your time administrating - and you might as well just carry a filofax.

2. What am I trying to protect?

In general information security, this comes down to three aspects: Confidentiality, Integrity and Availability. Confidentiality is the anonymity of your data, and the protection of access from unauthorised users. Integrity is the data itself: how easy is it to change? Availability is the maintenance of server access to those who are authorised to do so.

These three security aspects can be compromised at three different levels: LOW, MODERATE and HIGH. A LOW compromising of information security is one that has limited impact on either Confidentiality, Integrity or Availability. Say, for example, a hacker managed to get in and change the ordering of a file from 'alphabetical' to 'by type'. Annoying, yes, but hardly impactful. MODERATE threats are more serious - one that has significant or substantial impact on one or more aspects, such as to impact the mission of the organisation in charge of the server. That sounds very technical, but let's flesh it out with an example - a hacker gets in, and changes all the word 'the's in all official documents to 'an'. Frustrating, time-consuming to sort, moderate impact on integrity - but not a total disaster. HIGH threats are ones that cause catastrophic damage to one or more aspects of security - say, if your private server were downloaded on to someone else's machine without your permission. That's something we're really going to make sure we avoid.

So the question you need to ask yourself here is: what level of threat can I tolerate - you cannot administrate a server with zero threat. For a home media server, I might accept a MODERATE threat rating, so long as I have my files backup up (and not serving) elsewhere. For an enterprise-class server, it might be worth hiring a specialist team to ensure you can keep your threats LOW.

Your decision

Your decision as to how much or how little to protect your server needs to take in to consideration the two big questions above. They're designed to save you money, hassle and time. Get it straight before you dive in to software.

Taking measures

Next time we're going to look at protective measures (also called 'security controls'). We'll see that they split in to two sections, and we'll evaluate the relative importance of each - and how you can go about ensuring the safety of your server.