Grapic dots

Costs & Liabilities in Adopting a CMS

Mike Milano

The internet is an amazing medium for building applications. Whether it’s a simple marketing site, or a sophisticated business solution… these applications are accessible on just about any device with an internet connection.

A Content Management System (CMS), like Drupal, is a popular choice as the foundation for many of these applications.

A CMS is an application which enables non-developers to manage content on a website. They come with user support built in, which allows site administrators to control the types of access users have throughout the system.

For example, a site which hosts articles may have user roles including authors, editors, and administrators. Permissions can then be assigned so authors can create articles, editors can update or delete articles, and administrators can do everything, including manage the roles each user has.

Free?

Out of the box, you get a rather sophisticated solution for free.

The free headstart sounds wonderful, but you now have a very complicated piece of software to customize and maintain.

There are the obvious costs:

  • Data Customization (Configuring content types and their fields)
  • Visual Customization (Branding and theming the site)
  • Security Customization (Configuring user roles and permissions)

And the not so obvious costs:

  • Liability
  • Maintenance
  • Hosting (Perhaps obvious, but the optimal hosting may not be)

Let’s focus on the not so obvious costs.

Liability

A vulnerable site is a significant liability to your organization.

As the complexity of a system increases, the opportunity for vulnerabilities to exist increases as well.

We’ve established that Content Management Systems are complex, so it’s important to accept they will become vulnerable, especially when not properly maintained.

Vulnerabilities are found one of three different ways, listed here from best to worse case: - A developer finds the vulnerability before it has been exploited - A security researcher has found the vulnerability and reported it to the developers - The system was exploited before the vulnerability was known

Once vulnerabilities are known, an update is made and a new version of the software is released. It’s critical to patch systems immediately because at this point the vulnerability is public knowledge.

In the case that your website is exploited, the liability you are now dealing may include:

  • A data breach (Mitigated by not hosting sensitive data)
  • Data/website restoration costs
  • Website downtime

Adopting a CMS, like adopting a dog, comes with responsibilities. It’s critical to your business’ reputation and financials that you understand what’s involved in maintaining the system, and the consequences for not maintaining the system properly.

Maintenance

Besides liability of security vulnerabilities, another reason for maintenance is so components of the CMS stay current as technologies advance.

For example, TLS 1.0, a protocol used in a popular email library, was phased out by popular email providers. As a result, systems suddenly were unable to send emails. The point here being there are reasons beyond security that your CMS, or a component of the CMS, will require maintenance.

In addition to maintaining software updates, maintenance includes operational functions such as backups and system health checks. It’s critical to store backups and important to preempt avoidable failures due to disk space, expiring SSL certificates, and other points which can be monitored.

It sounds like a lot to watch over, and it is! A proper host, however, can take some of this weight off your shoulders.

Hosting

Web sites require web hosts. Obvious, right? Not so fast!

Each web host is different, like snowflakes, but let’s take a look at the 2 major types when it comes to CMS hosting:

  • Budget Hosts (Godaddy, Hostgator)
  • Specialty Hosts (Platform.sh, Pantheon)

Budget hosting is typically $5 to $25 per month and comes with a control panel where you can manage things like FTP, redirects, and SSH, if you’re lucky. Deploying sites is a pretty manual process and your hands are tied if you want to use specialized tools.

Specialty hosts are slightly more expensive, but provide you with a very controlled workflow for building and deploying your projects. They use version control to move code around, which is what your development shop will be using to manage updates to your website. Specialty hosts also provide multiple environments, so you can easily stage changes for review, before that version of the software is promoted to production.

Besides supporting best practices like these, they also make maintenance a breeze by providing mechanisms to schedule and restore backups. Each provider has their own command line tools and drop-in configurations for developers to run actions against the platform or CMS.

One feature which I think is often overlooked is their network filtering. These hosts know what software you’re running on their systems, and often have network filters in place which drop traffic recognized to be exploiting known vulnerabilities specific to your CMS.

When you consider the hourly rate you’re paying developers, it’s likely you’ll be saving money when using a specialized hosting provider.

Conclusion

There are countless reasons to use a CMS, but often the liability and responsibility to keep them maintained are overlooked. Make informed decisions with adequate consideration to details beyond the initial development. Proper hosting and maintenance keeps risk down and makes for predictable website ownership.

If you would like to discuss site maintenance or development, give us a call!

Tags:  Drupalcmssecurity

8 Reasons Why Standardizing on Drupal is the Right Choice for Enterprise.
Read about it in this free white paper.

Download for Free Now!