Web Hosting Recommended Security Practices
The Japanese version of this security policy can be viewed on this page: OCS Hosting Service Security Initiatives
Security is a core functional requirement that protects mission critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.
As a web hosting company, our primary task is to provide our customers with a highly-optimized, secure place to host their data and web application.
It is for this reason that we utilize time-tested security best practices to keep your data and assets in the cloud safe.
But we also expect our customers to be responsible for their own security under what we call a "shared responsibility model".
What you see below is by no means exhaustive, but it is definitely a step in the right direction.
Two-Factor Authentication
Frankly, it is easier than you could possibly imagine for someone to steal your password, because passwords are increasingly easy to compromise.
Any of these common actions could put you at risk of having your password stolen:
- 1. using the same password on more than one site
- 2. criminals infecting your computer with keystroke loggers
- 3. data harvesting via phishing websites
- 4. sharing or reusing passwords with other people
- 5. social engineering and attacks over your phone
- 6. downloading an app or software to your local system or mobile device
- 7. clicking on links in email messages from friends, family, or people you don't know.
Two-factor authentication adds an additional layer of security by introducing a second step to your login.
It takes something you know (i.e., your password) and adds a second factor, typically something you physically have (such as your phone).
Since both are required to log in, in the event an attacker obtains your password, two-factor authentication would stop them from accessing your account.
Whenever you sign in to your billing portal, cPanel server, or Plesk server, you'll enter your password as usual.
Then we will ask for something else to make sure that you are who you say you are ... at least within a reasonable bound.
But this can only happen if you have set up 2-Step Verification using the methods described in the post-signup emails that we have sent to you.
We highly recommend that you enable and configure two-factor authentication for your servers and your customer dashboard.
If you ever lose access to your device or are unable to authenticate, just let our security team know and we will disable these after verifying your identity.
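To show why a stolen password alone is not enough once a second factor is required, here is an added example (not code from OCS Hosting Service) of a login that checks a password and then a time-based one-time code from a phone app, using the RFC 6238 TOTP algorithm. The page does not say which second-factor method its portals use; TOTP is assumed here for illustration, and the stored password hash and the shared secret are constructed test values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed test values for this example only (not a real account).
# A real system would store the password with a slow hash such as bcrypt.
STORED_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()
# Base32 of the ASCII secret "12345678901234567890" used in the RFC 6238 test vectors.
TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step plus or minus `window` steps to absorb clock drift.
    compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: the password (something you know) and the phone code (something you have)."""
    candidate = hashlib.sha256(password.encode()).hexdigest()
    password_ok = hmac.compare_digest(candidate, STORED_PASSWORD_HASH)
    return password_ok and verify_totp(TOTP_SECRET, code, unix_time)
```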
Login Notification
Once your account is ready, please log in to your cPanel and scroll down to the Preferences pane.
Once there, click on the Contact Information.
This interface stores the contact information for your cPanel account and lets you set your contact preferences.
To change your contact information, enter the desired contact information in the available text boxes.
We recommend that you do not use an email address that your cPanel account owns, as you may fail to receive messages when the server encounters problems.
For example, if your mailbox exceeds its quota or someone accesses your data, you will not receive any new email, including notices.
You can also use Pushbullet™ access tokens to receive alerts. If nothing else, ensure that you have these enabled:
- 1. My account’s password changes. — Send a notification if someone changed your account password.
- 2. My preference for account password change notifications is disabled. — Send a notification if someone disabled the My account’s password changes setting.
- 3. Someone logs in to my account. — Send a notification when someone logs in to your account. This is useful if you suspect that someone else has your account password.
- 4. Send login notifications, even when the user logs in from an IP address range or netblock that contains an IP address from which a user successfully logged in previously. — Send a notification whenever someone logs in to your account successfully through any IP address.
- 5. My preference for successful login notifications is disabled. — Send a notification if someone disables the Someone logs in to my account setting.
- 6. An external account links to my account for authentication. — Send a notification when someone links your account to an external authentication provider.
- 7. My preference for external account link notifications is disabled. — Send a notification if someone disabled the An external account links to my account for authentication setting.
If you ever receive a notification that someone has accessed your account without your consent, or without your being aware that such consent was given, please do let our Security Team know at once.
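Setting 4 above matters because, without it, a login from an address in the same network range as one you used before stays silent. The following added example (not cPanel's code) models that decision over a constructed login history; the /24 (IPv4) and /64 (IPv6) netblock sizes are an assumption for illustration, since the page does not state the exact rule cPanel applies.

```python
import ipaddress
from typing import Iterable, List, Tuple


def same_netblock(candidate: str, known_ips: Iterable[str],
                  prefix_v4: int = 24, prefix_v6: int = 64) -> bool:
    """True if `candidate` lies in the same /24 (IPv4) or /64 (IPv6) as any previously seen address.
    The prefix lengths are assumed for this example."""
    addr = ipaddress.ip_address(candidate)
    for known in known_ips:
        k = ipaddress.ip_address(known)
        if k.version != addr.version:
            continue
        prefix = prefix_v4 if k.version == 4 else prefix_v6
        if addr in ipaddress.ip_network(f"{k}/{prefix}", strict=False):
            return True
    return False


def should_notify(login_ip: str, known_ips: Iterable[str], notify_on_known_netblock: bool) -> bool:
    """Mirror of setting 4: with the option on, every successful login notifies;
    with it off, a login from a netblock that already contains a known address is silent."""
    if notify_on_known_netblock:
        return True
    return not same_netblock(login_ip, known_ips)


# Constructed sample of successful logins as (timestamp, source IP); not real log data.
SAMPLE_LOGINS: List[Tuple[str, str]] = [
    ("2024-01-05T08:00:00Z", "203.0.113.10"),
    ("2024-01-05T21:14:00Z", "203.0.113.77"),   # same /24 as the first login
    ("2024-01-06T03:42:00Z", "198.51.100.5"),   # a new network range
]


def alerts(logins: List[Tuple[str, str]], notify_on_known_netblock: bool) -> List[str]:
    """Replay the history in order and return the source IPs that would have triggered a notification."""
    seen: List[str] = []
    fired: List[str] = []
    for _timestamp, ip in logins:
        if should_notify(ip, seen, notify_on_known_netblock):
            fired.append(ip)
        seen.append(ip)
    return fired
```

With the setting off, the second login (203.0.113.77) never produces an alert even though it is a different machine; with it on, all three do.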
Password Strength
The internet was never designed to be used by those outside a circle of trust.
That it took the world by storm and changed it also means that adequate security measures were not put in place to accommodate its explosive growth.
Password authentication, a relic of that era that tries to overcome these shortcomings, is still very pervasive even though new technologies are cropping up to replace it.
But until such time, it remains the primary authenticating mechanism for most online systems.
OCS Hosting Service enforces a minimum password strength for your cPanel, Webmail, Plesk, Billing system and other portals that customers have access to.
With password strength enforcement, our system measures the effectiveness of your password against guessing or brute-force attacks.
In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly.
When you add a password, the strength is indicated by a password strength meter.
The strength of a password is a function of length, complexity, and unpredictability.
But please do remember that this measure is not a reliable guide to how likely it is that your password will be cracked; it is designed to nudge you in the direction of creating better, stronger passwords in general.
We should repeat this: using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls.
A good password practice dictates that you must at least:
- 1. use a minimum password length of 20 to 26 characters.
- 2. make the password a combination of uppercase letters, lowercase letters, and symbols.
- 3. avoid using the same password twice (e.g., across multiple user accounts and/or software systems).
- 4. avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors' names or dates).
- 5. avoid all personally identifiable information in your passwords.
- 6. avoid using information that is or might become publicly associated with the user or the account.
- 7. avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user.
- 8. avoid passwords which consist wholly of any simple combination of the aforementioned weak components.
The best way to generate a truly good password is with a password generator.
Please do consider using any of these below:
And even when you use these tools to either check your password strength or create a new password, do add additional symbols or letters to the password you just checked if you intend to use it online, just to be on the safe side.