The adoption of agile development methods has shortened the development cycle. As developers roll out new features to production faster, security reviews and penetration tests lag behind functionality and usability work, which leaves information assets exposed to higher risk. In this dynamic, it is no surprise that most servers, applications, databases and operating environments need additional hardening before they can be considered reasonably protected against compromise.
Security hardening is a set of measures that secure the infrastructure against attacks by reducing its attack surface and eliminating as many risks as is practical. The process consists of applying specific guidelines to each infrastructure component: servers, applications, operating systems, databases and the network.
Applying security guidelines to system components
Server hardening
- Ensure the physical security of your servers by choosing a top-tier datacenter with an appropriate physical security level;
- Remove all unnecessary services and applications unless the server needs them to function;
- Use secure remote administration access (for example SSH with key-based authentication) to manage the server;
- Use only secure, encrypted protocols for processing requests;
- Monitor login attempts and lock accounts after a set number of failed attempts;
- Make sure that your backups are automated, regular and periodically restore-tested, etc.
Application hardening
- Remove all functions and components that are not in use;
- Apply a user role policy and restrict application access according to user privileges;
- Remove all sample files and change default passwords;
- Set up a web application firewall and validate all incoming data and variables, etc.
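The "monitor login attempts" item in the server list is usually the first one to script. The POSIX shell function below is an added example and not part of this page: it counts failed SSH logins per source address in sshd log lines and reports the addresses that reach a threshold. The log lines are constructed to look like OpenSSH entries from /var/log/auth.log, and the addresses, hostnames and the threshold of five are placeholders. The lockout itself is a separate step: pam_faillock (for example `deny=5 unlock_time=900` in the PAM stack) locks the account, and a tool such as fail2ban or a firewall rule blocks the source address.

```shell
#!/bin/sh
# Added example (not part of the SHALB page): find source addresses that are
# brute-forcing SSH by counting failed logins per address in sshd log lines.
# Run it against /var/log/auth.log or `journalctl -u ssh -o short` output.

# Constructed sample log in OpenSSH's auth.log format; the addresses come
# from the RFC 5737 documentation ranges and are placeholders.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2103]: Invalid user admin from 203.0.113.7 port 51030
Mar  3 10:01:15 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:19 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Mar  3 10:01:23 web1 sshd[2108]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  3 10:01:27 web1 sshd[2110]: Failed password for invalid user test from 203.0.113.7 port 51063 ssh2
Mar  3 10:02:02 web1 sshd[2130]: Failed password for deploy from 198.51.100.23 port 40122 ssh2
Mar  3 10:02:09 web1 sshd[2132]: Accepted publickey for deploy from 198.51.100.23 port 40124 ssh2'

# Print "<count> <ip>" for every source address whose failed logins reach the
# threshold ($2, default 5), highest count first.
# Only "Failed password/publickey" lines are counted: sshd also logs an
# "Invalid user ... from" line for the same attempt, so counting both would
# double-count attempts with unknown user names.
flag_bruteforce_sources() {
    threshold="${2:-5}"
    printf '%s\n' "$1" |
        awk -v thr="$threshold" '
            /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
                # the source address is the token after the word "from"
                for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
            }
            END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }' |
        sort -rn
}

# Demo on the constructed log: 203.0.113.7 has five failures, 198.51.100.23 one.
flag_bruteforce_sources "$SAMPLE_AUTH_LOG" 5
```

On a real host, pipe the log in with `flag_bruteforce_sources "$(cat /var/log/auth.log)"` from a cron job or a log-shipping hook; a threshold of five within a few minutes is a reasonable starting point, but tune it to your own baseline so that a single administrator's typo does not trigger a lockout.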
Operating system hardening
- Ensure OS updates and patch management are performed regularly;
- Remove unnecessary functionality (unused packages, services and kernel modules);
- Configure the firewall to deny all traffic that is not explicitly permitted;
- Configure the operating system to log all activity, errors and warnings, and ship the logs to a central location so that an attacker on the host cannot erase them, etc.
Database hardening
- Restrict administrative privileges so that users can only perform the database operations their role requires;
- Enable valid node checking (host allow lists) so that only known application and administration hosts can open connections;
- Encrypt database data at rest and in transit;
- Enforce a password policy;
- Implement access control through role-based privileges, etc.
Network hardening
- Restrict inbound and outbound traffic with firewalls using explicitly configured rules and exceptions;
- Place public-facing services in separate demilitarized zones (DMZs);
- Use proxy services to control users' access to the Internet;
- Use a mail security gateway to protect corporate mail from spam;
- Enable secure VPN connections for remote access, and use strong passwords and encryption (WPA2/WPA3) for all wireless networks, etc.
Moving IT infrastructure to the cloud can itself be a security hardening step, because cloud providers secure the underlying platform and offer most of the controls above as ready-made services: OS image updates, network firewalls and security groups, traffic encryption, monitoring and logging, backups, etc. How cloud security is organized depends on the particular provider and the service level it offers to its customers. With reputable providers this includes enhanced resilience against DDoS attacks, a compliance-oriented network architecture and top-tier datacenters for customers' data. For managed (PaaS and SaaS) offerings the provider also patches and secures the underlying databases, web servers and storage systems. The responsibility is shared, however: configuration choices such as access policies, exposed ports, storage permissions and encryption settings remain with the customer, and a misconfigured cloud resource is just as exposed as a misconfigured on-premises server.
Security hardening at SHALB
Our engineers consider security at the infrastructure planning stage, including sensitive data exchange, encryption requirements, intercommunication between product components, etc. When onboarding customers with already operating environments, we always conduct a comprehensive audit to check the configuration of services and investigate possible vulnerabilities within the existing systems. Based on the risks identified, we create a plan for system hardening.
As part of the security guidelines, we set up bastion hosts to ensure that access to the customer's network is secure, limited and authenticated by private keys only. The bastion hosts are then used as SSH jump hosts (proxies) through which the customer's services within the intranet are managed.
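The bastion setup described above, as an added example that is not SHALB's own configuration: a POSIX shell script that checks an OpenSSH sshd_config against the settings a key-only bastion should have (passwords and root login off, a low MaxAuthTries), and writes the client-side ssh_config that routes sessions to intranet hosts through the bastion with ProxyJump. The hostnames (bastion.example.com, *.internal), the user name ops-admin and the key paths are placeholders, and the two sshd_config texts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SHALB's own configuration): audit an OpenSSH sshd_config
# against the settings a bastion host should have, and write the client-side
# ProxyJump config that sends intranet sessions through the bastion.
# Hostnames, user names and key paths below are placeholders.

# Directive and the value a bastion should have (sshd_config(5) names).
# MaxAuthTries is treated as an upper bound, the others must match exactly.
BASTION_SSHD_POLICY='PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
X11Forwarding no
MaxAuthTries 3'

# Upstream OpenSSH defaults for the directives above, used when a directive
# is absent: a commented "#PasswordAuthentication yes" line in the stock file
# is not a setting, so the compiled-in default (yes) applies.
sshd_default() {
    case "$1" in
        PasswordAuthentication|PubkeyAuthentication|KbdInteractiveAuthentication) echo yes ;;
        PermitRootLogin) echo prohibit-password ;;
        MaxAuthTries) echo 6 ;;
        *) echo no ;;
    esac
}

# Effective value of directive $2 in config text $1 (empty if not set).
# sshd uses the FIRST occurrence of a keyword; keywords are case-insensitive.
# Lines after the first "Match" block are conditional and are ignored here,
# so run `sshd -T` on the real host for the authoritative view.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Print one FAIL line per deviation from BASTION_SSHD_POLICY; the return value
# is the number of deviations, so 0 means the config passes.
audit_bastion_sshd() {
    cfg="$1"; findings=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have="$(sshd_effective "$cfg" "$key")"
        [ -n "$have" ] || have="$(sshd_default "$key")"
        if [ "$key" = MaxAuthTries ]; then
            [ "$have" -le "$want" ] && continue
        else
            [ "$have" = "$want" ] && continue
        fi
        printf 'FAIL %s is %s, expected %s\n' "$key" "$have" "$want"
        findings=$((findings + 1))
    done <<EOF
$BASTION_SSHD_POLICY
EOF
    return "$findings"
}

# Client-side config written to $1 (drop it into ~/.ssh/config or an Included
# file). ProxyJump needs AllowTcpForwarding on the bastion but not agent
# forwarding, so ForwardAgent stays off and private keys never leave the
# administrator's machine.
write_jump_config() {
    cat > "$1" <<'EOF'
Host bastion
    HostName bastion.example.com
    User ops-admin
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes
    ForwardAgent no

Host *.internal
    User ops-admin
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# Constructed configs: a stock-looking file that still allows passwords, and
# a hardened bastion file.
WEAK_SSHD_CONFIG='#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server'

HARDENED_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding yes
AllowUsers ops-admin'

audit_bastion_sshd "$WEAK_SSHD_CONFIG" || echo "weak config: $? deviation(s)"
audit_bastion_sshd "$HARDENED_SSHD_CONFIG" && echo "hardened config: OK"
```

With the client config in place, `ssh app1.internal` opens a TCP forward through the bastion and authenticates to the internal host directly, so the bastion never sees the internal key. On the bastion itself, pair the sshd settings with an `AllowUsers` or `AllowGroups` list and restrict port 22 in the firewall to the administrators' source addresses, which turns the bastion into the single, logged entry point the paragraph above describes.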
At SHALB, we provide security hardening for both on-premises and cloud-based environments. We implement security hardening best practices while tailoring them to your infrastructure. Contact us to protect your systems from data breaches, unauthorized access, hacking and malware intrusion.