The adoption of agile development methods has sped up the development cycle in general. As developers try to roll out new features to production faster, security and penetration testing lags behind functionality and usability, which in turn exposes information assets to higher security risks. In this dynamic, it is no surprise that most servers, applications, databases and operating environments need additional security hardening measures to prevent them from being compromised.
Security hardening refers to a set of measures aimed at securing the infrastructure against attacks and eliminating as many risks as possible. It involves specific guidelines that apply to different infrastructure components, namely:
Server hardening: ensure the physical safety of your servers by choosing a top-tier datacenter with the highest security level; remove all services and applications that are not needed for the server to function; use secure remote administration access to manage the server; use only secure protocols for processing requests; monitor login attempts and lock accounts after a certain number of failed attempts; make sure that your backups are done regularly and automatically, etc.
Application hardening: remove all functions and components that are not in use; apply a user role policy and restrict application access according to user privileges; remove all sample files and change default passwords; set up a web application firewall; check incoming data and variables, etc.
Operating system hardening: ensure OS updates and patch management are performed regularly; remove excessive functionality; configure the firewall to deny all traffic that is not explicitly permitted; configure the operating system to log all activity, errors, and warnings, etc.
Database hardening: create admin restrictions to control what users can do in the database; enable valid node checking to prevent malicious connections; encrypt database information; enforce a password policy; implement access control by introducing role-based privileges, etc.
Network hardening: restrict incoming and outgoing traffic with firewalls configured with rules and exceptions; place public services in separate demilitarized zones (DMZs); use proxy services to control users' access to the Internet; use a mail security gateway to protect corporate mail from spam; enable a secure VPN connection for remote access; create strong passwords and encryption for all wireless networks, etc.
Moving IT infrastructure to the cloud can also be considered a security hardening measure, as cloud providers implement most security policies by default. Clouds have all the services required by security regulations available and easy to set up, including OS updates, network firewalls, traffic encryption, monitoring and logging, backups, etc. The way cloud security is organized depends on the particular cloud provider and the service level that they offer to their customers. With reputable providers this includes enhanced resilience against DDoS attacks, security-compliant network architecture and top-tier datacenters to store customers' data. Moreover, all security needs related to SaaS, including databases, web servers and data storage systems, are also handled by the provider.
At SHALB, security matters are considered by default at the infrastructure planning stage. This involves sensitive data exchange, encryption requirements, intercommunication between product components, etc. When onboarding customers with environments that are already in operation, we always conduct a comprehensive audit to check the configuration of services and investigate possible vulnerabilities within existing systems. Based on the risks identified, we create a plan for system hardening.
As part of our security guidelines, we set up bastion hosts to ensure secure, limited access to the customer's network. The bastion hosts are then used as an SSH proxy to manage the customer's services within the intranet and can be accessed with private keys only.
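An added example, not SHALB's own tooling: a Python check of an `sshd_config` file against the "private keys only" bastion policy described above. The required values, the sample files and the names `POLICY` and `audit` are assumptions of this example, and `Include` files are not followed.

```python
import re

# keyword: (value a key-only bastion needs, OpenSSH default when absent).
# The required values are this example's assumption, not taken from the page.
POLICY = {
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
    "permitemptypasswords": ("no", "no"),
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit(text):
    """Return a list of findings; an empty list means the policy holds."""
    effective, findings, scope = {}, [], None
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+)\s*=?\s*(\S*)", raw)
        if not m or not m.group(2):
            continue  # blank line, comment, or keyword without a value
        key = m.group(1).lower()  # keywords are case-insensitive
        key, value = ALIASES.get(key, key), m.group(2).strip('"').lower()
        if key == "match":
            scope = raw.strip()  # following lines apply only inside this block
        elif key in POLICY and scope is None:
            effective.setdefault(key, value)  # sshd keeps the first value it reads
        elif key in POLICY and value != POLICY[key][0]:
            findings.append(f"{scope}: {key} {value}")  # Match block weakens policy
    for key, (want, default) in POLICY.items():
        got = effective.get(key, default)
        if got != want:
            findings.append(f"global: {key} is {got}, want {want}")
    return findings

# Constructed sample: the "no" appended at the end is ignored because the
# earlier "yes" wins, and a Match block re-enables passwords for one subnet.
WEAK = """PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
# Constructed sample that satisfies the policy.
HARDENED = """PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

print("\n".join(audit(WEAK)) or "policy holds")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this check is for reviewing configuration files offline.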
At SHALB, we provide security hardening for both on-premises and cloud-based environments. We implement best practices of security hardening while customizing them for your infrastructure. Employ our services to secure your systems from data breaches, unauthorized access, hacking or malware intrusion.