Important steps to improve your infrastructure security

ServerBee Blog
5 min read · May 30, 2023


Unfortunately, security issues are not always a high priority, especially in the early stages of a startup or software product. The first deployment of functionality, the collection and processing of the first statistical data, and the choice of provider, type, and region of the cloud infrastructure (databases and file storage) often happen spontaneously and bring chaos to the development of the infrastructure.

As a result, it becomes difficult to control key areas of responsibility and to restrict access to critical project data. Sooner or later you will have to return to security improvements, usually after some negative experience.

In this post, we have collected 7 simple but very important steps for improving the basic security level of your infrastructure. They can be done at the very start of project development or at any later stage, and they will save your nerves, time, and money. 🙂

1) Use a VPC (Virtual Private Cloud)

Although public cloud platforms are usually well protected, by default you can’t flexibly manage access to infrastructure elements, databases, analytics, logs, and IP addresses, which different employees may need at different levels of access. To reach these resources, it is better to use a secure VPN server.

A VPC, on the other hand, lets you isolate your infrastructure from public resources, organize a hierarchy of accounts, and limit access to logs, analytics, file storage, configurations, and secrets to a narrow circle of specialists. In addition, you can flexibly manage routing and private subnets and gain a higher degree of configuration flexibility.

2) Do not run processes as the root user inside containers

One more warning! This is a common bad habit among cloud users. If you use the root user inside containers, even just for debugging and configuring some services, in a dynamic cloud environment you will not be able to keep track of how many containers are running with it. These security holes can attract the close attention of hackers.
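As an added example (not from the original post), here is the hardened Dockerfile beside the habit it replaces, plus a small lint that a CI job can run to catch images whose final stage would still start as root. The image, user name, and paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example: non-root containers and a CI check for them.
# Image name, user name and paths are assumptions made for the demo.
set -eu

WORK=$(mktemp -d)

# Constructed "before": no USER instruction, so every process starts as uid 0.
cat > "$WORK/Dockerfile.root" <<'EOF'
FROM alpine:3.18
COPY app /srv/app
CMD ["/srv/app/run"]
EOF

# Constructed "after": create an unprivileged account, give it only the files it
# needs, and switch to it before CMD so the container never runs as root.
cat > "$WORK/Dockerfile.nonroot" <<'EOF'
FROM alpine:3.18
RUN addgroup -S app && adduser -S -G app -H -s /sbin/nologin app
COPY --chown=app:app app /srv/app
USER app:app
CMD ["/srv/app/run"]
EOF

# Print the user the final image will run as: the last USER instruction wins,
# and Docker defaults to root when there is none. Group suffixes are dropped.
dockerfile_final_user() {
    awk 'toupper($1) == "USER" { u = $2 }
         END { sub(/:.*/, "", u); if (u == "" || u == "0") u = "root"; print u }' "$1"
}

# CI gate: exit non-zero for any Dockerfile whose final user is root.
dockerfile_check_nonroot() {
    if [ "$(dockerfile_final_user "$1")" = "root" ]; then
        echo "FAIL: $1 runs as root" >&2
        return 1
    fi
    echo "OK: $1 runs as $(dockerfile_final_user "$1")"
}

dockerfile_check_nonroot "$WORK/Dockerfile.nonroot"
dockerfile_check_nonroot "$WORK/Dockerfile.root" || true   # shows the failing case
```

The lint only reads the Dockerfile; an image that later escalates at runtime (for example via a setuid binary) still needs runtime controls such as dropping capabilities.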

3) Use image scanning for vulnerabilities directly in Continuous Integration

Creating a script that scans container images for vulnerabilities at the test execution stage of Continuous Integration increases the stability of the entire program. A lot of images and their versions accumulate in the repository, so automating this process is extremely important to avoid errors and instability in the code itself and in the service as a whole.

You can also use a paid cloud container registry service and enable its vulnerability-checking feature as an additional measure for detecting issues missed during the main tests.
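As an added example (not from the original post), this is the kind of CI stage the text describes: scan the freshly built image with Trivy and fail the pipeline on HIGH/CRITICAL findings that already have a fix. The image name, the CI variables, and the findings in `SAMPLE_FINDINGS` are constructed for the demo.

```shell
#!/bin/sh
# Added example: a CI scan stage with a severity gate.
# The image reference and the sample findings are assumptions for the demo.
set -eu

IMAGE="${IMAGE:-registry.example.com/shop/api:${CI_COMMIT_SHA:-dev}}"

# Policy applied to one finding per line: "<id> <severity> <fixed-version|->".
# Returns 1 when any HIGH or CRITICAL finding already has a fixed version,
# i.e. the team could patch it by rebuilding. Unfixed ones are only reported,
# so the pipeline does not block on issues nobody can act on yet.
severity_gate() {
    awk '
        $2 == "HIGH" || $2 == "CRITICAL" {
            if ($3 != "" && $3 != "-") { blocking++; print "BLOCK", $0 }
            else                       { unfixed++;  print "WARN ", $0 }
        }
        END { printf "blocking=%d unfixed=%d\n", blocking, unfixed
              exit (blocking > 0) }'
}

# In CI: emit one line per finding with a Trivy output template, then gate.
scan_image() {
    trivy image --quiet --format template \
        --template '{{ range . }}{{ range .Vulnerabilities }}{{ .VulnerabilityID }} {{ .Severity }} {{ if .FixedVersion }}{{ .FixedVersion }}{{ else }}-{{ end }}{{ "\n" }}{{ end }}{{ end }}' \
        "$1" | severity_gate
}

# Constructed report standing in for a real scan (placeholder IDs, not real CVEs).
SAMPLE_FINDINGS='CVE-0000-0001 CRITICAL 1.2.4
CVE-0000-0002 HIGH -
CVE-0000-0003 LOW 3.0.1'

if command -v trivy >/dev/null 2>&1 && [ "${CI:-}" = "true" ]; then
    scan_image "$IMAGE"
else
    printf '%s\n' "$SAMPLE_FINDINGS" | severity_gate || echo "pipeline would fail here"
fi
```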

4) Protect all accounts with two-factor authentication

Attackers know all the key entry points and endlessly test them for strength, so the cloud, GitHub, GitLab, and other accounts should have the maximum level of protection.

5) Use encryption for your backups

It is worth noting that most file repositories (S3, Google Cloud Storage, etc.) already offer encryption as a basic feature. For example, AWS S3 recently started automatically encrypting all new objects added to storage with the default AES-256 cipher. Backup encryption is a must for any commercial and business project today.

Backups contain configuration, databases, files, system logs, analytics data, and secrets. There is no need to say much about the risks of attackers gaining access to such data. Against the background of the mass leaks of confidential information from social networks and cloud services that we periodically learn about from the news, it is clear that today not only corporate clients and businesses focus on protecting confidential data, but even ordinary users encrypt their home photos and videos. Even if encryption is not enabled at the cloud object storage level, it can be done at the file level, for example, using OpenSSL.
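As an added example (not from the original post), the file-level OpenSSL encryption mentioned above, carried through with a restore check, since a backup that cannot be decrypted is not a backup. The paths, the passphrase file, and the dump contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: encrypt a backup at the file level with OpenSSL and verify it.
# Paths, passphrase handling and the sample dump are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
PASSFILE="$WORK/backup.key"           # in production: fetched from your secret store
umask 077                             # key file and outputs readable by the owner only
openssl rand -base64 32 > "$PASSFILE" # 256-bit random passphrase, never hard-coded

# Constructed stand-in for a database dump.
printf 'CREATE TABLE users (id int);\nINSERT INTO users VALUES (1);\n' > "$WORK/db.sql"

# Encrypt: AES-256-CBC, key derived with PBKDF2 (200k iterations) and a random
# salt, so two backups of identical data never produce the same ciphertext.
encrypt_backup() {            # encrypt_backup <plain> <out.enc>
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass file:"$PASSFILE" -in "$1" -out "$2"
}

decrypt_backup() {            # decrypt_backup <in.enc> <out.plain>
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass file:"$PASSFILE" -in "$1" -out "$2"
}

# Restore test: prints "ok" when decrypt(encrypt(x)) is byte-identical to x.
verify_roundtrip() {          # verify_roundtrip <plain>
    encrypt_backup "$1" "$WORK/rt.enc"
    decrypt_backup "$WORK/rt.enc" "$WORK/rt.dec"
    if cmp -s "$1" "$WORK/rt.dec"; then echo ok; else echo MISMATCH; fi
}

# Sanity check that the ciphertext does not contain the given plaintext string.
ciphertext_hides() {          # ciphertext_hides <enc> <plaintext-string>
    ! grep -q -- "$2" "$1"
}

encrypt_backup "$WORK/db.sql" "$WORK/db.sql.enc"
verify_roundtrip "$WORK/db.sql"
ciphertext_hides "$WORK/db.sql.enc" "CREATE TABLE" && echo "plaintext not visible"
```

`openssl enc` gives confidentiality only; store a separate digest or signature of the encrypted file so tampering is detected before a restore is attempted.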

6) Use SSO (Single Sign-On) servers to control internal management panels

It is convenient and safe to enter all admin panels of services through one credential provider. With SSO authentication, no credentials need to be kept in the services themselves; they are stored by the SSO server. Single sign-on lets users log in just once and then access all admin areas without re-authenticating. It reduces the number of times secrets are entered and reduces the authentication points to one, which makes control much easier. Services do not store user passwords in any form but rely on the authentication data on the SSO server side.

7) Use an API Gateway, which is a gateway for a REST API to an external service

Today, most network interaction on the Internet is carried out through Application Programming Interfaces (APIs). The growing number and complexity of APIs create the need to manage calls to them, which requires a new type of infrastructure, and that is handled by an API Gateway. An API gateway architecture serves as a single point of entry for specific clients or applications that want to access your API. API gateways help you scale and efficiently manage API traffic and are especially useful if you use more than one microservice. Security is greatly enhanced by an API Gateway because it sits at the entrance to the infrastructure, where security issues arise.

Various cloud-based solutions such as Azure API Management, Amazon API Gateway, etc. are convenient and significantly save development time. They receive and process client requests for various services, manage service functions, and implement business logic. Cloud API Gateways can monitor the frequency of requests for each HTTP method and create a cache with configurable keys and a timeout in seconds. API Gateway cloud systems usually also let you monitor various indicators and show, for example, the number of errors or call latencies in a user-friendly interface.

Taking these 7 basic tips into account, you will significantly increase the security level of your cloud infrastructure and stabilize its operation. These are only the first points of a larger plan. As the infrastructure grows and services become more popular, the next steps should be considered individually for each case, depending on the specifics and requirements of the project.

So if it makes sense to you, let us know. We will be glad to help.


Written by ServerBee Blog

We specialize in scalable DevOps solutions. We help companies support critical software applications and infrastructure on AWS, GCP, Azure, and even bare metal.
