7 Steps to Security at scale

Good security practices are non-negotiable for any online business. However, if security measures are not comprehensive, or are configured inefficiently, they can lead to both performance problems and security issues.

In this week's newsletter, we will address the key tenets of security and how to secure your infrastructure at scale.

The key vectors for achieving security are as follows:

1 Host/Network Isolation

The first step in a security policy is to plan the isolation of server resources, and the simplest way to do that is to implement a VPC. A VPC isolates the entire infrastructure from the unintended consequences of a port being left open or an unauthenticated service, such as memcached or Elasticsearch running without a password. Multiple VPCs can be used to achieve further isolation between different layers or parts of the application(s).

Pro Tip : Use a NAT gateway for outbound connections from servers to implement traffic controls for outbound traffic.

2 Perimeter Security Controls

Once a VPC is defined and the network is isolated, it's important to define ingress. Ingress is required both for customers to access the application and for internal users to access the servers.

A VPN is considered the perfect companion to a VPC, allowing internal users to access servers over SSH/RDP or to reach internal applications such as an admin panel. However, a VPN for end users doesn't scale, and this is where a well-configured Load Balancer (LB) helps with security as well as performance. Typically, haproxy with no stick tables is a good tool for ingress control.

Pro Tip : Avoid firewall devices for incoming HTTP connections at scale; they can slow down your traffic. Always rely on haproxy/nginx type software load-balancers, which can proxy traffic to the backend servers.

3 Role Based Access Control (RBAC) for access to infrastructure

We have isolated the network and established a perimeter defence. We have also established a VPN to allow internal users access to servers. The big challenge now is that not all internal users are equal.

The premise that not all internal users are equal is the fundamental design principle behind Zero Trust systems.

An illustration of how Teleport works (image copyright to respective owners) (https://www.indivar.com/blog/how-to-setup-teleport-to-securely-access-your-servers/)

An important tool for achieving RBAC for access is Teleport, an open-source tool that provides zero trust access to servers and cloud applications over SSH, Kubernetes and HTTPS. Apart from access control, it also provides audit logs and session replay, both crucial for root cause analysis (RCA) when an issue occurs.
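
The access decision such a system makes can be shown in a few lines. The following is an added example, not Teleport's code or API: it models the shape of label-based RBAC (a role grants a set of OS logins on nodes whose labels match) with a default-deny decision and an audit record for every request. The roles, users, node names and labels are constructed sample data.

```python
"""Label-based RBAC decision for server access, modelled on the way a tool
like Teleport scopes SSH access by node labels and allowed OS logins.
Added illustration only: not Teleport's code or API.  Roles, users and
nodes below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Role:
    name: str
    logins: List[str]                   # OS accounts this role may log in as
    node_labels: Dict[str, List[str]]   # label -> allowed values, "*" = any


@dataclass
class Node:
    hostname: str
    labels: Dict[str, str]


# Constructed roles: developers deploy to staging only, DBAs reach database
# hosts in any environment as the postgres account, on-call gets root anywhere.
ROLES = {
    "dev":    Role("dev",    ["deploy"],         {"env": ["staging"]}),
    "dba":    Role("dba",    ["postgres"],       {"env": ["*"], "tier": ["db"]}),
    "oncall": Role("oncall", ["root", "deploy"], {"env": ["*"]}),
}
USERS = {"alice": ["dev"], "bob": ["dba"], "carol": ["dev", "oncall"]}
NODES = {n.hostname: n for n in [
    Node("web-stg-1",  {"env": "staging", "tier": "web"}),
    Node("web-prod-1", {"env": "prod",    "tier": "web"}),
    Node("db-prod-1",  {"env": "prod",    "tier": "db"}),
]}
AUDIT: List[dict] = []   # every decision is recorded, allowed or denied


def role_matches_node(role: Role, node: Node) -> bool:
    """Every label the role names must exist on the node with an allowed value."""
    for label, allowed in role.node_labels.items():
        value = node.labels.get(label)
        if value is None or ("*" not in allowed and value not in allowed):
            return False
    return True


def authorize(user: str, hostname: str, login: str) -> Tuple[bool, str]:
    """Default deny: grant only if one of the user's roles permits both the
    requested login and the target node."""
    node = NODES.get(hostname)
    if node is None:
        return False, "unknown node"
    for role_name in USERS.get(user, []):
        role = ROLES[role_name]
        if login in role.logins and role_matches_node(role, node):
            return True, f"allowed by role {role_name}"
    return False, "no role grants this login on this node"


def request_access(user: str, hostname: str, login: str) -> bool:
    """Decide and record the decision, which is what makes RCA possible later."""
    ok, reason = authorize(user, hostname, login)
    AUDIT.append({"user": user, "node": hostname, "login": login,
                  "allowed": ok, "reason": reason})
    return ok


if __name__ == "__main__":
    for u, h, l in [("alice", "web-stg-1", "deploy"), ("alice", "web-prod-1", "deploy"),
                    ("bob", "db-prod-1", "postgres"), ("bob", "web-prod-1", "postgres"),
                    ("carol", "web-prod-1", "root")]:
        request_access(u, h, l)
    for entry in AUDIT:
        print(entry)
```

The point to take from it is the shape of the decision: no role, no access; the label set is checked in full, so a node missing a label the role requires is denied rather than silently matched; and denials are logged alongside approvals.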

Pro Tip : A combination of Teleport with a VPN gives you a good implementation of a zero trust security system.

4 Malware/Vulnerability Scanning

Virus scanning is the absolute basic, but security practices need to focus on package vulnerabilities and malware scanning. Maldet and OpenVAS are two open source tools that generate malware and vulnerability reports. These tools give a lot of confidence at the server level.

Pro Tip : Use basic pentest tools like nikto to scan web servers.

5 Static Code Analysis to detect security issues, bugs etc

Assuming you have a protected server environment, it's important to implement a secure development guide. This ensures that developers don't use vulnerable libraries or coding practices that can create memory leaks and, in general, leave the platform vulnerable to compromise. Any open source code analysis tool can be used.

Pro Tip : Secure coding guidelines from OWASP can be used as a reference.
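
One concrete check a secure development guide can enforce in CI is that pinned dependencies are not below a known fixed version. The script below is an added example, not a tool the article recommends: it parses a requirements file, reports pins older than the advisory's fixed version and reports unpinned entries, which cannot be checked at all. The package names, versions and advisory IDs are constructed placeholders; a real pipeline would load the advisory list from a vulnerability database.

```python
"""Minimal dependency gate for a CI pipeline: pinned versions in a
requirements file are compared against an advisory list and unpinned
entries are reported.  Added example; the advisory IDs, package names and
versions are constructed, not real advisories."""
import re
from typing import Dict, List, Tuple

# Constructed advisories: package -> list of (first fixed version, advisory id).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("1.4.2", "EXAMPLE-ADV-001")],
    "toolkit":    [("2.0.0", "EXAMPLE-ADV-002"), ("2.3.1", "EXAMPLE-ADV-003")],
}

# Constructed requirements.txt content.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.3.0
toolkit==2.1.0       # inline comment
safelib==0.9.1
loosepkg>=1.0
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Simple dotted numeric versions only (1.2.3); pre-release tags are not handled."""
    return tuple(int(p) for p in v.strip(".").split("."))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return exact pins (name -> version) and the lines that are not exact pins."""
    pins: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def check_requirements(text: str) -> dict:
    """Flag pins below an advisory's fixed version; the gate passes only when
    nothing is vulnerable and everything is pinned."""
    pins, unpinned = parse_requirements(text)
    findings = []
    for pkg, ver in pins.items():
        for fixed_in, advisory in ADVISORIES.get(pkg, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append({"package": pkg, "pinned": ver,
                                 "fixed_in": fixed_in, "advisory": advisory})
    return {"vulnerable": findings, "unpinned": unpinned,
            "passed": not findings and not unpinned}


if __name__ == "__main__":
    result = check_requirements(SAMPLE_REQUIREMENTS)
    for f in result["vulnerable"]:
        print(f"{f['package']}=={f['pinned']} affected by {f['advisory']}, fixed in {f['fixed_in']}")
    for line in result["unpinned"]:
        print(f"unpinned, cannot be checked: {line}")
    print("PASS" if result["passed"] else "FAIL")
```

Treating unpinned dependencies as a failure is the design choice worth keeping: a range such as `>=1.0` means the build resolves to whatever is current at build time, so the check would otherwise pass today and silently change tomorrow.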

6 Host IDS system for your server

Now that all the artefacts for security are present, it's still important to implement tools that identify when something goes wrong and an intrusion happens. An IDS is supposed to stop unforeseen security events from escalating into a full-blown security issue through early detection and remediation.

An open source platform like Wazuh is geared towards threat detection, prevention and charting a response strategy.

7 Monitor, Monitor, Monitor

A security policy is an iterative document: you monitor logs from all your components and fine-tune the policies. A security policy is only as good as the monitoring of the components and of the policy itself.
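
Steps 6 and 7 come together in a detection rule run over real logs. The following is an added example, not Wazuh's rule set or anything from the article: it applies a sliding-window threshold to sshd authentication lines (many failed passwords from one source within a short window) and then raises a higher-priority alert if that same source later succeeds. The log lines are constructed; the threshold and window are the knobs you fine-tune as you monitor.

```python
"""Sliding-window brute-force detection over sshd auth log lines, the kind
of rule a host IDS applies and that you keep tuning from monitoring.
Added example, not Wazuh's rules; the log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List

# Constructed sample lines in the syslog format sshd writes.
SAMPLE_LOG = """\
Mar 10 09:15:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Mar 10 09:15:03 bastion sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 50130 ssh2
Mar 10 09:15:04 bastion sshd[2205]: Failed password for root from 198.51.100.7 port 50131 ssh2
Mar 10 09:15:06 bastion sshd[2208]: Failed password for root from 198.51.100.7 port 50140 ssh2
Mar 10 09:15:08 bastion sshd[2210]: Failed password for root from 198.51.100.7 port 50144 ssh2
Mar 10 09:15:10 bastion sshd[2212]: Accepted publickey for deploy from 10.8.0.12 port 41000 ssh2: ED25519 SHA256:constructed
Mar 10 09:15:12 bastion sshd[2214]: Accepted password for root from 198.51.100.7 port 50150 ssh2
Mar 10 09:20:00 bastion sshd[2230]: Failed password for deploy from 10.8.0.15 port 41100 ssh2
Mar 10 09:35:00 bastion sshd[2260]: Failed password for deploy from 10.8.0.15 port 41102 ssh2
"""

_TS = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(_TS + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_ts(text: str) -> datetime:
    # syslog carries no year; relative differences are all the window needs
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyse(lines: Iterable[str], threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Return alerts: 'ssh_bruteforce' when one source IP produces `threshold`
    failures inside `window_seconds`, and 'login_after_bruteforce' when a
    flagged IP later authenticates successfully."""
    attempts: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[dict] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            q = attempts[m["ip"]]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "ssh_bruteforce", "ip": m["ip"], "count": len(q),
                               "first": q[0].strftime("%H:%M:%S"),
                               "last": ts.strftime("%H:%M:%S")})
                flagged.add(m["ip"])
                q.clear()            # one alert per burst, not one per extra failure
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            alerts.append({"rule": "login_after_bruteforce", "ip": m["ip"],
                           "user": m["user"], "method": m["method"],
                           "at": parse_ts(m["ts"]).strftime("%H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the default threshold produces one brute-force alert for 198.51.100.7 and one follow-up alert for the password login that succeeded from the same address, while the two failures from 10.8.0.15 fifteen minutes apart stay below the bar. Lowering the threshold or widening the window makes the quieter source show up too, which is exactly the trade-off the monitoring loop in step 7 exists to settle.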

Conclusion

A security policy is a cornerstone of any online business, and these 7 steps are good building blocks of a comprehensive security policy.

Disclaimer : All recommendations provided are as is and should be evaluated carefully before implementing. I don't recommend any particular tool and the tools mentioned are something which I have used personally to good effect. Please do test before implementing it in your production environments.
