Core Security (root360)

Component description

The core security principles of all cloud environments implemented on root360's hosting platform closely follows AWS security principles as described in the "AWS Security Best Practices". This includes a strict "shared responsibility" models for all AWS services between “security of the cloud” and “security in the cloud”. See https://aws.amazon.com/compliance/shared-responsibility-model/

This includes, but is not limited to:

Scope

Security of the cloud

Security in the cloud

Responsibility

AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

root360' responsibility will be determined by the AWS Cloud services that are taken in managed service. This includes configuration work the of root360 as part of their security responsibilities. 

Details

  • Integration of secure global AWS infrastructure using

    • Regions,

    • Availability Zones and

    • Service Endpoints

  • AWS Load Balancers with implemented

    • detection and

    • prevention techniques

  • PCI-DSS readiness of several AWS Cloud services

  • Secure access strategy for multiple AWS accounts

  • Strong authorization policies for IAM users, groups, and roles e.g. use of instance profiles (IAM Roles) for EC2 instances

  • Protection of stored data by using standard encryption for e.g. S3, EBS, RDS

  • Protection of transferred data by enabling HTTPS by default

  • Only allowing encrypted OpenSSH access to each environment via a dedicated Bastion host.

  • Communication out of or into the cloud environment is through controlled security groups and network access control lists (NACL)

  • Permanently protected operating systems through strict security patch management policy based on master AMI (Amazon Machine Image) from OS vendors with long term support (Ubuntu 20.04 LTS or newer LTS version)

  • AWS Load Balancers with implemented detection and prevention techniques

  • Network-side separation of externally reachable and unreachable systems

  • Restrictive firewall rules between services

  • Restrictive network ACLs between network segments

  • PCI-DSS readiness (see https://root360.atlassian.net/wiki/spaces/KB/pages/2014351453)

 

 


Related tutorials