When working on cloud infrastructure, users' primary concern is usually getting applications up and running smoothly. However, while setting up and deploying enterprise databases, it is also important to build extensive and robust security measures that safeguard your system and applications before they are accessed by users or the public.
In this article, we will discuss the essential security measures to consider before deploying your applications to ensure your server infrastructure's safety. It is also important to ensure that any application you run on this infrastructure has a secure configuration from the start, rather than relying on ad-hoc measures that you must apply post-deployment.
This guide will focus on the most practical security measures to take while you set up your database server infrastructure. It is not an exhaustive list of everything you need to do to safeguard your servers, but it offers a baseline that you can build on.
With these fundamentals in place, you can develop a more tailored security approach over time that meets the specific needs of your enterprise environment and applications.
SSH Keys
Secure Shell, or SSH, is an encrypted protocol used to interact with servers securely. When working on a database server, you will likely spend most of your time in terminal sessions connected to the server through SSH.
The alternative to SSH keys is password-based server logins. SSH keys use encryption to offer a secure login to your server and are recommended for all users.
With SSH keys, a public and private key pair is created for authentication. The private key is kept secret and secured by the user, whereas the public key can be shared.
Diagram of SSH Keys
To configure SSH key authentication, you must first place the public SSH key in a directory on the database server. When the client connects to the server for the first time, the server demands proof that the user holds the related private key. It does this by generating a random value and sending it to the SSH client.
The SSH client then uses the private key to encrypt the response and sends the encrypted reply back to the server. The server decrypts the client's reply using the client's public key.
If the server succeeds in recovering the random value, the client possesses the right private key, and the connection is allowed without entering a password.
With SSH, every authentication type, including password authentication, is completely encrypted. However, when password-based logins are allowed, malicious users can make repeated attempts to access the server, especially when it has a public-facing IP address. With the computing power of modern-day systems, it is possible to automate these attempts and try combination after combination until the right password is found.
Setting up SSH key authentication lets you disable password authentication. SSH keys are more secure than passwords because they contain many more bits of data, which means an attacker would have to run through far more possible combinations to crack them.
Many standard SSH key algorithms are strong enough that they cannot be cracked by automated malicious code. For an appropriate choice of security administration modalities, you can also avail yourself of the services of external consultants.
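A check that password authentication really is disabled once keys are in place, as an added example that is not part of the original article. The function names and both sample configurations are constructed for illustration; the defaults used for `PasswordAuthentication` and `PubkeyAuthentication` are OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the article): audit sshd_config text read from stdin.
# Simplifications: only the global section is read (parsing stops at the first
# Match block) and Include files are not followed.

effective_value() {   # $1 = keyword, $2 = OpenSSH default value
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ || NF == 0  { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == tolower(key) {        # keywords are case-insensitive
            val = tolower($2); found = 1     # sshd keeps the first value it sees
            exit
        }
        END { print (found ? val : def) }'
}

audit_sshd_config() {   # one finding per line; returns 1 if anything is WEAK
    conf=$(cat)
    status=0
    pw=$(printf '%s\n' "$conf" | effective_value PasswordAuthentication yes)
    pk=$(printf '%s\n' "$conf" | effective_value PubkeyAuthentication yes)
    if [ "$pw" = "no" ]; then
        echo "OK   PasswordAuthentication no"
    else
        echo "WEAK PasswordAuthentication $pw (passwords can be guessed remotely)"
        status=1
    fi
    if [ "$pk" = "yes" ]; then
        echo "OK   PubkeyAuthentication yes"
    else
        echo "WEAK PubkeyAuthentication $pk (key-based login is disabled)"
        status=1
    fi
    return $status
}

# Constructed sample: the hardening line is commented out, so the default applies.
WEAK_CONF='Port 22
#PasswordAuthentication no
PubkeyAuthentication yes'

# Constructed sample: the first occurrence of a keyword wins.
HARDENED_CONF='PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes'

printf '%s\n' "$WEAK_CONF" | audit_sshd_config || true
printf '%s\n' "$HARDENED_CONF" | audit_sshd_config
```

On a live server, `sshd -T` prints the effective configuration, including defaults and included files, and is the authoritative check.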
Using Firewalls
Firewalls are hardware or software devices that control how network users access database services. They control what types of traffic are allowed in and out of the servers. An appropriately configured firewall ensures that only the services meant to be publicly available can be reached from outside the server network.
On a typical DBMS server, there may be many services running by default. We can categorize these into the groups below.
• Public services are accessible to anyone over the internet and may often be used anonymously. A web server that allows access to a website is an example.
• Private services should be accessed only by a limited group of authorized users, or from specific locations. Database control panels of the PhpMyAdmin type are an example.
• Internal services are accessible only from within the server. In this case, the service is not exposed to the public or the internet. A database that accepts only local connections is an example.
Firewalls help ensure that database access is restricted according to the categories above. Publicly accessible services can be left open to the internet, and private services can be restricted based on various criteria such as the connection type.
Internal services can be made completely inaccessible from the internet, and ports that are not in use can be blocked in the configuration. A properly configured firewall restricts access to everything on the database servers except the services deliberately left open.
Exposing only the needed pieces of software reduces the possibility of attacks on your DBMS servers and limits the components that are vulnerable to exploitation.
There are various firewalls available on Linux systems; you need to select the one that works best for you. Setting up a firewall may take only a few minutes and may only need to be done during the server's initial setup. For example, UFW is installed by default in many Linux distributions.
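The public, private and internal categories above translated into a UFW rule set, as an added example that is not part of the original article. The inventory format, the service names and the `203.0.113.0/24` admin range (a documentation address block) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): build UFW commands from an inventory.
# Inventory format (assumed here): name class port/proto [source-cidr]

ufw_rules_from_inventory() {   # inventory on stdin, commands on stdout
    echo "ufw default deny incoming"    # anything not listed below stays closed
    echo "ufw default allow outgoing"
    while read -r name class port source; do
        case "$name" in ''|'#'*) continue ;; esac    # blank lines and comments
        case "$class" in
            public)
                echo "ufw allow $port" ;;
            private)
                if [ -z "$source" ]; then
                    echo "ERROR: private service $name has no source range" >&2
                    return 1
                fi
                echo "ufw allow from $source to any port ${port%/*} proto ${port#*/}" ;;
            internal)
                # No allow rule at all: the default deny policy keeps it closed.
                echo "# $name ($port): no rule; bind the service to 127.0.0.1" ;;
            *)
                echo "ERROR: unknown class '$class' for $name" >&2
                return 1 ;;
        esac
    done
    echo "ufw enable"
}

# Constructed inventory. SSH is listed as a private service so that enabling
# the firewall does not cut off the administrator's own session.
SAMPLE_INVENTORY='web      public    443/tcp
ssh      private   22/tcp     203.0.113.0/24
dbadmin  private   8080/tcp   203.0.113.0/24
mysql    internal  3306/tcp'

# Print the commands for review; pipe the output to "sh" as root to apply them.
printf '%s\n' "$SAMPLE_INVENTORY" | ufw_rules_from_inventory
```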
Along with these measures, you can also use Virtual Private Cloud (VPC) networks for your infrastructure resources. VPC networks enable a more secure connection among resources because their network interfaces are inaccessible from the internet and from other parallel VPN networks in the cloud environment.
Given a choice between the two, using private networks rather than public networks for internal communication is preferred.