Overview
This document provides a detailed overview of the security architecture we implemented for a medical service group on Amazon Web Services (AWS) and Microsoft Azure. It covers various facets of cloud server security - from initial setup to continuous monitoring and improvements, showcasing our comprehensive expertise in ensuring robust and secure cloud infrastructure.
Note: Information shared here are not confidential.
Private Virtual Private Network (VPN) Setup
We configured a private VPN using OpenVPN, a renowned open-source VPN software, allowing secure and remote access to the cloud servers. This VPN provides an encrypted tunnel, securing all the data in transit from potential eavesdropping.
Private Server and Public Server Local Area Network (LAN) Setup
We segregated the servers into two types: private and public, based on the nature of the data they handled and their exposure to the internet. We used AWS VPC (Virtual Private Cloud) and Azure VNet (Virtual Network) to establish these LANs.
Firewall Configuration
We set up network firewalls using AWS Security Groups and Azure Network Security Groups, controlling inbound and outbound traffic based on predetermined security rules. Furthermore, we installed host-based firewall solutions, like iptables, on each server for an additional layer of security.
Server and Network Traffic Hardening
All servers were hardened following industry best practices, including the least privilege principle, disabling unused services, securing SSH access, etc. For network traffic hardening, we utilized AWS Shield and Azure DDoS Protection Standard, offering seamless DDoS protection and mitigation.
Penetration Testing and Vulnerability Assessment (VA)
Regular penetration tests were performed using tools like Metasploit and Nessus, identifying potential vulnerabilities in the infrastructure. Upon discovery, the issues were fixed promptly.
Anti-Virus Software Installation
We installed server-grade anti-virus software on all servers. In AWS, we used AWS Managed Antivirus based on Trend Micro's technology. For Azure, we used Azure Security Center's Antimalware solution.
Whitelist IP Setup for Server and Web Service Communications
We utilized AWS Security Groups and Azure Network Security Groups to establish a whitelist of IP addresses. This method ensures only trusted entities can communicate with our servers and web services.
Access Log Server Configuration
To permanently store all access logs, we set up a separate server with Elasticsearch, Logstash, and Kibana (ELK stack). This setup not only stores logs but also enables advanced data visualization and analysis.
Backup Server and AWS Image Snapshot Setup
We configured a separate backup server to store application and database backups. The backup process leveraged Secure File Transfer Protocol (SFTP) for data transfer, ensuring secure and reliable backups. AWS's built-in EC2 Image Snapshot feature was used for daily image backups, providing another layer of data protection.
Secondary Cloud Infrastructure in Azure
To ensure high availability and disaster recovery, we mirrored the entire infrastructure setup on Microsoft Azure. The data synchronization was done using a secure FTP connection, safeguarding the data in transit.
Handshake Protocol Configuration
We implemented custom handshake protocols using AWS Lambda and Azure Functions, checking server health and database status. These protocols are capable of detecting potential attacks within 10 seconds, providing us with rapid incident response capability.
Conclusion
The successful implementation of this comprehensive cloud server security architecture showcases our profound expertise and ability to create robust, secure, and highly available infrastructures. We stand ready to leverage our skills to address your unique security needs and challenges, ensuring your cloud journey is safe, efficient, and fruitful.