These are basic user-level security best practices, that all users of SSC are expected to follow. It is your responsibility as a user of the IaaS services that you understand these recommendations. Contact our support if you have questions.
Username and passwords for instance access is not allowed. All users should use SSH keys.
- Generate key-pair using the Horizon cloud interface; or
- Locally generate the key-pair and import the public key
- Keep your private key safe.
- In case of managing passwords and secrets in the VM use Vault (https://www.vaultproject.io/) or similar projects.
- If you need help, contact at firstname.lastname@example.org.
Make use of “Security Groups” to restrict access to your VMs.
- By default all ports should be closed. This is the base state if no rules are defined.
- Try to restrict port access to smaller network ranges.
- Avoid the use of common standard ports (80, 8080, or mongoDB ports).
- Understand the requirements and only open ports for Egress (outgoing) or Ingress (incoming) as appropriate.
- if you need help, contact at email@example.com.
Keep your instances updated
- Update distribution packages regularly.
- Patch your VMs regularly.
- Avoid libraries, modules and packages that create problems with updates.
- Distro-sourced software packages may be old/unmaintained, compare with actual project.
- Use images with currently supported OS versions as much as possible (Ubuntu 14.04 -> Ubuntu 16.04).
- Avoid long running VMs
- Only use official distributions of the containers.
- Avoid untrusted third party containers
- Before starting the container read the container “composed” file.
- Patch your containers regularly.
- If possible avoid running privileged containers.
Network design for different applications in the same tenant
- If several distinct projects exist in the same tenant – create distinct private networks and switches to insulate them from each other.
- Prefer using internal networks for internal instance services, only expose something on the public network if it needs to be accessed from the outside.
- Keep your data separate from you compute units (VM or containers). This way you will not lose the data if the VM gets compromised.
- If required, it is possible to encrypt the data volumes in SSC. Important: it is not allowed to use SSC for sensitive data.
- The object storage in SSC allows to create private and public data buckets/containers. Unless required create private data buckets/containers.
- Restrict the exposed capabilities of outward-facing databases and APIs.
- Lock access down not only with security groups but also use non-default API credentials.