Cloud security is a partnership. As a secure cloud server company, we provide secure cloud hosting that takes care of physical security and the security of the platform that supports your virtual machines. If you use our management services, we also carry out security hardening and audits. But cloud users should also understand how to secure a cloud server to minimize the likelihood of security breaches and data theft.
In this article, we’re going to look at 9 steps you can take to improve cloud server security today.
See Also: Cloud Server Hosting
How to Secure A Cloud Server
Step 1: Complete a Cloud Server Security Assessment
Knowledge is power, and it’s impossible to secure a server unless you know what the risks are. The questions an assessment should answer include:
- Which software is the server running?
- How secure is the cloud platform?
- Which software versions are installed, and do they have any known vulnerabilities?
- What log-in and administration methods are used and are they secure: SSH, web control panels, and RDP all have potential weak-points
- Which data is stored on the server and does it reside on secure cloud storage? Particular attention should be paid to sensitive personal or commercial data.
- If a cloud server was compromised, how would you know? Automated malware and vulnerability scans can help.
The goal is to develop an understanding of potential security problems so that they can be addressed and mitigated.
Step 2: Implement Passwordless Logins
Even the most technically able people make mistakes where passwords are concerned. They choose easily-guessed passwords and often re-use passwords across websites and servers. Key-based logins are more secure, and they are not vulnerable to brute-force and dictionary attacks.
On Linux cloud servers, it is straightforward to configure SSH to use key-based logins. A key pair is generated on the server with the ssh-keygen command, and the public key copied to your local machine with ssh-copy-id. Once the keys are in place, disable password logins by adding the following line to the SSH configuration file (the location of this file depends on your distribution):
An additional step is disabling remote logins for the root account by editing the same file with:
Make sure you have an alternative non-root login account before disabling root logins, or you will be locked out of your server.
It is less straightforward to remove password logins from Microsoft’s Remote Desktop. However, it is possible to install an SSH server on Windows cloud servers and to use SSH key pairs for authentication. You may also want to consider using two-factor authentication.
Step 3: Shut Down Non-Essential Services
Each service that runs on a cloud server is a potential security vulnerability. Bad actors seek out services with zero-day vulnerabilities or out-of-date software to exploit, so it is more secure to shut down services that aren’t used. Why run a DNS service or a mail transfer agent you don't use.
On modern Linux distributions with the Systemd service manager, use the "systemctl list-unit-files --type=service" command to determine which services are running. Use "systemctl stop $nameofservice" to stop a service. Before disabling a service, research what it does to ensure that you don’t disable something vital.
Step 4: Encrypt Data at Rest
We have focused on cloud service security features and techniques to stop bad actors from compromising a server, but what if they manage to penetrate its defenses? The best cloud security has layers of protection, and encrypting sensitive data in secure cloud storage keeps it safe even if the server is breached.
There are two fundamental approaches to encrypting data in cloud storage solutions.
- Encrypt sensitive data before you upload it.
- Encrypt it on the server.
Most widely used databases are capable of encrypting data to a high standard. For example, MySQL offers field-level AES–256 encryption among other encryption techniques, and PostgreSQL offers a multitude of data encryption options.
Step 5: Encrypt Data In Motion
There is little benefit to encrypting data at rest on a secure cloud storage platform if you send it unencrypted over the network. Ideally, cloud users should employ end-to-end encryption and all data that travels to and from your cloud server should move over an encrypted SSL connection.
SSL—more properly known as TLS—uses SSL certificates and public-key cryptography to create a secure connection between points on the network. You can buy an SSL certificate from a certificate authority, or get one for free from Let’s Encrypt.
Step 6: Implement a Backup Solution
We don’t often think of backups in the context of security, but a reliable, automated, off-site cloud backup is the last line of defense against data theft, malware, and especially ransomware attacks. An attacker can’t hold your data to ransom if you can simply erase the compromised data and restore it from a backup.
ServerMania’s Cloud Backup Service is a secure and easy to use solution that can back up your entire server or specific storage devices and store your data in the cloud. All backed-up data is encrypted both at-rest and in-transit, and we offer record-breaking recovery times of 15 seconds or less.
Step 7: Regular Software Updates
Out-of-date software with vulnerabilities is the most common cause of security breaches. Updates can be inconvenient or even disruptive, but they are far less hassle than a hacked server. At the very least, cloud users should monitor their distribution’s security advisories—Red Hat’s, for example—and update as soon as fixes are available.
Step 8: Effective Data Deletion Policies
Data is a liability as well as an asset, especially given the strengthened data privacy regulations introduced in recent years, such as the EU’s GDPR and California’s CCPA. Even the most secure cloud storage is potentially vulnerable. If data stored in the cloud isn’t useful to your business, it should be deleted. And, you should be able to delete information quickly and efficiently if you receive a GDPR data deletion request or similar.
In the section on Cloud Server Security Assessment, we talked about the importance of understanding which data is stored on your server. That’s partly to ensure that it is adequately protected, but also so that you can delete it when appropriate.
Step 9: Secure Your Cloud Control Panel
Finally, don’t forget about your cloud control panel account. Ensure that you use a unique and hard-to-guess password because if an attacker gains access, they can bypass all of your security measures.
If you would like expert help with cloud-server security, consider our Empowered management package, which includes unlimited support requests, bi-weekly security scans, and proactive security patching.