Cloud Security Best Practices
Arcane Strategies takes security seriously and may be obliged, by state and/or federal law, to enforce cloud security best practices for the protection of PII and PCI data. This may be required for, but is not limited to, sites accepting credit card payments or personal identification information, sites handling healthcare and patient data or bio-pharmaceutical and FDA-regulated data, and sites subject to government compliance or GDPR compliance. Arcane Strategies will make no exception, by client request or otherwise, toward ensuring compliance with regulations such as HIPAA, PCI, FDA CFR-21, Govt 508, or otherwise. As a service provider, Arcane Strategies does not accept responsibility for the hosting provider’s own responsibilities under the aforementioned compliance laws and regulations, nor under ISO, RFC, IA/IEC or ISA99 standards. Arcane Strategies is not an ISO certified cyber security service provider.
We understand that our clients often do not require the expensive services that accompany an airtight security plan for cloud security best practices. Where legally responsible, Arcane Strategies will require our security protocol, inclusive of your system and your services agreement with Arcane Strategies, to comply with regulations. Where not legally accountable, Arcane Strategies will not require any additional security standards but may recommend best practices, to be provided in written communication by email and/or support ticket response.
In environments where regulatory compliance is required (e.g. SOC1, SOC2, PCI-DSS), proper InfoSec policies will be drafted accordingly. For all other situations, at minimum, Arcane Strategies guarantees your system is secured by the following methods:
- Secure Keys and Passwords: Private/Public Keys and all passwords are only shared within Arcane’s network, through an encrypted password vault behind Arcane’s VPN and Arcane’s DevOps tool and/or your provider’s password vault (such as AWS Secrets Manager).
- Secure Handling of Data and Communications: Email communication which may contain PII data is sent through Arcane’s private mail server, which may be downloaded to encrypted mail clients on computers that maintain real-time security scans (product names withheld for your security) and which access mail only over private, secured networks through Arcane’s VPN. Application databases which may contain PII data are only accessed manually, by authorized engineers, on these same environments. Database backups containing sensitive data will never leave your network or hosting provider. Databases for non-sensitive data, such as informational websites, may be stored on Arcane Strategies’ central server, which is accessible only through Arcane’s VPN, BitBucket (security measures: https://www.atlassian.com/trust/policies/cloud-security), or an authorized staging server, where production data containing no sensitive information may be acceptable, and which employs 100% of the recommended and required security protocols detailed on this page. Arcane’s AWS environments are protected by Amazon Web Services’ data center security measures, as defined here: https://aws.amazon.com/security/
- Stack and Codebase Auditing: Our proprietary DevOps tool will run daily checks of your system’s entire server stack to identify security flaws in services, components, the database, and the backend codebase, and to offer a recommended resolution where feasible.
- Configure Security Group / Firewall: At minimum, your provider should offer a firewall through which Arcane can restrict access to only the required ports. Arcane will identify all unused ports and secure them through your security group, firewall, and/or iptables.
- Install Security Monitoring Services: Arcane will install remote monitoring, intrusion detection, and vulnerability scanning security services both on your server and through our remote monitoring server, which will alert our team in the event of an exploit and/or provide logs of vulnerabilities and exploits for future investigations. For your security, we will not publish this list but your representative may provide you more information upon your request.
- Configure Monitoring and Alerts for Service Downtime: This will keep our team notified, to take immediate action. In addition to monitoring through Nagios, we also employ frontend host tracker scanners, and host-specific up-time monitors such as AWS CloudWatch for automated event triggers.
- DDoS Prevention via IP Throttling: Arcane Strategies will configure your firewall to track and block IPs attempting brute-force or denial-of-service attacks on vulnerable ports.
Arcane Strategies will recommend the following cloud security best practices and security methods
As the client, you accept responsibility for any security breaches resulting from declining any of the following methods:
- Key authentication only: Arcane recommends disabling password authentication and permitting only key authentication for server access on applicable platforms (SSH/SFTP). Password authentication may be enabled temporarily (or permanently) at the client’s (your) request.
- Disable FTP Access: As SFTP provides the same file transfer functionality with greater security, we recommend not permitting FTP access.
- Secure Sockets Layer (SSL) encryption: Arcane recommends securing client web applications with SSL certificates (minimum SHA-256) for each public-facing FQDN, and will handle the installation and configuration of these.
- iptables / Firewall management: Arcane recommends restricting server and database access (SSH/SFTP/RDC and SQL) by IP, to known and secure sources only.
- Port Obfuscation: Arcane will recommend changing SSH/SFTP and RDC to run on non-standard ports.
- Disable Pingbacks: Many modern frameworks (e.g. Drupal and WordPress) ship pingback services that can be abused to mount DDoS attacks on your system. We recommend reducing the permissions on these files to 000, to prevent execution.
- Use Remote Mail Servers Where Necessary: Using local mail services for applications expected to send mass mailers may result in blacklisting (as a spam server), and proxying mail is a vulnerability likely to result in spamming exploits. We recommend using a mail service (e.g. SendGrid) for your mailers.
- Password Standards: Root passwords should be restricted in use and never used by the application (e.g. as the database user). No two passwords should be the same (SSH, MySQL, CMS), and all should meet Microsoft’s security standards: https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
- Maintaining an Updated Stack: Vulnerabilities in legacy systems are often publicized through release and upgrade notes and changelogs. Keeping the system updated reduces your exposure to them.
- Directory and File Permissions: Applications may require HTTPD user:group ownership of application files. The read/write/execute permissions of user, group, and others on your files and directories are an important security factor. Arcane Strategies recommends no higher than 755 permissions on directories and 644 on files. Permissions may change on a case-by-case basis.
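Several of the recommendations above (key authentication only, a non-standard SSH port, 000 on pingback handlers, and the 755/644 permission ceilings) can be audited on a host with a short script. The following is an added example written for this page, not Arcane Strategies’ DevOps tool; the sshd_config contents and web root are constructed fixture data, and the -perm / syntax assumes GNU find.

```sh
#!/bin/sh
# Audit helpers for the hardening items above. Example code for this page, not
# Arcane Strategies' tooling; the fixture below is constructed sample data.
# Each check returns 0 (pass) or 1 (fail). Run as root against the real paths
# (/etc/ssh/sshd_config, your web root) to audit a host. Needs GNU find (-perm /).

# sshd honours the FIRST occurrence of a keyword, so a later duplicate does not
# override it; head -n1 mirrors that. $1 = config path, $2 = keyword, $3 = default.
sshd_value() {
  v=$(grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print tolower($2)}')
  printf '%s\n' "${v:-$3}"
}
# Key authentication only: PasswordAuthentication no AND PubkeyAuthentication yes
# (sshd defaults are yes/yes, so an unset PasswordAuthentication fails the check).
check_key_auth_only() {
  [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] &&
  [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ]
}
# Port obfuscation: sshd not listening on the default port 22.
check_nonstandard_port() { [ "$(sshd_value "$1" Port 22)" != 22 ]; }
# Count entries looser than the 755 (dirs) / 644 (files) ceilings:
# /022 = any group/other write bit; /133 = that plus any execute bit.
count_loose_perms() {
  { find "$1" -type d -perm /022; find "$1" -type f -perm /133; } | wc -l | tr -d ' '
}
# Disable pingbacks: the handler (e.g. WordPress xmlrpc.php) must be mode 000.
check_pingback_disabled() {
  [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm 000)" ]
}
# Constructed fixture: two sshd_configs and a small web root with one loose file.
make_fixture() {
  d=$(mktemp -d) && mkdir -p "$d/app/wp"
  printf 'Port 2222\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$d/sshd_good"
  printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_bad"
  printf 'x' > "$d/app/index.php";     chmod 644 "$d/app/index.php"
  printf 'x' > "$d/app/upload.sh";     chmod 777 "$d/app/upload.sh"   # too loose
  printf 'x' > "$d/app/wp/xmlrpc.php"; chmod 000 "$d/app/wp/xmlrpc.php"
  chmod 755 "$d/app" "$d/app/wp"
  printf '%s\n' "$d"
}

# Demo over the fixture; each line reports PASS or FAIL for one recommendation.
FX=$(make_fixture)
for c in "check_key_auth_only $FX/sshd_good" "check_key_auth_only $FX/sshd_bad" \
         "check_nonstandard_port $FX/sshd_good" "check_pingback_disabled $FX/app/wp/xmlrpc.php"; do
  if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
echo "entries looser than 755/644 under $FX/app: $(count_loose_perms "$FX/app")"
rm -rf "$FX"
```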
Application Recommendations
- Password Encryption + Salt (where applicable): Arcane recommends always securing stored passwords with a proper hashing method, at minimum an MD5 hash plus a unique salt. As a hosting support service, we accept no responsibility for improper storage or handling of passwords on your site. We will gladly offer recommendations to your development team but accept no responsibility for implementation.
- API Authentication: Arcane recommends requiring, at minimum, basic authentication for all API requests, and rejecting unauthenticated POST/GET/PUT requests.
The details of some monitoring services have been kept private for your own benefit, as hackers with knowledge of the system are able to exploit those systems’ vulnerabilities more easily. Only existing clients with an active agreement may receive this information by phone. To learn more about our systems, or if you have questions about these cloud security best practices, please speak with your representative.