[This article was originally written by Kim Singletary.]
Unlike traditional servers, cloud servers are pretty susceptible to outside attack if the right preparations are not made. The art of Feng Shui looks at ways to harmonize existence with the surrounding environment. In many ways this ancient art can be applied to cloud servers, harmonizing the workloads for their cloud environment through secure configurations.
Starting a cloud server workload without proper configuration is like putting out a beacon alerting hackers to an easy mark. In fact, a CloudPassage study called The Gauntlet showed that even a novice hacker can compromise a poorly configured cloud server in a matter of hours.
Five important considerations provide common guidance for configuring cloud servers.
1-Verify tight hardening. Most cloud providers have a marketplace or catalog where master images can be obtained. These master images have usually been vetted and advertised as pre-hardened, but additional verification is always recommended.
2-Watch who and what is at the helm. Disable and limit account access on servers, and always limit root access. Monitor use of server accounts.
3-Configure out slack. Disabling unnecessary services and ports reduces the opportunity for exploits. Keep a lean profile.
4-Watch for drift. Manage drift from hardened configurations by tactfully patching. For even better cloud efficiencies, some companies forgo patching altogether and rely on refreshing from completely new server images each time.
5-Be on the continuous lookout for anomalies. Even when we are as diligent about security hygiene as possible, sometimes threatening situations still occur. Monitoring for file changes and configuration changes, like the addition of a user account, gives a more streamlined way to spot anomalous behavior so that it can be thwarted quickly.
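Points 4 and 5 can be sketched as a baseline comparison. The following is an added example, not code from the original article or from CloudPassage: it records accounts and file hashes from a hardened image, then reports account and file drift on the running server. The function names, the "svc" account and the sample file contents are constructed for illustration.

```python
import hashlib

def parse_passwd(text):
    """Return {username: uid} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts

def snapshot(passwd_text, files):
    """Build a baseline: accounts plus SHA-256 of each monitored file's bytes."""
    return {
        "accounts": parse_passwd(passwd_text),
        "hashes": {p: hashlib.sha256(d).hexdigest() for p, d in files.items()},
    }

def diff_snapshots(baseline, current):
    """List findings where the current state has drifted from the baseline."""
    findings = []
    for user, uid in sorted(current["accounts"].items()):
        if user not in baseline["accounts"]:
            findings.append(f"new account: {user} (uid {uid})")
        elif baseline["accounts"][user] != uid:
            findings.append(f"uid changed: {user} {baseline['accounts'][user]} -> {uid}")
        if uid == 0 and user != "root":
            findings.append(f"non-root account with uid 0: {user}")
    for user in sorted(set(baseline["accounts"]) - set(current["accounts"])):
        findings.append(f"account removed: {user}")
    for path in sorted(set(baseline["hashes"]) | set(current["hashes"])):
        old, new = baseline["hashes"].get(path), current["hashes"].get(path)
        if old != new:
            state = "added" if old is None else "removed" if new is None else "modified"
            findings.append(f"file {state}: {path}")
    return findings

# Constructed sample data standing in for a hardened image and a running server.
BASE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"
LIVE_PASSWD = BASE_PASSWD + "svc:x:0:0::/home/svc:/bin/bash\n"
BASE_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
LIVE_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}

def demo():
    return diff_snapshots(snapshot(BASE_PASSWD, BASE_FILES), snapshot(LIVE_PASSWD, LIVE_FILES))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real server the baseline would be captured from the freshly hardened image and stored off-host, so that a compromise of the server cannot rewrite it.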
Whether you believe in Feng Shui or not, sometimes the best advice comes from practical experience. You can end up being on the side of creating exertion or receiving the exertion. With a little diligence, creating the exertion to start from and keep secure configurations will be much better than being on the receiving side of what could happen if these workloads get exploited.