Infrastructure & Application Security - Recommendations

Backups

All product databases must be regularly backed up to an offsite, at least once daily, to Azure or equivalent cloud location (not reachable from the same network and credentials, to protect from malware and ransomware attacks).

Network Security

All product installed VMs must be protected with secured Firewall, that allows only port 443 to internet
Only Hybr Website VM should have port 443 opened and accessible from outside (internet) via FireWall and FrontEnd Subnet and Load Balancer. No other port(s) of HYBR should be exposed via internet to outside such as RDP.
No other ports should be exposed to outside (internet), except in the following cases:
- Hybr using Console Connect Feature with multiple RDP Gateways (Guacamole)
  - List the specific ports required to be open for this and allow those only to the respective VM Ip Address
All product APIs must be inside a secured backend subnet, behind firewall. Only accessible to each other inside the secured backend subnet and from HYBR Website VMs from frontend subnet. No services or VMs from backend subnet should be reachable from outside (internet).
- Only Exception is when there is an external integration with HYBR API or Billing API. And in these cases, enable Access via external facing Load Balancer and Firewall to ONLY specific Remote IP Address and specific ports that needs access to these service APIs.
SQL Server VM(s) must be behind a secured firewall in the backend subnet.
- At NO circumstances ANY SQL VM Ports should be reachable from outside (internet). Ensure special consideration is given to review firewall rules to explicitly DENY ALL ACCESS TO SQL SERVER VM Ip Address from internet.
- Only specific IP Address from frontend subnet for HYBR Website VMs and specific IP Address from backend subnet for other services and APIs should be allowed to ONLY SQL SERVER PORT TCP 1433.

Secured Configuration

All APIs must be configured to use ONLY HTTPS
All web.config and application configuration settings must be encrypted
All secured settings stored in the database must be encrypted

Monitoring

Set up alerts for critical infrastructure and services such as
Disk Free Capacity for VMs and SQL Server Data
- Windows Service Status
- IIS Website Status for all web applications and APIs

SQL Server DB Maintenance

Ensure scheduled tasks exist for controlling Log file growth, in conjunction with backup tasks
Periodic review of SQL Server Disk free capacity and performance optimizations such as using SSD disks and so on
Cloud Assert Database and log files need to be stored in non-System drive
Failover cluster:
- SQL Server Failover Clustering must be configured for all production workloads and proper monitoring must be configured to take required action(s) when there is failover

PreviousCost Management

Last updated 1 year ago

Was this helpful?

Infrastructure & Application Security - Recommendations

Backups

All product databases must be regularly backed up to an offsite, at least once daily, to Azure or equivalent cloud location (not reachable from the same network and credentials, to protect from malware and ransomware attacks).

Network Security

All product installed VMs must be protected with secured Firewall, that allows only port 443 to internet
Only Hybr Website VM should have port 443 opened and accessible from outside (internet) via FireWall and FrontEnd Subnet and Load Balancer. No other port(s) of HYBR should be exposed via internet to outside such as RDP.
No other ports should be exposed to outside (internet), except in the following cases:
- Hybr using Console Connect Feature with multiple RDP Gateways (Guacamole)
  - List the specific ports required to be open for this and allow those only to the respective VM Ip Address
All product APIs must be inside a secured backend subnet, behind firewall. Only accessible to each other inside the secured backend subnet and from HYBR Website VMs from frontend subnet. No services or VMs from backend subnet should be reachable from outside (internet).
- Only Exception is when there is an external integration with HYBR API or Billing API. And in these cases, enable Access via external facing Load Balancer and Firewall to ONLY specific Remote IP Address and specific ports that needs access to these service APIs.
SQL Server VM(s) must be behind a secured firewall in the backend subnet.
- At NO circumstances ANY SQL VM Ports should be reachable from outside (internet). Ensure special consideration is given to review firewall rules to explicitly DENY ALL ACCESS TO SQL SERVER VM Ip Address from internet.
- Only specific IP Address from frontend subnet for HYBR Website VMs and specific IP Address from backend subnet for other services and APIs should be allowed to ONLY SQL SERVER PORT TCP 1433.

Secured Configuration

All APIs must be configured to use ONLY HTTPS
All web.config and application configuration settings must be encrypted
All secured settings stored in the database must be encrypted

Monitoring

Set up alerts for critical infrastructure and services such as
Disk Free Capacity for VMs and SQL Server Data
- Windows Service Status
- IIS Website Status for all web applications and APIs

SQL Server DB Maintenance

Ensure scheduled tasks exist for controlling Log file growth, in conjunction with backup tasks
Periodic review of SQL Server Disk free capacity and performance optimizations such as using SSD disks and so on
Cloud Assert Database and log files need to be stored in non-System drive
Failover cluster:
- SQL Server Failover Clustering must be configured for all production workloads and proper monitoring must be configured to take required action(s) when there is failover

PreviousCost Management

Last updated 1 year ago

Was this helpful?