Being called super-picky is usually not a compliment. Super-picky implies that one is scrutinizing, making assessments, and holding high standards to a degree deemed unreasonable. Usually, no one wants to be around a super-picky person, because they would likely feel judged and develop paranoia and insecurities on multiple fronts. Being super-picky often creates toxic environments – just think of a time when you were micromanaged for an extended period, or when you were unfairly assessed simply for being different from what another person expected.
Super-Picky is often used as a negative term. However, I would like to broach a topic in which being super-picky is not only vital, it is Best Practice and the only approach that we should offer to our clients: Data Center and Cloud Security.
Data center and cloud security considerations and implementation is absolutely the place to be super-picky! The following phrases echo in my mind as I consider security within data centers and on the cloud:
Need to know only
Principle of least privilege
If you can’t access it, you can’t hack it
These phrases should be the mode of operation when it comes to security. Super-Picky Security in data centers and on the cloud is absolutely vital for very good reasons: we have extremely valuable data and services to protect. A few of the ways that super-picky security is implemented are through how we approach Authentication, Authorization and Accounting (AAA), how we configure Subnet and Server Security, and how we utilize Demilitarized Zones.
Authentication, Authorization and Accounting (AAA)
Every person in an organization should be scrutinized for what permissions and access they really need. Not every employee needs access to every service or server within the organization. Consequently, employees should only have access to what they absolutely need to do their jobs. Employees can be grouped based on their job functions, and these groups can be given access to specific services and servers. Employees who periodically need certain permissions can be granted them temporarily, for as long as they act in a particular role. When an employee is no longer acting in that role, the permissions should be terminated. Being super-picky when managing AAA can prevent unwanted or accidental actions that would likely have negative effects or consequences on an organization’s network.
Subnet and Server Security
Borders that isolate portions of our system, like subnets and the borders around our servers, can be configured to allow in only the traffic that is wanted. There isn’t a good reason to allow all traffic into a subnet or into a server if we already know which traffic needs access. Awareness is needed to consider and check that these borders are configured in a way which provides super-picky security.
For example, if we have a web server that is open to the public, we should only allow web traffic to enter. We should specify that HTTP/HTTPS traffic on ports 80/443 is the only traffic allowed. When we have virtual machines that are not open to the public but we want to access them from our home computer, we should specify this by only allowing SSH traffic on port 22 from our IP address. Setting up super-picky configurations for our subnets and servers decreases the chance that our servers will be hacked and is absolutely Best Practice.
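As an added example (not from the original post), here is a small Python checker that audits security-group style inbound rules against the two configurations just described: a public web server that accepts only HTTP/HTTPS, and a private VM that accepts SSH only from our own address. The rule tuple shape and the admin address 203.0.113.10 are assumptions made for this example.

```python
from ipaddress import ip_network

# Rule shape assumed for this example: (protocol, first_port, last_port, source_cidr).
# Allowed inbound service per role, as described above: a public web server takes
# only HTTP/HTTPS; a private VM takes only SSH, and only from our own address.
ROLE_SERVICES = {
    "public-web": {("tcp", 80, 80), ("tcp", 443, 443)},
    "private-vm": {("tcp", 22, 22)},
}

def audit_inbound(rules, role, admin_cidrs=()):
    """Return a finding for every rule that is broader than the role permits.

    rules:       iterable of (proto, first_port, last_port, source_cidr)
    role:        'public-web' or 'private-vm'
    admin_cidrs: networks that private-vm SSH may come from (ignored for public-web)
    """
    allowed = ROLE_SERVICES[role]
    admin_nets = [ip_network(c, strict=False) for c in admin_cidrs]
    findings = []
    for proto, first, last, src in rules:
        net = ip_network(src, strict=False)
        if (proto, first, last) not in allowed:
            # Catches "allow everything" rules (e.g. tcp 0-65535) and any port or
            # range that is not exactly the one service this role should expose.
            findings.append(f"{proto} {first}-{last} from {src}: not an allowed service for {role}")
            continue
        if role == "private-vm":
            from_admin = any(net.version == a.version and net.subnet_of(a) for a in admin_nets)
            if not from_admin:
                # SSH open to the world, or to anything wider than our own address(es)
                findings.append(f"ssh from {src}: not restricted to an admin address")
    return findings

# Constructed rule sets: the weak "allow everything" form beside the super-picky form.
WEAK_WEB = [("tcp", 0, 65535, "0.0.0.0/0")]
PICKY_WEB = [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0")]
WEAK_VM = [("tcp", 22, 22, "0.0.0.0/0")]
PICKY_VM = [("tcp", 22, 22, "203.0.113.10/32")]   # 203.0.113.10 is a documentation address (assumed)

if __name__ == "__main__":
    for name, rules, role in [("weak web", WEAK_WEB, "public-web"),
                              ("picky web", PICKY_WEB, "public-web"),
                              ("weak vm", WEAK_VM, "private-vm"),
                              ("picky vm", PICKY_VM, "private-vm")]:
        print(name, audit_inbound(rules, role, admin_cidrs=("203.0.113.10/32",)) or "OK")
```

Run it against an exported rule list to see which subnet or server borders still let in more than the one service they exist for.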
Demilitarized Zones
Demilitarized zones are public subnets that we can create for specific traffic only. Consider that the use of Virtual Private Networks (VPNs) for employees to access an organization’s network has become ordinary and vastly utilized. Super-picky security can be provided for VPN users by using Internet Protocol Security (IPsec). IPsec traffic can be confined to a demilitarized zone by configuring the security of the public subnet to only allow IPsec traffic on the appropriate port(s). Demilitarized zones can be used in many other ways as well. As in the example above, all of the web traffic could also be directed into a public subnet that is configured to only allow HTTP/HTTPS traffic on ports 80/443. With careful consideration and planning, we can use demilitarized zones to provide super-picky security.
In our transforming world, where many of our clients will add to their data center infrastructure and migrate to hybrid cloud and multicloud environments, Super-Picky Security is not only Best Practice, it is the only approach that we should take to secure our clients’ networks.
-written 3/13/22 -revised 3/17/22