6 Min read

In the new digital age, no business can function effectively without having applications that help them improve business efficiencies. This requires the businesses to rely on capturing and storing customers’ personal information in applications that are hosted on servers and which are connected to the internet.

The data so captured is not only crucial for the businesses but it is also their responsibility to manage the entire lifecycle of such data. The data stored resides on the servers (either cloud or bare metal) and it is an easy target for hackers if not managed correctly.

Some of the recent data breach incidents reported including the SBI Bank, in Mumbai, India, where customer phone numbers and bank account statements were leaked or the JP Morgan breach reported in San Francisco the US, which occurred in October 2014, where the hacker could transfer funds, disclose information and close accounts are cases which could have been easily avoided.

These attacks could have been prevented by implementing some simple standard practices along with automating the systems management and implementing strong monitoring systems.

At Kaleyra we take production data security as a key function across various teams and our various product lines. We process billions of data records every day, across our various platforms and it is very important for us to ensure that the data is protected.

The industry-standard data at rest and data at transit techniques ensure data security to some extent, but they do not guarantee complete safeguard of customers’ data. While there are a host of things that we implement at Kaleyra at various data plane levels to ensure data security, below are some of the techniques that could be used without much time and money investment, and which are very simple to implement.

1. Server hardening: This is one of the easiest approaches which can be followed to ensure a secure server environment. The server hardening broadly involves the following:

> Do not use default ports for any of the standard services.

> Do not enable root access on any of the servers. Always use a non-root user and create separate users for different purposes. Always follow the policy of least privilege while providing access.

> Audit software that is running on your server. Ensure that unnecessary software are uninstalled and all software is kept updated to their latest stable release version.

> Disable password-less and key-less login to servers.

> Ensure that the system firewalls (iptables) are configured.

2. Files and storage

> Ensure that the configuration files are always kept outside to the root folder of an application server.

> The configurations files should be stored encrypted.

> No connection or configuration details should be stored in any source control.

> The production disks including the file systems and database systems should be encrypted.

3. Automation and audit logging: One of the key essentials to managing a hybrid cloud application is to have a strong automation system implemented for all things related to server management. We have a homegrown tool that is used for activities like server management, deployments, scaling, etc. This has numerous advantages like

> Ensures that software and resources on all production systems have the same versions.

> Validates and enforces the correct configuration of standard system properties.

> Implementation and rollout of security considerations at scale.

> Performing regular audit checks on production systems at scale.

> Log each and every operation performed on production systems, with details including who made the changes, date, servers impacted, etc.

4. Automated scans and PenTesting: Regardless of what your security practice is, ensure that all production platforms go through a network penetration testing activity from a Cert-In impaneled 3rd party a few times a year. Set up an automated weekly scan on all production systems. The scans as a bare minimum should capture details related to TCP/UDP port scans, brute force password recovery, privilege escalations, etc.

5. Monitoring: Need to have a centralized monitoring system that tracks all system changes. System changes include software installations, uninstallation, updates, unauthorized login attempts to mention a few. This needs to be coupled with a notification mechanism that allows team members to act on situations quickly. Sending notifications on email or SMS may not elicit a quick response. These notifications need to be integrated with tools like a calling system or slack which draws immediate action.

Patch Management and Vulnerabilities: Setting up proper patch management is very important. Most of the recent vulnerabilities found are of critical severity and need immediate system upgrades. Some vulnerabilities likeSpectre, Meltdown,  Shellshock are not specific to a certain class of servers. The patch for these vulnerabilities needs to be applied across an entire production server farm. Having an automated patch management system in place is mandatory.

The above-suggested options are a good start towards achieving data security for the production systems of any organization. Organizations should consider data security as a key necessity irrespective of the nature of the business they are involved in. Having a dedicated budget and team is a need.