Best Practices for IONOS Cloud Server Security Products

Virtual Machines (VMs) form the backbone of Infrastructure-as-a-Service (IaaS) products, providing flexible and scalable computing resources in the cloud. Ensuring the security of VMs is paramount to protecting your applications, data, and overall cloud infrastructure.

When discussing VMs, it's important to understand that the reference is not only to the server instance that consists of CPU and memory but also the attached devices that give access to networks through Network Interface Cards (NICs), block storage volumes that host your application or data, and the image the VM is booting from. This topic applies to IONOS Cloud server products—Compute Engine and Cubes—including all attached devices that access networks through NICs, storage volumes, and boot images.

Service provider's responsibility

The service provider's responsibility in computing instances lies in maintaining the underlying infrastructure, including the physical servers, virtualization layer, and hypervisor. IONOS Cloud is responsible for ensuring the availability, reliability, and performance of these components.

The service provider is also responsible for offering a secure and compliant platform. This includes implementing security controls at the infrastructure level, such as network security, host-based firewalls, and intrusion detection systems. The provider should also ensure that the hypervisor and VM management systems are appropriately secured.

However, it's important to note that the service user is responsible for securing the actual compute instances, which include the following:

  • configuring and managing access controls,

  • securing operating systems and applications, and

  • implementing proper security measures within instances.

By following best practices, such as regularly updating and patching compute instances, service users can mitigate security risks and maintain a secure computing environment within the public cloud infrastructure. The shared responsibility model ensures collaboration between the service provider and the service user, where each party contributes to the overall security of the compute instances and infrastructure.

Use secure and updated images

One crucial best practice for computing instances in a public cloud environment is regularly updating and patching your instances. This practice ensures that your instances have the latest security fixes and updates, minimizing the risk of exploited vulnerabilities. By staying up to date with patches, you enhance the overall security posture of your compute instances and reduce the potential for security breaches.

This routine applies regardless of whether you use public images offered by the service provider or private images uploaded by the service user. It also does not matter whether the instance booted from a block storage volume, an ISO image, or a network boot profile.

When provisioning VMs, start with secure base images provided by the IaaS provider or use trusted images from reputable sources. These images are typically preconfigured with security-hardened settings, reducing the attack surface. Regularly update the VM images to include the latest security patches and updates.

Stay vigilant about applying security updates and patches to your VMs. If VMs are not kept up to date, vulnerabilities can be exploited. Establish a patch management process to ensure timely updates, or consider utilizing automation tools for patch deployment.

Notably, this best practice applies not only to the operating system you are installing on your VM but also to all applications you are running on such an instance later. There is no difference between open source and commercial applications and applications developed by your organization. It is always advisable to address any security threat, regardless of its magnitude, immediately after a patch becomes available to minimize the risk of exploitation. Even when you are aware of a vulnerability within your image or application that does not have a fix available yet, you may need to consider a decision to pause or even decommission a service if the security risk is too high.

Apply least privilege access

The principle of least privilege access also applies to VM operating systems and to the applications deployed on them, such as databases. Your VM boots from an operating system in which user accounts must be set up so that people can log in and carry out further operation and configuration.

  1. Grant administrative access only to trusted individuals who require it, and use separate non-administrative accounts for day-to-day operations. Operating systems allow login with basic credentials such as a username and password (through a remote desktop connection or a terminal) as well as with Secure Shell (SSH) keys.

  2. IONOS Cloud offers a variety of public images. Each image requires at least one type of login: a password for the root/administrator account and/or a public SSH key. The root/administrator password is not persisted at IONOS Cloud, nor is it written to any log files. It is injected into the image and allows login to the VM as the root user. Because this uses the default root/administrator user of the respective image, it is recommended to create individual, personal accounts after the initial setup and to disable the default user account.

  3. While logging in with an SSH key is the recommended way of accessing the VM, it is advisable to configure at least one user with a username and password in case your VM is not reachable over the network and you need to access it through the remote console.
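One way to carry out the account setup described in these steps, as an added example that is not IONOS Cloud code: a script run once on the freshly provisioned VM that creates a personal admin account with key login and a console-only password, restricts sshd, and locks the image's default root account afterwards. It assumes a Debian/Ubuntu-style image with a sudo group and an sshd_config.d include directory.

```shell
#!/bin/sh
# Post-provisioning account hardening for a Linux VM booted from a public image
# (added example, not IONOS Cloud code). Assumes a Debian/Ubuntu-style system:
# the "sudo" group exists and /etc/ssh/sshd_config.d/ is included by sshd_config.
set -eu

# sshd drop-in: keep key login, turn off SSH password login and direct root login.
sshd_hardening_config() {
  cat <<'EOF'
# Managed by harden-vm.sh: key-only SSH, no root login, explicit allow list.
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowGroups sshusers
EOF
}

# Accept only public keys of the types we allow (ed25519 or RSA), so a pasted
# private key or random text never lands in authorized_keys. Returns 0 or 1.
valid_pubkey() {
  case "$1" in
    "ssh-ed25519 "*|"ssh-rsa "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create a personal admin account with key login, set a console-only password
# (for the remote console when the network is down), and apply the sshd drop-in.
create_admin_user() {  # username public-key
  user="$1"; pubkey="$2"
  valid_pubkey "$pubkey" || { echo "refusing key of unsupported type" >&2; return 1; }
  groupadd -f sshusers
  useradd -m -s /bin/bash -G sudo,sshusers "$user"
  install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
  printf '%s\n' "$pubkey" > "/home/$user/.ssh/authorized_keys"
  chown "$user:$user" "/home/$user/.ssh/authorized_keys"
  chmod 600 "/home/$user/.ssh/authorized_keys"
  echo "Set the console password for $user (used only via the remote console):"
  passwd "$user"
  sshd_hardening_config > /etc/ssh/sshd_config.d/50-hardening.conf
  sshd -t                                        # validate before reloading
  systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

# Close the image's default root login. Run this only after confirming, in a
# second session, that the new account can log in with its key and use sudo.
lock_default_root() { passwd -l root; }

# Subcommands, so the functions above can be sourced and checked without root.
case "${1:-}" in
  create) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; create_admin_user "$2" "$3" ;;
  lock-root) lock_default_root ;;
esac
```

Run as `sh harden-vm.sh create alice "ssh-ed25519 AAAA..."` on the VM, verify the new login from a second session, then `sh harden-vm.sh lock-root`.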

Enable firewall protection

Activate and configure the IONOS Cloud platform's built-in firewall capabilities to control incoming and outgoing network traffic to VMs. Remember the following:

  • Define strict rules to allow only necessary connections and protocols, blocking all others by default.

  • Restrict inbound network traffic to only essential ports and protocols, minimizing exposure to potential threats.

IONOS Cloud allows the configuration of firewall rules on each NIC individually.

For VMs that need to access the internet but must not be reachable from the internet, set up a Source NAT Gateway that masquerades the private network and its connected VMs from the public internet while still allowing the VMs to reach services outside the cloud. IONOS Cloud offers a NAT Gateway that allows individual and granular configuration of NAT rules, including selective enabling of IP endpoints and ports.

Regularly review and update firewall rules to align with your security policies. IONOS Cloud offers Flow Logs for each VM NIC. This service records network traffic and stores it in a configurable S3 Object Storage bucket. You can choose whether to record incoming or outgoing packets (or both) and whether to record accepted or rejected packets (or both). Based on this information, you can analyze whether your firewall rules are correct and efficient or whether changes to the existing configuration are required to ensure that only verified access is permitted.
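The per-NIC allow-list described above, as an added example that is not part of the original page: it activates the NIC firewall and creates two inbound rules through the IONOS Cloud REST API. The API version, resource paths and property names are assumptions to verify against the current API reference; the IDs and the jump-host address are placeholders.

```shell
#!/bin/sh
# Default-deny inbound firewall on one NIC through the IONOS Cloud REST API
# (added example, not IONOS documentation code). Assumption: the v6 resource and
# property names used here (firewallActive/firewallType on the NIC; name,
# protocol, sourceIp, portRangeStart, portRangeEnd, type on a rule); verify them
# against the current API reference. IDs below are placeholders.
set -eu
API="https://api.ionos.com/cloudapi/v6"
DC="${DC_ID:-<datacenter-id>}"; SRV="${SERVER_ID:-<server-id>}"; NIC="${NIC_ID:-<nic-id>}"
NIC_PATH="/datacenters/$DC/servers/$SRV/nics/$NIC"

# One allow rule. Source "any" omits sourceIp, which matches every origin. With the
# NIC firewall active, anything not matched by a rule is dropped, so the rule list
# is the complete inbound exposure of this NIC.
rule_json() {  # name protocol source-ip|any port-start port-end
  src=""
  [ "$3" = "any" ] || src="\"sourceIp\":\"$3\","
  printf '{"properties":{"name":"%s","protocol":"%s",%s"portRangeStart":%s,"portRangeEnd":%s,"type":"INGRESS"}}' \
    "$1" "$2" "$src" "$4" "$5"
}

# Switch the NIC firewall on for inbound traffic; outbound stays unrestricted here.
nic_patch_json() { printf '{"firewallActive":true,"firewallType":"INGRESS"}'; }

api() {  # method path json-body; the token comes from the IONOS_TOKEN variable
  curl -sS -X "$1" "$API$2" -H "Authorization: Bearer ${IONOS_TOKEN:?set IONOS_TOKEN}" \
    -H "Content-Type: application/json" --data "$3"
}

# Allow-list: SSH only from the admin jump host (TEST-NET-3 address, constructed),
# HTTPS from anywhere; everything else is dropped once the firewall is active.
apply_rules() {
  api PATCH "$NIC_PATH" "$(nic_patch_json)"
  api POST "$NIC_PATH/firewallrules" "$(rule_json ssh-from-jumphost TCP 203.0.113.10 22 22)"
  api POST "$NIC_PATH/firewallrules" "$(rule_json https-public TCP any 443 443)"
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```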

Network segmentation

In combination with the aspects above, design the network between your VMs carefully using private networks:

  • Not every VM requires an interface to the public network.

  • Isolate workloads by placing VMs in separate LANs so that only the applications that need to exchange data can reach each other.

  • Secure access through restrictive roles and firewall rules.

VM resilience

In today's digital landscape, where businesses rely heavily on the cloud for their computing needs, ensuring the resilience of VMs has become paramount. VM resilience refers to the ability of VMs to withstand and recover from disruptions, failures, and unexpected events while maintaining their critical functions. This topic explores the importance of VM resilience and provides valuable insights into enhancing the resilience of your VMs in a public cloud environment. When building and deploying VMs, adopting a "design for failure" mindset is crucial. Acknowledge that failures are inevitable, and plan your VM architecture accordingly.

You must make an important design decision when assessing the criticality or impact of your application downtime. The higher the impact, the more you will need to create redundancy in your application by distributing VMs across multiple availability zones or even in different data center regions to reduce the impact of failures. You can take advantage of the high availability features offered by your cloud provider. These features maximize uptime and resilience. They ensure that VM instances are distributed across fault domains, power sources, or data centers, minimizing the impact of localized failures on your applications.

IONOS Cloud gives you access to all its data center locations (list of data centers), which you can use to set up your infrastructure according to your requirements. Each data center listed in the document is a separate physical location within the metro region mentioned and is, therefore, several hundred kilometers apart from the others.

Each data center operates as a distinct entity without dependency on other physical data centers for power supply, emergency power, cooling, network connectivity, 24/7 operations, etc. This isolates each data center from local or wide-area events such as fire, flooding, regional power outages, or regional network outages. For security reasons, physical addresses are not published.

Each physical data center has a security building block architecture, which means that a set of physical hardware devices is built in blocks (clusters) to limit the risk of total failure. Distributing your workloads across building blocks is not possible; the architecture mainly serves the cloud service provider's operational security purposes. For example, if a gateway fails in one building block, it does not create network issues in other building blocks. Each building block has redundant service equipment to buffer failures of service components. Also, each building block has spare parts installed and configured in hot standby to replace failing servers or storage components immediately. The cloud service provider is entirely accountable for the frequent maintenance of the data centers, their building blocks, and service components.

IONOS Cloud Status publishes the uptime status and availability of all data centers. We recommend that you subscribe to this page to receive any updates. You can retrieve the status of every service available in that respective location, such as Compute Engine or IONOS Object Storage. The website also includes information on scheduled maintenance and current incidents, including an expected resolution time frame.

As a cloud service user, you may need to assess whether your workloads should be deployed across multiple physical data center sites. Select data centers that fulfill your needs regarding security (closer or further distance) and that are suitable for your business. Create an individual virtual data center per location and set up the required infrastructure (VMs, storage, network) in each one. You must establish connectivity across the data center locations through a public internet connection and secure the traffic with a virtual private network (VPN) configuration.

Each data center allows the provisioning of VMs in different availability zones, ensuring that the VMs are placed on separate host servers. The VMs remain within the same region but are separated from each other so that failures of a single piece of hardware (for example, a server kernel issue or PSU breakdown) or of a server rack (for example, a rack switch failure) can be mitigated by switching traffic to another instance running on different hardware within the same data center.

  • For this scenario, IONOS Cloud allows you to apply IP Failover Configurations that announce the IP to multiple nodes and let you define the primary VM. For more information, see IP Failover configurations.

  • The other VMs can be either in hot mode (up and running) or cold mode (shut down or de-provisioned):

    • In hot mode, you can instruct the gateway to switch traffic to another target, and operations continue within seconds. Hot mode also allows you to sync data from your primary instance to your secondary instance.

    • In cold mode, you need to start the VM before you can switch traffic by announcing the new route to the gateway. In this mode, data synchronization is impossible because the VM is shut down and, therefore, cannot receive data updates. A synchronization after the start may not be possible if the primary instance is not accessible. This mode is best suited for stateless applications and services.

Creating redundancy is not the only way to achieve resilience. Often, a VM becomes unresponsive because it handles too much workload and cannot process requests fast enough. In such cases, you can utilize auto-scaling capabilities to dynamically adjust resources based on demand, ensuring high availability even during peak loads.

There are two ways to auto-scale:

  1. You can scale vertically by adding resources like CPU and memory, which gives more power to your already running instance. IONOS Cloud allows you to add CPU and memory resources to almost all public and private images while the VM continues to run and does not have to be rebooted, which ensures your VM remains operational.

  2. You can scale horizontally, adding further nodes with the same configuration to your infrastructure. IONOS Cloud provides a VM Auto Scaling capability that monitors the workload of your VMs. It lets you define threshold limits that trigger events to scale your infrastructure and add or remove instances from your setup.

Utilize load balancing

Load balancers are critical in distributing traffic across multiple VM instances, optimizing performance, and increasing availability. By evenly distributing workloads, load balancers improve resource utilization and enhance resilience by redirecting traffic away from unhealthy or underperforming VMs.

IONOS Cloud offers two Managed Load Balancers: Network Load Balancer and Application Load Balancer. VM Auto Scaling also features a Managed Application Load Balancer as part of its services. For more information about associating an Application Load Balancer with VM Auto Scaling, see Associate an Application Load Balancer.

Monitor and analyze VM Logs

Enable logging for VMs to capture system and application logs, including security-related events. Centralize and analyze these logs to identify anomalies, detect potential security incidents, and respond proactively. Utilize security information and event management (SIEM) tools or log analysis services to gain valuable insights.

IONOS Cloud offers a Logging Service that collects logs from your VMs so that you can analyze data from multiple instances in a centralized repository and validate your security routines.

Enable intrusion detection and prevention

Deploy intrusion detection and prevention systems (IDPS) to monitor and protect VMs against malicious activities. IDPS solutions can detect and block unauthorized access attempts, malware, and other potential threats. Regularly update and configure IDPS rules to adapt to evolving security risks.

IONOS Cloud operates a Distributed Denial-of-Service (DDoS) protection service that is applied to all networks by default. It analyzes traffic and routes suspicious activity into a scrubbing service that filters malicious packets before they reach your virtual data center and its provisioned components, such as virtual servers. This service can be expanded with DDoS advanced protection, which permanently routes your traffic through the scrubbing platform and gives you access to network security resources for further consulting, proactive security monitoring, and threat mitigation. For more information, see DDoS Protect.

Regularly conduct vulnerability assessments

Perform regular vulnerability assessments and penetration testing on your VMs to identify and address potential security weaknesses. Utilize automated scanning tools or engage third-party security experts to assess the security posture of your VMs and applications.

IONOS maintains a vulnerability register to publish known vulnerabilities in its platform and links to external vulnerability registers from third parties it uses to provide the cloud service. Frequently visit the page and check for the latest news and updates on mitigation and solution fixes.

Conclusion

Enhancing the resilience of your VMs is crucial to maintaining the availability, performance, and continuity of your applications in the cloud. By designing for failure, implementing automated monitoring, utilizing load balancing and fault-tolerant architectures, leveraging high availability features, and implementing robust security practices, you can ensure your VMs are resilient in the face of disruptions.

Remember, VM resilience is not a one-time task but an ongoing effort. Regularly review and update your resilience strategies to align with evolving business needs and emerging technologies. Investing in VM resilience builds a strong foundation for your cloud infrastructure, enabling your applications to thrive in the face of adversity.

Implementing these security best practices for VMs in your IaaS environment can bolster the protection and resilience of your cloud infrastructure. Secure base images, least privilege access, firewall protection, disk encryption, monitoring logs, patch management, intrusion detection, and vulnerability assessments are essential components of a robust VM security strategy. The next topic will delve into securing data storage in the public cloud.
