Security in Compute Engine

Instructions regarding secure configuration

System hardening

The security of your virtual machines (VMs) is paramount to ensuring the integrity of your infrastructure. The following are recommended measures to harden the security of your VMs:

Installation: Install only the packages required for your use case. Reduce the number of running services and use a minimal installation image if possible.
User management: Disable root login and use sudo for administrative tasks instead. Implement strong password policies and remove or disable unused users and groups. For secure authentication, we recommend using SSH keys.
File permissions and ownership: Verify permissions for system files and directories using tools such as chmod and chown. The sticky bit should be set for global directories, such as /tmp, and ensure that there are no non-root files in directories such as /bin, /usr/bin, and /sbin.
Firewall and ports: Use a firewall, for example with iptables or firewalld, and allow only necessary ports. Deny all access by default and whitelist only the necessary services. You can also use STACKIT Security Groups to allow only necessary ports.
Service management: Disable and stop services that are not needed. Run services only with the minimum required rights.
SSH hardening: Change the default SSH port and disable root login via SSH by setting “PermitRootLogin no” in the sshd\_config. Use SSH keys instead of passwords and disable empty passwords by setting PermitEmptyPasswords no.

You can find additional recommendations and guidelines at the following links:

Network isolation

The right network architecture is an essential aspect of ensuring the security of your virtual machines (VMs). An important part of this architecture is network isolation. When VMs are properly isolated in separate network segments, the risk of cross attacks and potential security breaches is significantly reduced.

Network isolation basics: Network isolation means that data traffic between VMs located in different segments is restricted or monitored. This is often achieved by setting up different virtual networks.
Importance of segmentation: By placing VMs with different security requirements on separate network segments, you prevent a compromised VM from easily accessing other VMs. This is especially important if some of your VMs handle sensitive data while others serve public web traffic or less secure applications.
Planning and implementation: When segmenting your network infrastructure, consider:
- Which VMs have the highest need for protection? Which ones could serve as entry points for attackers?
- Use virtual networks to separate traffic between VMs.
- Define clear rules about which VMs are allowed to communicate with each other and which are not. STACKIT Security Groups are a powerful tool for this.

Once implemented, network isolation should be regularly reviewed and adjusted. Monitor network traffic for anomalies and perform regular security checks to ensure that segmentation is still effective. For example, a common scenario might be one VM for payment traffic and another VM for an online store’s general web application. It makes sense to isolate these VMs on different network segments to prevent an attacker who gains access to the web application VM from easily accessing the payment VM. Network isolation is a powerful tool to increase the security of your VMs. It significantly restricts the movement of potential attackers within your network, protecting your most valuable and sensitive data.

Access control

Access control is a key element in ensuring the integrity and security of virtual machines (VMs). Without careful control mechanisms, sensitive data could be compromised or systems sabotaged.

Key aspects of access control: At its core, this is about ensuring that only authorized users can access resources and perform actions, while unauthorized users are restricted accordingly.

VM Management Console (Portal):
- Access restriction: Strictly limit access to the management console. This is the heart of your VM environment from which all VMs are managed.
- Multi-factor authentication: Consider implementing multi-factor authentication (MFA) for access to the VM and the STACKIT Portal . More on this in chapter: Authentication mechanisms
VM creation and modification (Portal Permissions):
- User roles: Ensure that only specific users are allowed to create, delete, or modify VMs. This prevents inexperienced or unauthorized users from making critical mistakes.

In the area of Training and Awareness, it is essential to ensure that all users involved in VM management are properly trained and understand the importance of access control. It is also advisable to conduct regular reviews of access rights and adjust them as necessary. Careful access control is essential to ensure the security and proper operation of VMs. It protects not only against external threats, but also against internal errors or misuse.

Data encryption

Encryption of data is an essential tool to ensure confidentiality and integrity in VM environments. It protects data from unauthorized access and ensures that only authorized entities can read or modify it.

Basics of data encryption: The idea is to convert data into a form that cannot be read without a special key. Only with this key can the data be restored to its original state.
Encryption of data at rest (at-rest): For optimal protection of your data, consider volume encryption technologies such as LUKS or BitLocker. This allows you to encrypt entire volumes or individual partitions, protecting data on stolen or lost VMs. In addition, some operating systems offer file system encryption, which allows you to individually encrypt specific directories or files. This is especially recommended for very sensitive data. STACKIT always uses encryption of VM volumes of data at rest (at-rest). This encryption is transparent to the VM.
Encryption of data during transmission (in-transit): To ensure security when transferring data over networks, especially on the Internet, it is recommended to use protocols such as TLS. In addition, for secure remote access to VMs and connecting VMs over insecure networks, a virtual private network (VPN) or zero trust concept is particularly advisable.
Key management: A crucial aspect of data encryption is the secure handling of encryption keys. It is essential to store keys securely and allow access to them only to trusted individuals. In addition, you should change keys regularly, always making sure to securely delete old keys.

Backup and restore

Continuous backup and the ability to recover quickly are key aspects of ensuring the integrity and availability of your virtual machines (VMs). Here are some recommended practices:

Backup planning: It is critical to set a schedule for regular backups. Depending on your business needs, this could be daily, weekly or monthly backups. You should distinguish between full and incremental backups. While a full backup creates a complete copy of all your data, incremental backups only record changes made since the last backup.
Backup objectives: It is advisable to store backups in multiple physical locations to guard against site-specific disasters. In addition, consider the benefits of cloud backup. This offers not only flexibility, but also scalability and could therefore be ideal for your requirements.
Recovery process: It is essential to define clear recovery objectives. These include the Recovery Time Objective (RTO), which describes the target recovery time, and the Recovery Point Objective (RPO), which defines the acceptable data loss. To ensure the reliability of your backup solution, you should perform regular tests. These will ensure that recovery is not only successful, but also within the established objectives.
Security Considerations: When implementing backups, it is essential to pay attention to appropriate security mechanisms. Encrypt your backups to ensure optimal protection of your data during both storage and transfer. In addition, access control is essential: only authorized users should have access to backup data and the associated tools.

An efficient backup and recovery strategy is essential to ensure the continuity and integrity of your VMs. It not only protects against data loss, but also enables fast recovery in the event of a system failure or other unexpected events.

Monitoring and Logging

When working with VMs, monitoring and logging are crucial. They help us quickly identify problems and security risks. Below are guidelines for effective VM monitoring and logging:

Continuous monitoring: a robust monitoring system should be implemented that constantly checks the status and activities of VMs. This enables early detection of problems and optimal system performance.
Comprehensive logging: All relevant activities and system events within the VMs should be accurately recorded. Complete documentation makes it possible to determine in retrospect which actions were performed and when.
Secure storage of logs: The logs created should be stored securely and protected from unauthorized access. This ensures that the data in the logs remains unchanged and confidential.
Regular review: A process should be established to review the logs on a regular basis. This helps identify early signs of security anomalies or technical errors.
Automatic notifications: Your monitoring system should be able to send automatic notifications when critical or suspicious events occur. This allows for immediate response and prevention of potential damage.

With these policies, you can not only increase the security of your VMs, but also proactively respond to potential risks and ensure the integrity of your data.

Patch Management

Patch management should be an integral part of any IT security strategy, especially in the context of virtual machines (VMs) and their guest operating systems. Here are some recommendations for effective patch management:

Automatic updates: Some guest operating systems offer automatic update features. Enable them to benefit from continuous security improvements. But beware: automatic updates are not always ideal for critical systems or applications. In such cases, manual review and approval of patches is recommended.
Test environment: Implement a separate test environment similar to the production environment. Test all patches here before applying them to the live environment. This minimizes the risk of system failures or incompatibilities after patching.
Patch rating: Not all patches are equally critical. Therefore, evaluate the urgency of each patch based on the information provided by the vendors and your system environment. For example, critical security patches should have the highest priority.
Scheduled updates: Set fixed times for patching to minimize disruption during working hours. Inform users and stakeholders in advance about planned downtime or possible restrictions. Also, consider a zero-downtime architecture to completely prevent any negative impact on users.
Logging and documentation: Keep detailed records of all patch activities, including date, time, affected systems and possible incidents. This facilitates future audits and remediation.
Backup: It cannot be stressed enough how important it is to back up before patching. This provides a safety net in case a patch has unwanted side effects or causes problems. An appropriate rollback strategy should be in place for this.
Continuous training: Technologies and threats are constantly evolving. Therefore, invest in regular training for your IT team to ensure they are aware of the latest patch management best practices.

Consistent patch management is an essential part of your security strategy and helps secure your VMs against current and future threats.

Anti-Malware

In today’s networked world, VMs (virtual machines) are constantly exposed to security risks and malware attacks. Therefore, solid anti-malware protection is essential. In addition to basic installation, you should follow best practices for anti-malware strategies. Here are some recommendations for effective implementation and maintenance:

Select the right solution: choose anti-malware software specifically designed for use in virtual environments. This ensures minimal performance impact while still providing reliable protection.
Automatic updates: Enable the automatic definition updates feature to ensure your VMs are always protected from the latest threats, or use anti-malware software that constantly communicates with the anti-malware backend via an agent for detection.
In general, it is recommended to rely on a modern EDR/XDR (Endpoint Detection & Response) solution.
Regular scans: In addition to real-time protection, you should run regular, scheduled malware and vulnerability scans to ensure that no infections or vulnerabilities go undetected.
Isolate infected VMs: When malware is detected, isolate the affected VM to prevent the threat from spreading.
Quarantine and reporting: Ensure that your solution automatically quarantines malicious files and provides detailed reports on malware detection and treatment.
Integration with other security tools: Some anti-malware solutions offer integration capabilities with other security tools, such as intrusion detection systems or security information and event management (SIEM) systems. Leverage these capabilities for a comprehensive security architecture.
Training and education: The human element is often the weakest link in the security chain. Regularly educate your team about the risks of malware and how to avoid it, for example, by being careful with email attachments or visiting insecure websites.
Backup strategy: ensure regular backups of your VMs. This will allow you to return to a clean state more quickly in the event of a serious malware attack.

A well-thought-out anti-malware strategy is essential to ensure the integrity and security of your virtual environments and not compromise business operations.

Guidelines and Documentation

Ensure that you have clear security policies for VMs and that these policies are regularly reviewed and updated. Document all security measures and procedures.

Practical implementation examples for system hardening (Linux)

OpenSCAP (Open Security Content Automation Protocol) is a set of open source tools to automate security policies and regulations in IT systems, especially in Linux environments. It provides means for evaluating, auditing, and complying with security policies.

Here are basic instructions on how to use OpenSCAP for some common operating systems:

Installation of OpenSCAP

Red Hat Enterprise Linux (RHEL)/CentOS:

sudo yum install openscap-scanner scap-security-guide

Fedora:

sudo dnf install openscap-scanner scap-security-guide

Debian/Ubuntu:

sudo apt-get install openscap-utils scap-workbench

Selection of a safety guide

For RHEL/CentOS and Fedora, you can use prebuilt profiles from the scap-security-guide package. For example:

ls /usr/share/xml/scap/ssg/content/

This will show you a list of available security policies. You can find more examples and information here:

Carrying out a safety assessment

Use the oscap command to perform an evaluation. Example for RHEL 7:

sudo oscap xccdf eval \--profile xccdf\_org.ssgproject.content\_profile\_standard --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Here is:

--profile: The requested security profile.
--results: The location where the results should be stored.

Analyze results

The results are stored in XML format that can be analyzed with various tools, including OpenSCAP Workbench, a GUI tool that visually displays the results.

Automatic compliance with security policies

Some profiles also provide remediation scripts that can automatically perform corrections. However, caution is advised because such scripts can change system settings and potentially affect services or applications.

More information

The OpenSCAP documentation is an excellent resource and provides detailed guidance on all available features and how to use them.

In summary, OpenSCAP allows administrators to automatically assess and maintain security policies in their systems. Through regular reviews and adjustments, you can ensure that your systems remain compliant and secure.

Information sources on known vulnerabilities and update mechanisms

Sources

Common Vulnerabilities and Exposures (CVE) . Here, known security vulnerabilities are recorded centrally and assigned a unique number (CVE ID).
National Vulnerability Database (NVD) . The NVD is a database maintained by the U.S. government that enhances CVEs by analyzing, evaluating, and providing additional information.
BSI - Bundesamt für Sicherheit in der Informationstechnik . The BSI provides regular warnings and information on current security vulnerabilities and risks.
CERT-Bund Meldungen . The Computer Emergency Response Team for Federal Agencies provides regular alerts and information on current security vulnerabilities.

Update mechanisms

Most modern operating systems and software applications have built-in update mechanisms that automatically check for updates. Examples are “Windows Update” for Windows systems or package managers like “apt” for Debian-based Linux distributions.

Patch Management Tools

There are several tools and systems specifically designed to automate and facilitate patch management. Examples are WSUS (Windows Server Update Services) for Windows environments or tools like Red Hat Satellite for Red Hat-based systems.

Error handling and logging mechanisms

Automated monitoring and alerting: Use system monitoring solutions such as Prometheus (for example, together with STACKIT Observability) to monitor system states in real time and send notifications when problems occur.
Graceful degradation: a system should be designed to continue to function (at least to a limited extent) even in the event of partial failures.
Retry mechanisms: For intermittent failures, such as network problems, the system should automatically retry before reporting an error.
Exception handling: In software applications, any possible error condition should be detected and properly handled to avoid a complete system crash or data loss.
Backup and recovery strategies: Regular backups and tested recovery processes are essential to prevent data loss.
Centralized logging: use centralized logging solutions such as ELK Stack (Elasticsearch, Logstash, Kibana) or Grafana Loki (for example, together with STACKIT Observability) to collect, analyze and display logs from different systems in one place.
Detailed logging: Log both successful and failed actions to have a complete overview of system activities.
Log rotation: Ensure that log files are regularly rotated and archived to avoid storage space issues, but also to have a history for forensic analysis.
Secure storage: log files often contain sensitive information. Make sure they are stored securely and protected from unauthorized access.
Time synchronization: use services such as NTP to ensure that all systems on the network are time synchronized. This is essential for accurate logging and error analysis.
Anomaly detection: advanced logging solutions can point out anomalies or unusual patterns in logs, which is often an indicator of security breaches or system failures.
Regular Review: It is not only important to collect logs, but also to review them regularly to determine if there are any undetected problems.

It is important to emphasize that both error handling and logging mechanisms should be regularly reviewed and updated to adapt to ever-changing requirements and threats. In addition, every employee should be informed about the processes and protocols in case of a detected error or security incident.

Authentication mechanisms

Authentication is an important process to ensure that only authorized users have access to resources. In the context of virtual machines (VMs), several authentication mechanisms are available. Here are some common methods:

Username and password: This is the most common authentication mechanism, where a user enters a username and password to gain access. It is especially important to use a secure and appropriately complex password here. Each password should only be used for a single access.
SSH keys: Especially for Linux VMs, it is common for users to authenticate themselves with SSH keys instead of passwords. A user creates a key pair (public and private key) and deposits the public key on the VM. The private key is used to securely log in to the VM.
Multi-factor authentication (MFA): This requires two or more authentication methods. This could be a combination of something the user knows (password), something the user has (token or smartphone app). MFA can be implemented with centralized network-based authentication services, for example.
Role-Based Access Control (RBAC): In this method, users or groups are assigned specific roles. Each role has defined permissions. This helps control access to VMs based on the user’s role. RBAC can be implemented with a central network-based authentication service, for example.

The following authentication mechanisms can be used on the management interface of STACKIT, the portal:

Username and Password: The standard approach for the customer account and management dashboard.
Multi-factor authentication (MFA): STACKIT offers the ability to connect a customer IDP, which can then be configured to use MFA.
API Tokens: For developers who wish to use the STACKIT API, API tokens are available and are used to authenticate to the API.

Role and rights concept, including risky combinations

STACKIT Portal

The role and rights concept that is applied within the STACKIT Portal can be found under the following links:

Project permissions

Management of service accounts and API tokens is described here:

Access to service accounts and API tokens can be managed according to the role and rights concept.

It is important to identify and prevent potential risky combinations of roles and rights. Some examples are:

A user with both Owner, Admin and Member roles could inadvertently impact productive systems.
The combination of application user and developer rights can lead to unwanted changes in the production environment.

To avoid such risks, role crossing should be avoided and regular audits should be carried out.

Compute Engine

The present role and rights concept serves as an example of effective and secure management of users and resources on virtual machines at the operating system level.

User roles

The following roles could be defined for managing the VMs at the OS level:

Root/Administrator:
- Full access to the entire system and all files.
- Can manage user accounts and rights.
- Responsible for system maintenance and updates.
Standard User:
- Has limited access to the system.
- Can only manage your own files and applications.
- No access to system-critical resources.
Guest Users:
- Very limited access, mostly read only.
- Cannot make changes to the system or files.

Rights assignment

Root/Administrator: Full access (CRUD – Create, Read, Update, Delete) to the entire system.
Standard user: Read, Limited-Create (for example personal files), Limited-Update (own files only).
Guest User: Mostly read access only.

Risky combinations

Risky combinations at the OS level could include:

Excessive root access: Using the root or administrator account for everyday tasks increases the risk of unintentional system changes.
Uncontrolled elevation of privileges: Granting too many privileges to standard users can compromise system security.

It is recommended to follow the principle of least privilege: users should only be granted the minimum necessary rights for their tasks. An effective role and rights concept at the OS level is essential for the security and integrity of virtual machines. It is important to conduct regular audits and ensure that user roles and rights match actual needs.

Services and functions for administration of the cloud service by privileged users

Various services and functions are available within the administration of STACKIT. STACKIT offers the ability to create service accounts specifically intended for privileged users. These accounts are used to use the STACKIT APIs automatically. By using User Access Tokens (UAT), it is possible to administer the infrastructure and interact directly with the IaaS layer (OpenStack). UATs can also be created and managed by privileged users.

Information about service accounts and UATs: