Environment separation
Development, test and production environments are segregated, and production data is not used in test environments.
Hardened network surface
- Public network exposure is restricted: inbound access to compute instances is limited, public SSH access is denied, and database instances are IP-restricted.
- Unwanted traffic is filtered at the network edge.
- Intrusion detection is enabled across our cloud infrastructure, with notifications configured so our team is alerted.
- Network flow logging is enabled, and access to logging storage is restricted to authorised users.
Secure configuration
- Infrastructure is built against documented secure configuration baselines.
- A password policy is enforced for infrastructure access.
- The cloud root account is not used for day-to-day operations, and root access requires multi-factor authentication.
Logging & retention
Server logs are retained for at least 12 months to support investigation and audit.