..
Secure Infrastructure Design Interview Cheat Sheet
This is a rough checklist of the things to look out when securing an infrastructure. It is by no means a definitive guide and is meant to serve as a checklist for interview prep. Some would call this a 1000 ft view of the security of an infratructure. Additions to this checklist are welcome.
Disclaimer: I wrote this back when I was just starting out in the industry. Please point out stuff that you feel isn’t relevant given today’s security landscape.
Network
- Segment the network based on specific use cases/teams/applications/permissions.
- Establish L4 and L7 layer firewalls.
- Enable L4 DDoS protection.
- Add appropriate rules to filter the traffic.
- Add HTTP load balancing.
- Utilize Shared VPC or VPC peering for better segmentation.
- Protect Public DNS. Explore DNSSEC.
- Avoid creating massive subnets.
- Set up VPN access to cloud / private networks.
- Set up and monitor internet requests through a NAT gateeway.
- Restrict and monitor cross-environment communication.
- Make sure TLS >= 1.2 is deployed and correctly used across HTTP services.
Identity
- Bind roles to groups.
- Follow the principle of least privilege.
- Avoid using wildcards to assign permissions.
- Set up a managed identities system like AD or AWS IAM. Do not manually manage identities.
Data Protection
- Protect data using encryption. Avoid broken or deprecated ciphers and libraries.
- Control the access and usage of data via ACLs/Permissions/etc.
- Prevent and track data exfiltration. Deploy tools or VPC controls to track this.
- Deploy tools and measure that indetify and redact PII.
- Enforce the use of tools such as secrets manager (or others) to protect secrets.
- Make sure your code/secrets isn’t vulnerable to Google dorking.
- Create a secure data lifecyle policy (Storage -> Retention -> Versioning -> Deletion).
Security Operations / Vulnerability Management
- Deploy software scans for vulnerabilities.
- Setup appropriate logging, monitoring, and alerting mechanisms.
- Promote secure by default practices such a secure terraform modules, etc.
- Allow scanning or other security packages in CI/CD pipelines.
- Enable static analysis of code and IaC.
- Promote secure package and container image deployments via managed artifactories.
- Set up a standard suite of security integration tests.
- Enforce hardened OS images and secure boot.
- Create a mechanism to review audit logs.
Compliance
- Verify authN and authZ practices and access control.
- Review key management practices.
- Monitoring of compliance violations.
- Monitoring of network, identity, permissions, etc violations.