Security Measures guidelines
Personal data, and any other data that is subject to licenses/policies, need to be protected from threats in accordance with applicable legislation.
ONDA users shall make sure that critical data are fairly and lawfully processed, obtained for specific purposes only, and processed in a manner that is compatible with those purposes.
ONDA provided protection tools
ONDA users are provided with some tools that allow them to easily provision public cloud resources while being able to apply security measures appropriately:
- The default access mechanism provided to users cloud instances is exclusively via the provisioning of an SSH key handshaking, and only the user owns the private key. This enforces the protection against unwanted access to users systems even from the cloud provider personnel.
- Provisioned instances are protected by default by a security group functionality that provided traffic filtering. Security groups can be further customized by users for their resources in order to additionally create filtering rules based on their needs.
- Users are also provided with the possibility to provision private networks, allowing to self-provision applications within a private network infrastructure where segmentation of any type can be configured at the user choice (i.e. north-south vs east-west network security zones for multi-tier applications and controlled traffic).
- Access to ONDA datasets through the Advanced API usage (ENS) is only granted via the provisioned cloud resources, allowing to avoid credentials management from the user side, while enforcing for restricted access to the data to allow for and availability. Data is accessed via the use of a read-only exposed NFS protocol.
ONDA business support
ONDA users also have access to a series of pre-packaged or customizable support services for the operations of their provisioned resources. Support services can also include security related services such as engineering support for the design of a secure infrastructure that leverages on the available tools of the public cloud environment, and with the use of best practices for provisioning security protection functionalities within the customer environment.
Specific controls are to be implemented to manage and control remote access to user provisioned cloud resources.
In order to ensure protection of systems and private networks, users shall identify all the measures that need to be applied to make sure that systems and private networks are well protected.
Here are some suggested guidelines to be followed in order to achieve this:
- Vendor default accounts and passwords shall not be left unchanged before a system can be made accessible over Internet.
- Access to provisioned resources shall be made through secure communication protocols.
- Host based malware detection and protection software shall be enabled in order to detect, prevent and recover from malicious code or from unauthorized access attempts.
- Software patching shall be applied at least for security patches of used software in accordance with the risk to which the software vulnerability is exposing.
ONDA by Serco® is a registered trademark of Serco Italia S.p.A.
- Critical data and information should be backed up and ensure that restore procedures function correctly.
- Private networks should be configured with proper separation in case of sensitive data handling, and made not accessible from untrusted networks.
- Custom applications shall be developed in compliance with secure development principles.
- Firewall filtering rules shall be enabled to keep control over the allowed communication flows.
- Provisioned systems and resources shall be used in accordance with the purposes for which they are provisioned.
- An efficient approach in handling access credentials is to be used by enforcing passwords robustness and making credentials hard-to-guess.
- Particular attention should be paid with the use of the credentials for API accesses, as the same credential pairs are used for the handling of the cloud resources purchases. Measures should be applied to protect these credentials as they are the same ones with which a user can make purchases and cloud resources provisioning on the ONDA web portal.
- Access to provisioned resources shall be allowed to authorised personnel only.
Users are free and required to customize the set of rules and guidelines to apply in order to protect provisioned resources.