Security Best Practices

This guide provides practical recommendations to help you secure your Bamboozle infrastructure. While Bamboozle secures the underlying platform, following these practices ensures your workloads, data, and accounts are protected.

Account security

• Enable two-factor authentication on your Bamboozle account immediately. This single step dramatically reduces the risk of account compromise even if your password is stolen.
• Use a strong, unique password for your Bamboozle account. Use a password manager to generate and store complex passwords.
• Create API tokens with the minimum required scope. Use read-only tokens where possible. Set expiry dates on tokens and rotate them regularly.
• Review team member access regularly. Remove access for team members who no longer need it. Follow the principle of least privilege — grant only the permissions needed to do the job.
• Monitor your account activity and investigate any unfamiliar logins or API calls promptly.

Virtual machine security

• Use SSH keys instead of passwords. Disable password-based SSH authentication entirely and rely on key-based access. Generate a separate key pair for each administrator.
• Disable root login over SSH. Create a non-root user with sudo access and disable direct root SSH access in your sshd_config.
• Change the default SSH port from 22 to a non-standard port to reduce automated brute-force attempts.
• Keep the operating system patched. Apply security updates promptly. Enable automatic security updates for unattended-upgrades on Debian and Ubuntu systems.
• Run only what you need. Disable or remove services and software that are not required. Every unnecessary service is a potential attack surface.
• Use a firewall. Apply Bamboozle Cloud Firewall rules and configure the on-host firewall (UFW or firewalld) to restrict access to only necessary ports and source IPs.

Network security

• Use a VPC to isolate resources that do not need direct internet access. Place databases, internal APIs, and other backend services in a private network.
• Restrict inbound traffic with Cloud Firewalls. Allow only the ports your application requires from the IP addresses that need access. Block everything else by default.
• Never expose database ports to the internet. Databases should only be accessible from within your VPC or from specific whitelisted IP addresses.
• Use TLS for all services. Serve all web applications over HTTPS. Use Let's Encrypt or your own certificates. Redirect all HTTP traffic to HTTPS.
• Use a Load Balancer in front of your web servers so backend VMs are not directly exposed to the internet.

Data protection

• Encrypt sensitive data at the application level in addition to relying on Bamboozle's storage encryption. Use AES-256 or equivalent for data at rest within your application.
• Never store credentials in code or version control. Use environment variables, secrets managers, or Kubernetes secrets to inject credentials at runtime.
• Back up your data regularly using Bamboozle Advanced Backup or your own backup solution. Test your restores periodically to verify backups are working correctly.
• Apply the principle of data minimization. Only collect and store data you actually need. Delete data when it is no longer required.

Application security

• Keep dependencies up to date. Regularly update application libraries and frameworks to patch known vulnerabilities. Use dependency scanning tools to identify outdated or vulnerable packages.
• Validate all user input. Never trust data submitted by users. Validate and sanitize all input to prevent injection attacks including SQL injection, XSS, and command injection.
• Implement rate limiting on authentication endpoints and APIs to prevent brute-force attacks.
• Use security headers. Add HTTP security headers including Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security to all web applications.
• Log security events. Log authentication attempts, permission changes, and other security-relevant events. Ship logs to a central location outside the application server so they cannot be tampered with.

Monitoring and incident response

• Monitor your infrastructure. Use Bamboozle monitoring or a third-party tool to alert on unusual CPU, memory, network, or disk usage that could indicate a compromise.
• Enable Bamboozle EDR on all endpoints to detect and respond to threats automatically.
• Have an incident response plan. Know what you will do if a server is compromised — who to contact, how to isolate the affected system, and how to restore from backup.
• Review logs regularly. Periodically review authentication logs, firewall logs, and application logs for signs of suspicious activity.

Need help?

If you have questions about securing your Bamboozle infrastructure or need security advice, contact our support team at [email protected] or visit the Support Portal. For security-specific enquiries contact [email protected].