Best practices
An important point of the shared responsibility model worth reiterating is that the cloud services themselves must be configured properly to raise the overall security of APEX Protection Storage. This section covers the key configuration pillars recommended for a secure APEX Protection Storage deployment.
Public access, and any access from outside the cloud provider's network, should be blocked for the S3 bucket or container configured for the APEX Protection Storage instance. All operations should stay within the defined Virtual Private Cloud (VPC) network.
The bucket or container access policy should restrict S3 access to a single APEX Protection Storage instance at any point in time. The virtual machine's unique instance ID, its security principal, or an equivalent identity can be referenced in the bucket access policy to enforce this.
Native S3 object locking should not be enabled on buckets attached to APEX Protection Storage, as doing so leads to undesirable and unsupported behavior. Any solution that relies on the cloud provider's native S3 object locking feature comes with a drastic reduction in the deduplication factor as a trade-off.
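The three bucket recommendations above (no access from outside the VPC, exactly one principal, no native object lock) can be checked mechanically before a policy is applied. The following is an added example, not Dell's code: it builds a constructed AWS-style bucket policy that follows the recommendations, a constructed counter-example that does not, and an audit function that flags the deviations. The account ID, role name, bucket name and VPC ID are placeholders; the `aws:SourceVpc` and `aws:SourceVpce` condition keys are the real AWS keys used to scope requests to a VPC or VPC endpoint.

```python
"""Audit an S3 bucket policy against the recommendations above.

Added example, not Dell's code. The policy documents, account id, role
name, bucket name and VPC id are constructed placeholders.
"""

BUCKET = "ddve-example-bucket"                                  # placeholder
INSTANCE_ROLE = "arn:aws:iam::111122223333:role/ddve-instance"  # placeholder
VPC_ID = "vpc-0123456789abcdef0"                                # placeholder
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed policy that follows the recommendations: exactly one principal
# (the protection storage instance's role) may use the bucket, and only when
# the request originates inside the VPC; any request from elsewhere is denied.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyTheInstanceRoleFromTheVpc",
            "Effect": "Allow",
            "Principal": {"AWS": INSTANCE_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                       "s3:ListBucket"],
            "Resource": BUCKET_ARNS,
            "Condition": {"StringEquals": {"aws:SourceVpc": VPC_ID}},
        },
        {
            "Sid": "DenyEverythingFromOutsideTheVpc",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"StringNotEquals": {"aws:SourceVpc": VPC_ID}},
        },
    ],
}

# Constructed counter-example: open to any AWS principal, no VPC scoping.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
        }
    ],
}

VPC_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return the set of principals named by a statement ('*' means anyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    found = set()
    for entries in principal.values():
        found.update(_as_list(entries))
    return found


def _scoped_to_vpc(statement):
    """True when the statement carries an aws:SourceVpc/aws:SourceVpce condition."""
    for keys in statement.get("Condition", {}).values():
        if any(key.lower() in VPC_KEYS for key in keys):
            return True
    return False


def audit_bucket_policy(policy, object_lock_enabled=False):
    """Return sorted finding codes; an empty list means the policy passes.

    object_lock_enabled mirrors the bucket's ObjectLockEnabled setting, which
    is reported separately from the policy document.
    """
    findings = set()
    allowed = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        principals = _principals(statement)
        if "*" in principals:
            findings.add("public-principal")
        allowed |= principals
        if not _scoped_to_vpc(statement):
            findings.add("allow-not-scoped-to-vpc")
    if len(allowed) != 1:
        findings.add("not-exactly-one-principal")
    if object_lock_enabled:
        findings.add("native-object-lock-enabled")
    return sorted(findings)


if __name__ == "__main__":
    print("good policy:", audit_bucket_policy(GOOD_POLICY))
    print("public policy:", audit_bucket_policy(PUBLIC_POLICY, object_lock_enabled=True))
```

A policy that passes the audit can be applied with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`; the object-lock status to pass as `object_lock_enabled` is what `aws s3api get-object-lock-configuration` reports for the bucket. The explicit Deny statement matters: S3 evaluates a Deny before any Allow, so a later, broader grant cannot reopen the bucket from outside the VPC.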
Configure security groups or equivalent firewall rules to restrict access to the APEX Protection Storage instance. The security group should allow inbound SSH access on port 22 only from a specific IP address; this ensures that none of the DDVE management or control ports are exposed outside the cloud VPC network.
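The security group rule above is simple enough to verify automatically. As an added example (not Dell's code), the function below takes inbound rules in the shape of the EC2 `IpPermissions` structure, as returned by `aws ec2 describe-security-groups`, and reports any rule that is not "TCP 22 from a single source address". The rule sets and CIDRs are constructed placeholders.

```python
"""Audit a security group's inbound rules against the recommendation above.

Added example, not Dell's code. Rules use the EC2 IpPermissions shape;
all CIDRs are constructed placeholders.
"""
import ipaddress

SSH_PORT = 22

# Constructed rule set that follows the recommendation: SSH only, from one host.
GOOD_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
]

# Constructed counter-example: SSH from anywhere, plus a second port
# open to an entire /16.
BAD_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
]


def _cidrs(rule):
    """Collect IPv4 and IPv6 source ranges from one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_ingress(rules):
    """Return sorted finding codes; empty means only SSH from a single IP."""
    findings = set()
    for rule in rules:
        # IpProtocol "-1" is the EC2 encoding for "all protocols and ports".
        if rule.get("IpProtocol") == "-1":
            findings.add("all-traffic-allowed")
            continue
        if (rule.get("FromPort"), rule.get("ToPort")) != (SSH_PORT, SSH_PORT):
            findings.add("non-ssh-port-open")
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.num_addresses != 1:       # anything wider than /32 or /128
                findings.add("source-not-a-single-ip")
            if net.prefixlen == 0:           # 0.0.0.0/0 or ::/0
                findings.add("open-to-the-internet")
    return sorted(findings)


if __name__ == "__main__":
    print("good rules:", audit_ingress(GOOD_RULES))
    print("bad rules:", audit_ingress(BAD_RULES))
```

Because the check is on the rule set rather than on the live instance, it can run in a pipeline before the security group is created or changed, and the same function can be pointed at the `IpPermissions` list of every group attached to the instance.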
Each cloud provider offers monitoring services that report suspicious activity: on AWS, GuardDuty or CloudTrail; on Azure, Security Center; on Google Cloud, the Security Command Center service.
Enable only the routes required between your APEX Protection Storage instance and your on-premises or cloud-native applications, using the routing options available in virtual private cloud (VPC) configurations or private link services.
Leverage key vault services such as AWS Key Management Service (KMS), Azure Key Vault, or GCP Cloud Key Management to securely store the keys associated with your APEX Protection Storage deployment.
Integrate cloud-native threat detection and regularly audit your cloud deployment against security frameworks such as those from the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST). This functionality is available on Azure through Microsoft Defender for Cloud and on AWS through the Security Hub service.
The complete list of Microsoft Azure’s top 10 best security practices can be found here.