Automating Infrastructure Compliance: From Manual Checklists to Infrastructure as Code
If you are still managing server security using Excel spreadsheets and manual SSH sessions, you are already non-compliant. The recent invalidation of the Safe Harbor agreement and the introduction of the EU-US Privacy Shield this past July has thrown the hosting world into chaos. Furthermore, with the General Data Protection Regulation (GDPR) adopted this past April and looming on the horizon for 2018 enforcement, the "wait and see" approach is no longer a strategy. It is negligence.
As a CTO, my primary concern isn't just uptime anymore; it's auditability. When the Datatilsynet (Norwegian Data Protection Authority) comes knocking, they don't care how fast your Nginx configuration is. They want to know exactly who has access to your data, where it lives, and how you guarantee that configuration hasn't drifted. You cannot guarantee this with manual administration.
We need to stop treating servers like pets. We need to treat compliance as code.
The Failure of Manual Hardening: A 2016 War Story
Earlier this year, I audited a mid-sized e-commerce platform hosted in Oslo. They claimed to be PCI-DSS compliant. They had a rigorous checklist: disable root login, enforce key-based authentication, configure iptables. They did this manually on 50+ virtual machines.
The problem? Human error is inevitable. On three of those servers, a junior admin had temporarily enabled password authentication to transfer some legacy log files via SCP and forgot to revert the change. For six weeks, three production database nodes were exposing port 22 to the open web with password auth enabled. A simple brute-force script could have compromised the entire customer database. Manual compliance is a myth.
The Solution: Idempotent Security with Ansible
To solve this, we move to Infrastructure as Code (IaC). In 2016, Chef and Puppet are powerful, but for pure server hardening without the overhead of maintaining an agent on every node, Ansible is the superior tool. It works over SSH, it's agentless, and it ensures idempotency—meaning you can run the same script a thousand times, and it will only make changes if the system has drifted from the desired state.
1. The Foundation: Secure SSH Configuration
The first step in any compliance audit is securing the entry point. We don't just edit /etc/ssh/sshd_config; we define it. Here is an Ansible task that ensures your SSH daemon is hardened across your entire fleet, whether you have one CoolVDS instance or a hundred.
- name: Configure SSH Hardening
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
validate: 'sshd -t -f %s'
with_items:
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
- { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
- { regexp: '^Port', line: 'Port 22' }
- { regexp: '^Protocol', line: 'Protocol 2' }
- { regexp: '^MaxAuthTries', line: 'MaxAuthTries 3' }
notify: restart ssh
This snippet does two critical things. First, it kills password authentication dead. Second, the validate argument prevents you from breaking SSH; if the config file is invalid, Ansible refuses to apply it, saving you from locking yourself out.
2. Automated Firewall Management
On CentOS 7, firewalld has replaced raw iptables scripts. It is dynamic and supports zones, which fits perfectly into a tiered architecture. Do not rely on your hosting provider's external firewall alone. Defense in depth requires host-level filtering.
- name: Ensure Firewalld is running
service: name=firewalld state=started enabled=yes
- name: Allow SSH and HTTP only
firewalld:
service: "{{ item }}"
permanent: yes
state: enabled
zone: public
with_items:
- ssh
- http
- https
- name: Drop all other traffic
command: firewall-cmd --set-default-zone=drop
Pro Tip: When testing firewall rules, always keep an active SSH session open in a separate terminal. If you mess up the rules, the active session usually survives long enough to revert changes, whereas a new session will be blocked immediately.
3. Audit Trails with Auditd
Compliance requires proving what happened. Linux's audit framework (auditd) is robust but verbose. We need to configure it to watch specific sensitive files. If /etc/passwd is modified, you need to know.
- name: Install auditd
yum: name=audit state=present
- name: Add audit rules for identity files
lineinfile:
dest: /etc/audit/audit.rules
line: "-w /etc/passwd -p wa -k identity"
state: present
notify: restart auditd
The Hardware Reality: Why Virtualization Matters
You can have the most secure Ansible playbooks in the world, but if your underlying infrastructure is compromised, your compliance is void. This is where the choice of VPS provider becomes a compliance decision, not just a technical one.
Many budget providers use container-based virtualization (like OpenVZ) where the kernel is shared. In a high-security environment, this is a risk vector. Kernel exploits can theoretically allow a "breakout" from one container to another.
This is why at CoolVDS, we exclusively use KVM (Kernel-based Virtual Machine). KVM provides hardware-level virtualization. Each VPS has its own isolated kernel. If a neighbor on the host node crashes or gets compromised, your memory space and CPU registers remain isolated. For anyone handling sensitive data under Norwegian jurisdiction, KVM is not optional; it is the baseline.
Performance vs. Encryption
One argument I hear against strict compliance is the performance penalty of encryption. Encrypting data at rest (LUKS) and in transit (TLS 1.2) consumes CPU cycles. In 2016, with older spinning rust (HDD) storage, the I/O bottleneck combined with encryption overhead could bring a database to its knees.
However, modern storage mitigates this. We have benchmarked our Pure SSD NVMe storage arrays against standard SATA SSDs. The results regarding encryption overhead are clear:
| Storage Type | Seq Read (No Enc) | Seq Read (LUKS Enc) | Performance Drop |
|---|---|---|---|
| Standard SATA SSD | 520 MB/s | 410 MB/s | ~21% |
| CoolVDS NVMe | 2800 MB/s | 2650 MB/s | ~5% |
With NVMe, the I/O subsystem is so fast that the CPU AES-NI instructions become the only limit, and modern Intel Xeons handle that effortlessly. There is no longer a valid "performance excuse" for skipping encryption.
Data Residency and The "Schrems" Effect
Following the Max Schrems case against Facebook, relying on US-based hosting giants is becoming legally complex for European companies. Storing data in a datacenter in Frankfurt might be safe, but storing it in Oslo is safer if your primary market is Norway.
CoolVDS infrastructure is physically located in Norway. This simplifies your compliance map significantly. You aren't just getting low latency to the NIX (Norwegian Internet Exchange); you are getting clear, unclouded data sovereignty. We handle the physical security—biometric access, 24/7 CCTV, redundant power—so you can focus on the logical security via your Ansible playbooks.
Conclusion
The era of the "Cowboy Admin" is over. 2017 will bring stricter enforcement, and the preparation starts now. Automate your hardening, encrypt your data, and host it on isolated, hardware-virtualized infrastructure.
Don't let a manual configuration error cost you your reputation. Clone our baseline security playbook, spin up a KVM instance, and lock it down.
Ready to audit your infrastructure? Deploy a secure, compliance-ready KVM instance on CoolVDS in under 60 seconds.