Standards referenced from the Operations Security Policy. Aligned with CIS Benchmarks and applicable cloud-provider best practices.

I. Cloud hardening

Identity and Access Management (IAM)

  • Least privilege — each user, service, and system has minimal necessary access.
  • MFA enforced for all production access — see Access Control.
  • No long-lived static credentials in production where SSO + workload identity is possible.

Data storage and management

Network security

  • VPC + subnets to isolate environments and segment networks.
  • Cloud-native and third-party firewalls and DDoS protection — AWS Shield Standard (always-on at AWS edge) and Vultr Firewall + Vultr DDoS Protection (always-on at Vultr edge), plus Cloudflare WAF + Cloudflare DDoS (via Cloudflare One, including Cloudflare Gateway egress filtering and Cloudflare Access for ZTNA) sitting in front of both clouds.

Monitoring and logging

  • Logging configured to write-once-read-many storage to prevent tampering.
  • Alerting via CloudWatch and Better Stack for real-time response.

II. Container hardening

Image security

  • Base images are drawn only from Neuroscale-authorized images or repositories (distroless / Chainguard images).
  • Minimal base images to reduce attack surface.

Runtime security

  • Runtime threat detection is performed by Falco (CNCF graduated project), deployed as a DaemonSet on every Vultr Kubernetes Engine (VKE) and AWS-resident node pool, and as a systemd service on every production VM (Vultr Cloud Compute, AWS EC2) and Vultr Bare Metal host. Falco also consumes the Kubernetes audit log source on both VKE and AWS K8s clusters to cover the K8s control plane (suspicious kubectl activity, RBAC changes, exec-into-pod). Falco rules cover the CNCF default ruleset plus Neuroscale-tuned rules for unexpected outbound network egress, unexpected exec into pods or hosts, sensitive-mount access, and privilege escalation. Falco events are streamed to Better Stack, where they trigger on-call alerts per the Incident Response Policy.
  • Cloud-provider control-plane threat detection is provided by AWS GuardDuty for AWS-resident workloads and by Vultr cloud audit logs for Vultr-resident workloads, both ingested into Better Stack alongside the Falco event stream.

Network security

  • Network policies via Kubernetes NetworkPolicy.

Orchestration security

  • API server protected with firewalls, IAM controls, and secure communication channels.
  • RBAC enforces least-privilege; reviewed quarterly per Access Reviews.

CI/CD security

  • Minimize access to CI/CD pipelines; role-based access controls; audit trails enabled.
  • Dependency scanning during build.

III. Servers and VMs

  • Aligned with industry-standard baselines (CIS Benchmarks, NIST guidelines).
  • Vendor defaults — especially passwords — changed before network integration.
  • One primary function per VM where practical.
  • Patch-management strategy meets defined SLAs (see Vulnerability Management).

IV. Network standards

  • All network changes follow Change Management.
  • Production network rules enforced and revisited at least annually.
  • Remote access controlled, audited, and logged.
  • Inbound traffic limited to system components providing authorized publicly accessible services.
  • Insecure services and protocols prohibited without justification and documented mitigations.
  • Remote-access sessions enforce idle timeout after 12 hours and absolute timeout after 24 hours, requiring re-authentication.

Cloud providers

Production runs on AWS (primary) and Vultr (secondary, for compute and databases). Each provider’s shared-responsibility matrix is reviewed annually, and Neuroscale-side controls — applicable to whichever cloud hosts the workload — are tracked in the Controls Inventory (mirrored to Vanta for continuous testing). Per-cloud notes:
  • AWS. Identity Center / IAM, KMS, EBS/RDS/S3/DynamoDB encryption, GuardDuty, CloudTrail, AWS Shield Standard, AWS Backup are the canonical Neuroscale-controlled surfaces.
  • Vultr. Vultr Cloud Compute, Vultr Bare Metal, Vultr Object Storage, Vultr Block Storage, Vultr Kubernetes Engine (VKE), and Vultr Firewall are the canonical Neuroscale-controlled surfaces.
  • Cross-cloud. HashiCorp Vault is the secrets-of-record for both clouds (see Secrets Management). Vault Transit is the application-layer envelope-encryption surface for both clouds (encrypt-as-a-service; key material never leaves Vault). AWS KMS is cloud-native at-rest only — it encrypts AWS-resident EBS / RDS / S3 / DynamoDB. Vultr platform encryption is cloud-native at-rest for Vultr-resident block and object storage (including the Block Storage volumes that hold Vultr-hosted Postgres data). Confidential customer data is wrapped at the application layer with Vault Transit in addition to the provider’s at-rest layer (see Cryptography).

Version history

Version | Date | Description | Author | Approved by
1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani