Security Hardening Principles

This section provides you with the information necessary to configure security hardening. It is important to understand the security hardening principles rather than simply following the procedures described in this document, as otherwise your services may be adversely affected.

Security hardening is an ongoing process. It is not a set-and-forget process, nor can it be achieved overnight. Relying on a single policy or a one-off security hardening configuration will end in failure. Before carrying out security hardening procedures, complete the following tasks:

1. Understand service requirements. Security is always service-oriented. An appropriate security policy can be developed only after the security protection requirements of the service system are clearly understood.
2. Evaluate risks. Analyze the security threats that face the service system, identify the system's weak points, balance the system's value against security hardening costs, and comprehensively evaluate security risks in real time. Provide defense measures against unacceptable security risks, treat acceptable risks as remaining risks, and periodically review them throughout the service system lifecycle to determine whether to escalate them.
3. Design security hardening solutions. On the basis of comprehensive risk evaluation, design appropriate and cost-effective security hardening solutions that meet service requirements and bring desired benefits. Ensure security through design rather than through configuration. Each security hardening engineer should have a sound understanding of this principle.
4. Implement security hardening policies. Before implementing security hardening, evaluate the impact of the security hardening policies on services. A thorough evaluation helps prevent service loss.

After security hardening is complete, the service system needs to be monitored and maintained continuously to ensure that security policies continue to achieve the desired effect. Continuous monitoring and maintenance can also help detect potential problems so that security policies can be adjusted accordingly.