Cybersecurity attacks are costly—very costly. Start adding up the financial damage in lost business, operational downtime, ransoms paid, loss of reputation, legal consequences, the cost of prevention itself—and you quickly hit trillions of dollars worldwide.
And today, the cost and impact of cybercrime is felt more widely than ever before as more and more of the attacks are against cloud-based services.
It’s no surprise that cloud platforms have become prime targets for cybercriminals. The bad guys know that all they need to do is find that poorly secured S3 bucket on AWS and, bingo, they can win big. Three of the most damaging cybersecurity breaches in recent years have all involved cloud services: the attacks on the Snowflake data warehouse solution (numerous companies impacted, including AT&T and Ticketmaster); the Change Healthcare technology services company (thousands of hospitals affected, with total losses of $2.87 billion); and the MOVEit data transfer app (2,600+ organizations breached).
What may come as a surprise is that the methods used to attack these systems were decidedly old school—techniques such as stolen login and remote access credentials or outsmarting flimsy user authentication practices.
Given that cloud services are clearly in the cross hairs of cybercriminals, does it make sense to move privacy-sensitive applications onto bare metal servers that are isolated and dedicated to your needs? Well, if done the right way (we’ll get to what “the right way” means in a moment) and as part of an overall hybrid approach to IT infrastructure—the answer is yes.
As noted in a recent blog post, “What’s Cloud Repatriation Really All About?,” once workloads become highly predictable, a major value of hosting them in the cloud—it’s on-demand scalability—becomes less valuable. So why keep paying for it? Switching to bare metal can boost performance and deliver significant cost savings. Now add enhanced security as another reason to strongly consider bare metal.
The bare metal security advantage
From a security point of view, bare metal comes with several advantages:
More control/no “noisy neighbors”: Instead of relying on a virtualized server set up in the cloud, the separation offered by bare metal gives you full control over hardware and software security. Organizations can customize firewall rules, encryption, OS security and network segmentation to fit specific security needs. And unlike shared, multi-tenant cloud environments, bare metal servers eliminate risks from “noisy neighbors” or cloud-based, side-channel attacks.
Fewer risks via APIs: Application Programming Interfaces (APIs)—commonly used in cloud environments to handle data exchanges between applications—are a beloved entry point for attackers. Publicly accessible by design, APIs are easy to scan and attack. Many lack proper access and validation controls, making them very susceptible to SQL injection attacks and query manipulation. Attackers can also overload APIs with millions of requests, causing service failures.
Custom firmware & BIOS security: To reduce low-level hardware attacks, bare metal users can make system startup processes more secure, implementing strict firmware verification rules and disabling unnecessary features while closely managing stored passwords and boot logs.
Meet strict regulatory requirements: Bare metal hosting allows organizations to physically control where data is stored, helping deliver compliance with GDPR, HIPAA, PCI DSS and other regulations.
For all of these reasons, organizations that regularly deal with highly sensitive or classified data (finance, government, healthcare) routinely opt for bare metal.
The ‘right way’ to do bare metal security
However, going bare metal is not a security strategy in and of itself. As noted earlier, because bare metal has its own risk profile, security must be done right. In our bare metal service, Zenlayer specifically addresses these vulnerabilities, such as the risks posed by not fully erasing data left on hard disk drives (HDDs).
Whenever a bare metal server is repurposed, reassigned or decommissioned, the previous user’s data must be completely and thoroughly erased to prevent recovery. Simply deleting files or reformatting a drive is not enough—data can still be recovered. A major investment bank discovered this the hard way in 2020 when it decommissioned servers without properly wiping data, exposing sensitive financial records.
At Zenlayer, we approach the data erasure from both the network and server perspective:
Network
On the network side, we remove all configurations and disable IP transit—effectively taking the server offline to close any windows for attacks/breaches. We also take advantage of the Nessus vulnerability assessment tool to do penetration testing. Nessus scans devices, hosts and applications for known security vulnerabilities including software flaws, missing patches, malware, misconfiguration errors and default passwords remaining in use.
Server
On the server side, we rely on encryption and extensive scrubbing:
- Hardware encryption: Our data centers use enterprise-class HDDs, supporting full hardware encryption. (Software encryption, while less expensive, adds CPU overhead and is vulnerable to OS malware.) The entire drive is encrypted before storing data. When the time comes for customers to migrate off the server, encryption keys are deleted (making data unreadable forever), and file tables are deleted and replaced with junk data, effectively overwriting any previous data to ensure that the original data is replaced and irretrievable.
- Scrubbing the data: To fully remove data, we scrub more than once, writing and rewriting HDDs multiple times. While this reduces the lifespan of these devices, it’s a cost we bear to ensure maximum privacy. Finally, after wiping multiple times, we confirm the erasure was successful using routine vulnerability scans, as well as employing third-party penetration tests such as Nessus and (for internal vulnerability scans) OpenVAS.
4 steps to keeping your data secure
Just like the cloud, bare metal systems are vulnerable to attackers who successfully steal user IDs, passwords and other credentials. That makes security a shared responsibility. While we do all we can to protect the data of customers who use Zenlayer’s bare metal services, customers must also take preventative action.
Here are four key steps to secure your server system:
Note: For more details and screenshots of all of these procedures, go to Securing your Linux server. While these steps are for Linux servers, they apply to other operating systems as well.
- Configure the appropriate login method: When creating your bare metal instance, Zenlayer provides three login options: (1) A system-generated root password; (2) SSH keys; or (3) Set up your own password. We encourage customers to use SSH keys to block malicious password login attempts, including brute force attacks.
- Implement firewall and network security measures: To control incoming and outgoing traffic, you need to put the appropriate firewall and network security measures in place. There are several options for implementing a firewall, with the most commonly used software being iptables and firewalld. Firewalld’s rule syntax is more user-friendly and better explained: you assign each interface to a zone and apply rules to the corresponding zone.
- Keep software up to date: As noted above, cybercriminals are not typically very sophisticated. They follow a path of least resistance, scanning for outdated software with unpatched security flaws. That’s why regularly updating software is one of the most effective cybersecurity measures. A popular option for keeping on track is taking advantage of Ubuntu. This popular Linux distribution provides a “message of the day” when you log in, letting you know right away if there are any updates to install.
- Set up automatic system updates: If applicable, consider setting up automatic updates. This will ensure that security patches, including emergency updates, are applied as soon as they’re released, reducing exposure to cyberthreats. Updates also resolve software glitches and performance issues, preventing crashes, freezes and conflicts with updated applications. They often contain better memory management and CPU efficiency improvements.
You can also check out our instructions for doing manual updates in Securing your Linux server.
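As an added example that is not part of the original post or of Zenlayer’s tooling, the script below turns the first two steps into something you can check on a box: it audits an sshd_config for the settings that still allow password-based login, writes a key-only drop-in, and shows the firewalld zone assignments for a public interface plus a trusted management network. File paths, the interface name and the management CIDR are parameters, and the sample sshd_config is constructed for the demo rather than taken from any real host.

```shell
#!/bin/sh
# Added example written for this article (not Zenlayer's tooling) covering the
# login-method and firewall steps above. Paths and interface names are
# parameters; the sample sshd_config below is constructed, not from a real host.

# Effective value of a keyword in the global section of an sshd_config.
# sshd keeps the FIRST value it reads for a keyword, so earlier lines (and
# Included drop-ins placed at the top of the file) take precedence.
# Include directives are not followed and reading stops at the first Match block.
# $1 = config file, $2 = keyword (case-insensitive), $3 = OpenSSH default
sshd_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    { gsub(/=/, " ") }                       # accept the "Keyword=value" form
    tolower($1) == "match" { exit }          # only audit the global section
    tolower($1) == key { print $2; found = 1; exit }
    END { if (!found) print def }' "$1"
}

# $1 = keyword, $2 = OpenSSH default, $3 = required value, $4 = alternative
# acceptable value. Uses the caller's $cfg and increments $fails.
check_setting() {
  v=$(sshd_setting "$cfg" "$1" "$2")
  if [ "$v" = "$3" ] || { [ -n "${4:-}" ] && [ "$v" = "$4" ]; }; then
    echo "OK    $1 = $v"
  else
    echo "FAIL  $1 = $v (want $3${4:+ or $4})"
    fails=$((fails + 1))
  fi
}

# Audit one sshd_config for settings that still permit password-based login.
# Prints one line per check; the return code is the number of failed checks.
audit_sshd_config() {
  cfg=$1; fails=0
  check_setting PasswordAuthentication       yes no
  check_setting KbdInteractiveAuthentication yes no   # PAM password prompts
  check_setting PubkeyAuthentication         yes yes
  check_setting PermitEmptyPasswords         no  no
  check_setting PermitRootLogin              prohibit-password prohibit-password no
  return $fails
}

# Drop-in that forces key-only login. On Debian/Ubuntu, sshd_config Includes
# /etc/ssh/sshd_config.d/*.conf at the top, so these values win. $1 = path.
write_hardened_dropin() {
  cat > "$1" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
EOF
}

# Constructed sample of a permissive sshd_config for the demo. $1 = path.
write_sample_weak_config() {
  cat > "$1" <<'EOF'
# constructed sample, not from a real host
Port 22
#PasswordAuthentication no   <- commented out, so the default (yes) applies
PermitRootLogin yes
PasswordAuthentication=yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Put the public interface in firewalld's "public" zone and allow SSH only from
# a trusted management network via the "internal" zone (firewalld matches a
# packet's source before its interface). Prints the commands unless called
# with --apply; keep a console session open when applying, since SSH from
# anywhere else is cut off. $1 = interface, $2 = management CIDR (constructed).
firewalld_zones() {
  run="echo DRY-RUN:"
  if [ "${1:-}" = "--apply" ]; then run=""; shift; fi
  iface=${1:-eth0}; mgmt=${2:-203.0.113.0/24}
  $run firewall-cmd --permanent --zone=public   --change-interface="$iface"
  $run firewall-cmd --permanent --zone=public   --remove-service=ssh
  $run firewall-cmd --permanent --zone=internal --add-source="$mgmt"
  $run firewall-cmd --permanent --zone=internal --add-service=ssh
  $run firewall-cmd --reload
}

# Demo on a scratch directory: audit the weak sample, then the hardened drop-in.
demo=$(mktemp -d)
write_sample_weak_config "$demo/sshd_config"
audit_sshd_config "$demo/sshd_config" || echo "$? setting(s) still allow password login"
write_hardened_dropin "$demo/10-keys-only.conf"
audit_sshd_config "$demo/10-keys-only.conf" && echo "hardened drop-in passes every check"
firewalld_zones eth0 203.0.113.0/24
rm -rf "$demo"
```

Run it as-is to see the audit against the constructed sample; on a real host, point `audit_sshd_config` at `/etc/ssh/sshd_config`, write the drop-in into `/etc/ssh/sshd_config.d/`, confirm with `sshd -t` and restart sshd only after a key login has been verified from a second session. The audit deliberately treats an absent keyword as its OpenSSH default, which is exactly how a commented-out `#PasswordAuthentication no` line leaves password login enabled.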
Implementing these best practices can significantly improve the security of your servers. However, it’s important to remember that cyberattacks happen every day and there’s no single solution to prevent them. In addition to technical configurations, other policies and procedures are required for long-term security, such as regular security audits, backups and user ID management procedures.
Using a hybrid strategy to address security
As a global digital infrastructure service provider, we know that Zenlayer is an active target for cybercriminals around the world. That’s why we’re constantly refining our processes for data security. And this is especially the case with the solutions we offer for bare metal services, which are an ideal way to address performance, cost, and security requirements.
Staying safe is a multi-faceted undertaking today and it will be tomorrow. Organizations will always want to seek the right balance of performance, cost and protection. That’s why we strongly encourage customers to always consider a hybrid approach to IT infrastructure utilizing bare metal, VMs and the cloud as appropriate.
A hybrid infrastructure gives you options for moving workloads based on the needs of both your business and the specific application, matching the solution to the challenge while also taking steps to address the unique security profile of each kind of infrastructure.