Hardening Computing Resources (Part 2) (Domain 4)

In our previous episode, we explored the hardening of mobile devices, workstations, switches, and routers. In this follow-up, we shift our attention to more complex and often misunderstood parts of the technology ecosystem—cloud infrastructure, server environments, and specialized systems like industrial control systems and supervisory control and data acquisition platforms. While each of these areas brings unique challenges, the goal remains the same: reduce the attack surface, enforce consistent configurations, and build resilience against threats.
We start with cloud infrastructure. The rise of cloud computing has transformed the way organizations store data, run applications, and deliver services. However, this flexibility also brings security risks—many of which stem from misconfigurations or a lack of visibility into cloud resources. Hardening cloud infrastructure begins with encrypting data at all stages—whether it is at rest in cloud storage, in use by a virtual machine, or in transit across a network. Encryption protects sensitive information from unauthorized access, even if the storage medium or communication channel is compromised.
Beyond encryption, identity and access management controls are foundational to securing cloud environments. Unlike traditional networks where security can be physically enforced, cloud environments rely heavily on permissions and roles. Properly configured identity and access controls ensure that users, applications, and services only have access to the resources they need. Role-based access, multifactor authentication, and detailed logging are critical parts of a hardened cloud deployment. For example, developers should not have administrative access to billing information, and storage buckets should not be open to the public by default.
One of the most common security issues in cloud environments is misconfiguration. These can include public access to private storage, overly permissive access roles, exposed application interfaces, and outdated software images. These weaknesses are often unintentional but can have serious consequences. Mitigating these risks starts with regular auditing and monitoring. Many cloud providers offer tools to scan for misconfigurations and recommend best practices. Another strategy is to use infrastructure-as-code tools that allow organizations to define secure configurations up front and apply them consistently across environments.
In practical terms, cloud hardening includes steps like disabling unused ports, rotating access keys, and tagging assets for easier inventory and policy enforcement. Many organizations also implement guardrails—predefined policies that prevent users from making insecure changes, such as creating resources in unapproved regions or turning off encryption on storage volumes. These measures help enforce security by default and reduce the chance of accidental exposure.
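The guardrail idea above can be expressed as policy code that evaluates an inventory before or after resources are created. The following is an added example, not code from the episode or from any cloud provider; the resource fields, policy names and the approved-region list are assumptions for illustration.

```python
# Added example: evaluate a constructed cloud resource inventory against the
# guardrails described above (approved regions, encryption on, no public buckets,
# no overly permissive roles). Field names are assumed, not a real provider schema.

APPROVED_REGIONS = {"us-east-1", "eu-west-1"}  # assumed organisational policy

# Constructed sample inventory, in the shape an infrastructure-as-code tool or
# a cloud API export might produce (simplified).
SAMPLE_INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket", "region": "us-east-1",
     "public": False, "encrypted": True},
    {"id": "bucket-web-assets", "type": "storage_bucket", "region": "us-east-1",
     "public": True, "encrypted": True},
    {"id": "vol-db-01", "type": "volume", "region": "ap-south-1",
     "public": False, "encrypted": False},
    {"id": "role-dev", "type": "iam_role", "region": "global",
     "actions": ["s3:GetObject", "billing:*"]},
]

def evaluate_guardrails(resources, approved_regions=APPROVED_REGIONS):
    """Return (resource id, policy, detail) tuples for every violated guardrail."""
    findings = []
    for r in resources:
        rid, rtype = r["id"], r["type"]
        # Regional guardrail: only global services are exempt from the region check.
        if r["region"] != "global" and r["region"] not in approved_regions:
            findings.append((rid, "unapproved_region", r["region"]))
        # Storage must stay encrypted at rest, whether bucket or block volume.
        if rtype in ("storage_bucket", "volume") and not r.get("encrypted", False):
            findings.append((rid, "encryption_disabled", rtype))
        # Buckets are private by default; any public exposure is flagged.
        if rtype == "storage_bucket" and r.get("public"):
            findings.append((rid, "public_bucket", rtype))
        # Overly permissive roles: wildcard actions, or billing access for a
        # developer role (the example given above).
        if rtype == "iam_role":
            for action in r.get("actions", []):
                if action.endswith("*") or action.startswith("billing:"):
                    findings.append((rid, "overly_permissive_role", action))
    return findings

if __name__ == "__main__":
    for finding in evaluate_guardrails(SAMPLE_INVENTORY):
        print("GUARDRAIL VIOLATION: %s -> %s (%s)" % finding)
```

In a real pipeline the same function would run as a pre-deployment check on the infrastructure-as-code plan and as a scheduled audit of the live inventory, so drift is caught from both directions.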
Next, we look at servers. These are the workhorses of the network, handling critical functions such as hosting websites, managing databases, and supporting applications. Hardening a server begins with the operating system. Applying security patches and software updates regularly is the first line of defense. Every unpatched vulnerability is a potential doorway for attackers. To manage this at scale, many organizations use centralized patch management systems that automatically deploy updates according to predefined schedules.
Beyond patching, it is important to disable unnecessary services. A typical operating system may install dozens of services by default, many of which are not needed in a given server role. Each running service introduces additional complexity and potential risk. By turning off what is not used, administrators reduce the number of ways an attacker could gain a foothold. This principle is known as minimizing the attack surface.
Permissions are another crucial consideration. Whether the server is hosting files, applications, or databases, access should be granted based on role and responsibility. Users and services should only have the permissions they need to perform their functions. For instance, an application might need to read data from a directory but should not be allowed to modify system files. Controlling these permissions carefully helps prevent both accidental and intentional misuse.
In real-world environments, server hardening scenarios often involve enforcing secure shell access, disabling root login, and using firewall rules to control inbound and outbound traffic. Some organizations also implement intrusion detection agents on servers to monitor for suspicious behavior. Logging is essential here as well. Every significant action on a server—from user logins to configuration changes—should be logged and reviewed. This creates an audit trail that is invaluable for investigations and compliance reporting.
Another real-world example involves using configuration management tools to enforce a hardened state. These tools allow administrators to define a secure configuration for each server type and ensure it remains consistent over time. If a change is made outside of policy, the system can automatically revert it or alert an administrator. This helps guard against configuration drift, which can erode security over time.
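The secure shell controls and the drift detection described above can be combined into one check: parse the server's SSH daemon configuration and compare it against a hardened baseline. This is an added example, not code from the episode or from any configuration management product; the baseline values and the sample config are assumptions chosen to match the controls named above.

```python
# Added example: audit an sshd_config-style file against a hardened baseline and
# report drift. Baseline values are assumed (no root login, key-based auth only).

HARDENED_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}

# Constructed sample config from a server that has drifted from the baseline.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
# a later duplicate does not override the first match in sshd
PermitRootLogin no
"""

def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, keeping the FIRST occurrence of each
    keyword, which is how sshd resolves duplicate directives. Match blocks are
    not handled here; a full auditor would scope directives per Match."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings

def find_drift(text, baseline=HARDENED_BASELINE):
    """Compare a config against the baseline; return {keyword: (expected, actual)}.
    A missing directive is reported with actual=None, because the daemon default
    may differ from the hardened value and must not be silently trusted."""
    settings = parse_sshd_config(text)
    drift = {}
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected:
            drift[key] = (expected, actual)
    return drift

if __name__ == "__main__":
    for key, (expected, actual) in find_drift(SAMPLE_SSHD_CONFIG).items():
        print("DRIFT: %s expected %r, found %r" % (key, expected, actual))
```

A configuration management agent would run this on a schedule and either rewrite the file from the baseline or raise an alert, which is the automatic revert-or-alert behaviour described above.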
Finally, we come to industrial control systems and supervisory control and data acquisition platforms. These systems are used in critical infrastructure, manufacturing plants, utility providers, and other specialized environments. Unlike modern information technology systems, these devices often use legacy hardware and software. This makes them difficult to patch, upgrade, or replace. Many were not designed with cybersecurity in mind, and introducing standard security tools can disrupt their operation. As a result, hardening these systems requires a different approach.
Isolation is one of the most effective strategies for protecting industrial control systems. This means placing them on separate networks that are not directly accessible from the internet or from less trusted internal systems. Network segmentation using firewalls and access controls can limit who can interact with these systems and how. In many cases, access to these systems is limited to a small number of known and trusted devices.
Another strategy involves strict monitoring and logging. Because you may not be able to install endpoint protection on legacy devices, you need to rely on network-level monitoring to detect unusual activity. This can include sudden traffic spikes, unexpected protocol usage, or connection attempts from unauthorized sources. In addition, physical security plays a large role in protecting industrial systems. These devices often reside in remote or lightly monitored facilities, making tamper-proof hardware and access controls vital.
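Because endpoint agents are often impossible on legacy controllers, the detection lives on the network. The following added example (not code from the episode or from any monitoring product) runs the three checks just named, traffic spikes, unexpected protocol usage and unauthorized sources, over constructed flow records. The allow-list, host addresses and byte threshold are assumptions; TCP 502 (Modbus) and TCP 20000 (DNP3) are the registered ports for those protocols.

```python
# Added example: network-level detection for an isolated control-system segment,
# evaluated over constructed flow records. Allow-list and threshold are assumed.
from collections import defaultdict

# Engineering workstations permitted to reach the controllers, and the only
# protocol ports expected on this segment.
ALLOWED_SOURCES = {"10.10.5.10", "10.10.5.11"}
EXPECTED_PORTS = {502, 20000}
SPIKE_BYTES = 50_000  # per-source total above which a traffic spike is raised

# Constructed flow log: "timestamp src dst dport bytes"
SAMPLE_FLOWS = """\
2024-03-01T08:00:01 10.10.5.10 10.10.9.20 502 1200
2024-03-01T08:00:02 10.10.5.11 10.10.9.21 20000 900
2024-03-01T08:00:03 10.10.5.10 10.10.9.20 22 300
2024-03-01T08:00:04 192.168.1.55 10.10.9.20 502 400
2024-03-01T08:00:05 10.10.5.11 10.10.9.21 20000 60000
"""

def analyze_flows(text, allowed=ALLOWED_SOURCES, ports=EXPECTED_PORTS, spike=SPIKE_BYTES):
    """Return (timestamp, rule, detail) alerts for unauthorized sources, unexpected
    protocol ports, and per-source traffic spikes (raised once per source)."""
    alerts = []
    totals = defaultdict(int)
    spiked = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        dport, nbytes = int(dport), int(nbytes)
        totals[src] += nbytes
        target = "%s -> %s:%d" % (src, dst, dport)
        # Even a known protocol is suspicious from a host outside the allow-list.
        if src not in allowed:
            alerts.append((ts, "unauthorized_source", target))
        # Anything other than the expected control protocols on this segment.
        if dport not in ports:
            alerts.append((ts, "unexpected_protocol", target))
        # Volume anomaly per source, reported the first time the threshold is crossed.
        if totals[src] > spike and src not in spiked:
            spiked.add(src)
            alerts.append((ts, "traffic_spike", "%s total %d bytes" % (src, totals[src])))
    return alerts

if __name__ == "__main__":
    for ts, rule, detail in analyze_flows(SAMPLE_FLOWS):
        print("%s %s %s" % (ts, rule.upper(), detail))
```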
A secure configuration for a supervisory control system might include features such as disabling remote access when not needed, ensuring only strong authentication is allowed, and reviewing communication protocols for known vulnerabilities. Administrators may also apply read-only settings to critical control interfaces and implement strict change control procedures. Even minor adjustments to these systems can have significant real-world impacts, so any changes must be carefully reviewed and tested.
When preparing for the Security Plus exam, here are some key points to remember about hardening these types of computing resources. First, recognize that each type of system—cloud, server, and industrial—requires a tailored approach. You will likely see scenario-based questions that describe a type of system and ask which hardening strategy is most appropriate. Be prepared to match tools like encryption, identity controls, patching, isolation, and configuration management to the right context. Second, focus on the risks unique to each environment. Cloud systems often suffer from misconfigurations, servers from inconsistent updates or privilege abuse, and industrial systems from unpatched legacy hardware and poor segmentation.
