Security-First Hosting: The Infrastructure Checklist That Keeps Enterprise Clients and Auditors Happy

For any software company selling to enterprise customers, the security review is now a standard part of the sales process. Procurement teams send security questionnaires. IT departments conduct vendor risk assessments. Legal teams review data processing agreements. The questions asked in these processes are largely predictable — and the answers to most of them are determined by the infrastructure decisions made long before the enterprise deal was in the pipeline.

Companies that built their infrastructure with security controls from the start answer these questionnaires in an afternoon. Companies that built fast and deferred security work spend weeks scrambling to implement controls that should have been in place for years — sometimes losing the deal in the process.

The network architecture of a production application is the foundation of its security posture. The baseline requirements that enterprise procurement teams and auditors check for are well-defined: private subnets for application and database tiers (no direct internet exposure for anything except load balancers), security groups configured with least-privilege ingress rules, network ACLs providing a second layer of defence, VPN or private connectivity for administrative access rather than SSH over the public internet, and WAF rules protecting against OWASP Top 10 attacks at the edge.

None of these are technically complex — they are configuration decisions that should be made when the infrastructure is first provisioned. The cost of implementing them retroactively is disproportionately high because the blast radius of any change to a production network is significant.

IAM misconfigurations are the most common cause of cloud security incidents. Overly permissive IAM roles, long-lived credentials stored in environment variables, and service accounts with administrative privileges are present in the majority of cloud environments that have not been specifically hardened.

The principle of least privilege means every service, function, and human user has exactly the permissions required for their specific job — no more. In practice: service roles are scoped to specific resources and actions; no IAM user has static long-lived credentials for production access (all human access goes through role assumption with MFA); access is reviewed quarterly and revoked when no longer needed; and secrets are stored in a secrets manager (AWS Secrets Manager, HashiCorp Vault) rather than environment variables or configuration files.

Three additional controls appear in nearly every security questionnaire. Encryption at rest: all production data must be encrypted, typically using cloud-native KMS-managed keys. Encryption in transit: all service-to-service communication must use TLS 1.2 or above; TLS termination must happen inside the trust boundary, not at an external proxy. These are table stakes and can be verified by auditors in minutes.

Patch management is the control most often neglected in self-managed environments: OS packages and application dependencies must be kept current, with a documented process for applying critical security patches within a defined window (typically 72 hours for critical CVEs). Audit logging — CloudTrail in AWS, Cloud Audit Logs in GCP — must be enabled and retained for a minimum of 12 months with tamper-evident storage, providing the forensic trail that investigators need if an incident occurs.

The most expensive version of compliance is retroactive compliance — applying controls to an infrastructure that was not designed with them in mind. Retroactive encryption migrations require downtime windows. Retroactive network segmentation requires rewriting Terraform that wasn't designed for it. Retroactive audit logging enablement leaves historical gaps that auditors note.

Infrastructure provisioned with compliance controls from the outset — network segmentation, encryption, IAM hardening, audit logging, patch management processes — is not significantly more expensive to build than infrastructure without these controls. The delta is days of initial configuration time. The payoff is months of time saved when the first enterprise security review arrives.