Skip to main content

Defense in Depth

Xloud Cloud Platform enforces security at every layer of the stack. From hypervisor isolation and encrypted data channels to role-based access control and audit logging, the platform is designed so that no single control failure exposes workloads. This layered approach — commonly called defense in depth — means each security boundary operates independently and reinforces the others. The sections below cover every security domain: infrastructure TLS, VM isolation, API authentication, data encryption, network segmentation, compliance frameworks, pre-deployment hardening, and troubleshooting.

Infrastructure Security

Infrastructure Security

TLS configuration for all platform services, certificate management, HAProxy termination, and endpoint hardening.

Hardening Guide

Pre-deployment OS hardening, service minimization, database and message queue hardening, and a step-by-step checklist.

Virtual Machine Security

VM Security

Hypervisor isolation, security groups, vTPM, encrypted volumes, Secure Boot, anti-affinity, and live migration TLS.

Network Security

Security groups, FWaaS, port security, anti-spoofing, VLAN/VXLAN segmentation, and VPN as a Service.

API and Data

API Security

Token authentication, application credentials, rate limiting, CORS, RBAC policy enforcement, and mutual TLS.

Data Security

Volume encryption (LUKS), object storage encryption, key management integration, encrypted backups, and secure deletion.

Compliance and Operations

Compliance and Auditing

Audit logging, log retention, SOC 2 / ISO 27001 / HIPAA / PCI-DSS / GDPR frameworks, and incident response.

Security Troubleshooting

TLS errors, 401/403 authentication failures, security group rule issues, audit log gaps, and encryption failures.

Security Tools

Wazuh

Host intrusion detection, file integrity monitoring, vulnerability assessment, and compliance reporting — deployed across all VMs.

Lynis

OS security auditing with a hardening index score, actionable remediation suggestions, and fleet-wide sweep support.

OpenSCAP

SCAP-based compliance scanning against CIS Benchmarks, DISA STIGs, PCI-DSS, and HIPAA profiles with automated remediation playbooks.

Security Architecture

The following table summarizes the security controls enforced at each layer of the Xloud platform.
LayerControls
HypervisorProcess isolation, seccomp profiles, AppArmor confinement, dedicated service users, live migration TLS
NetworkingSecurity groups (stateful), FWaaS, port security, anti-spoofing, VLAN/VXLAN isolation
Control PlaneTLS on all APIs, token-based authentication, RBAC policy enforcement, rate limiting
StorageLUKS volume encryption, Ceph encryption at rest, key management via Xloud Key Management
AuditCADF event logging, centralized log aggregation, immutable audit trails
Host SecurityIntegrated security platform (intrusion detection + FIM), system auditing, SCAP compliance scanning
Xloud follows a shared responsibility model. The platform enforces infrastructure-level controls. Workload owners are responsible for securing applications running inside virtual machines.

Xloud Security Platform Capabilities

Xloud-Developed — This capability is developed by Xloud and ships with XAVS.
The following security capabilities are built into the Xloud platform and deploy automatically as part of XAVS. Each capability is production-ready and requires no third-party licensing.

Integrated SIEM

Full security information and event management built into the platform. Agent-based monitoring on all nodes with real-time alerting and log correlation.

Triple Compliance Scanning

Three independent scanners running in parallel: SCA benchmarks, system audit, and SCAP profiles. CIS Level 1 and Level 2 benchmarks included.

OS Hardening (CIS Benchmark)

Automated CIS benchmark hardening: SSH controls, audit logging, Docker security benchmarks, AppArmor profiles, and SSH allowlisting.

Security Operations Dashboard

Auto-deployed monitoring dashboard with panels for agent status, API health, credential recovery events, certificate expiry, scan results, and cluster health.

Self-Healing Credentials

Three-layer automated credential recovery: post-deployment enforcement, periodic watchdog (5-minute intervals), and filesystem guardian (10-minute intervals). Recovery time under 5 minutes with zero human intervention.

Active Response

Automated threat response: firewall blocking, host denial, and account disabling on SSH brute force detection.

Certificate Expiry Monitoring

Automated certificate lifecycle monitoring with 30-day warning and 7-day critical alerts across all platform services.

Custom Detection Rules

Platform-specific detection rules for container lifecycle events including start, stop, crash, and resource limit triggers.

Default Alert Rules

12 pre-configured alert rules across 4 groups: node alerts (disk, memory, CPU), service alerts, storage alerts, and infrastructure alerts.

SBOM CI Pipeline

Supply chain security: container image vulnerability scanning, software bill of materials generation (SPDX and CycloneDX formats), and cryptographic image signing.

Quick Links

Enable TLS

Configure TLS for all platform services

Security Groups

Create and manage stateful firewall rules

Encrypt Volumes

Enable LUKS encryption for block storage

Hardening Checklist

Pre-deployment security verification