Automating Compliance: Surviving Schrems II and CIS Benchmarks with Infrastructure-as-Code in Norway

If you are still manually SSH-ing into servers to run apt-get upgrade or check file permissions in July 2022, you have already failed the audit. In the current regulatory climate—specifically with the fallout from the Schrems II ruling and the aggressive enforcement we are seeing from Datatilsynet (The Norwegian Data Protection Authority)—security is no longer about installing a firewall. It is about provenance and state enforcement.

I recently audited a fintech setup in Bergen where the CTO was convinced they were GDPR compliant because their database was encrypted. Yet, their backups were being piped to an S3 bucket in a US-east region. Under current EU law, that is a data transfer violation waiting to happen. Compliance is not a checkbox; it is an architectural decision.

This guide ignores the marketing fluff and focuses on the engineering reality of building a compliant, hardened infrastructure stack using Infrastructure-as-Code (IaC) on Norwegian soil. We will use Ansible for configuration management and OpenSCAP for continuous auditing, running on the high-performance KVM architecture provided by CoolVDS.

1. The Physical Layer: Sovereignty is Not Code

You can write the most secure Terraform code in the world, but if your physical layer is subject to the US Cloud Act, your legal footing in Europe is shaky. This is the primary reason we migrate high-risk workloads from hyperscalers to local providers like CoolVDS.

Architect's Note: When you deploy a VPS in Norway with CoolVDS, you aren't just getting low latency to Oslo IX (though 2ms ping times are nice). You are securing data residency. The drive never leaves the jurisdiction. This solves half the GDPR battle before you even touch the command line.

2. Automated OS Hardening with Ansible

We do not rely on default installation images. Whether it's Ubuntu 22.04 LTS or Rocky Linux 8, the default posture is designed for compatibility, not security. We need to enforce CIS (Center for Internet Security) benchmarks.

Here is a snippet from our production Ansible playbook that enforces SSH hardening. This goes beyond simple password disabling; we are restricting ciphers and preventing privilege escalation abuse.

# roles/security/tasks/ssh.yml
- name: Secure SSHD Configuration
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    validate: 'sshd -t -f %s'
  loop:
    - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
    - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
    - { regexp: '^X11Forwarding', line: 'X11Forwarding no' }
    - { regexp: '^MaxAuthTries', line: 'MaxAuthTries 3' }
    - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 300' }
    - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax 2' }
  notify: restart sshd

Applying this ensures that even if a junior sysadmin tries to open a hole for "easy access," the next Ansible run closes it immediately.
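One caveat a reviewer of that playbook should raise: lineinfile guarantees that a line is present, not that it is the line sshd acts on. sshd honours the first occurrence of a keyword, reads Include globs at the point where the Include line sits (Ubuntu 22.04 ships one at the top of sshd_config, pulling in drop-ins such as cloud-init's), and treats everything after a Match header as conditional. The checker below is an added example, not the article's playbook or Ansible's code; it resolves the effective value the way sshd does and reports drift from the same targets the loop above enforces. It assumes drop-ins are supplied as an in-memory dict and that a Match context ends with the file it appears in.

```python
"""Drift check for sshd_config that resolves values the way sshd does.

Added example (not the article's playbook or Ansible's code). sshd honours the
FIRST occurrence of a keyword, processes 'Include' globs where the Include
line appears, and treats everything after a 'Match' header as conditional.
Assumptions: Match context ends at the end of the file it appears in, and
Include'd drop-ins are passed in as a {path: text} dict.
"""
import fnmatch

# Expected values mirror the article's Ansible loop.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "3",
    "clientaliveinterval": "300",
    "clientalivecountmax": "2",
}

UNSET = "unset (sshd default)"


def _split_directive(line):
    """sshd accepts both 'Keyword value' and 'Keyword=value'; keywords are case-insensitive."""
    head = line.split("=", 1)[0]
    if "=" in line and " " not in head.strip():
        key, _, value = line.partition("=")
    else:
        parts = line.split(None, 1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
    return key.lower(), value.strip()


def _parse_into(text, dropins, settings):
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split_directive(line)
        if key == "match":
            in_match = True          # the rest of this file is conditional
            continue
        if in_match:
            continue
        if key == "include":
            # sshd reads the files matching the glob, in sorted order, right here
            for path in sorted(p for p in dropins if fnmatch.fnmatch(p, value)):
                _parse_into(dropins[path], dropins, settings)
            continue
        settings.setdefault(key, value)  # first occurrence wins


def effective_sshd_settings(main_text, dropins=None):
    """Return {keyword: effective_value} for the unconditional part of the config."""
    settings = {}
    _parse_into(main_text, dropins or {}, settings)
    return settings


def check_drift(settings, expected=EXPECTED):
    """Return [(keyword, expected, effective)] for each keyword off target (values compared case-insensitively)."""
    drift = []
    for key, want in expected.items():
        got = settings.get(key, UNSET)
        if got.lower() != want.lower():
            drift.append((key, want, got))
    return drift


# Constructed sample: an Ubuntu-style main file after the playbook appended its
# lines at EOF (below an operator's Match block), plus a cloud-init style drop-in.
SAMPLE_MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
Match Address 10.0.0.0/8
    PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""

SAMPLE_DROPINS = {
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def audit(main_text=SAMPLE_MAIN, dropins=SAMPLE_DROPINS):
    return check_drift(effective_sshd_settings(main_text, dropins))


if __name__ == "__main__":
    for key, want, got in audit():
        print(f"DRIFT {key}: expected {want!r}, effective {got!r}")
```

On the sample, the three lines the playbook appended are all ineffective: PermitRootLogin and MaxAuthTries land inside the Match block and never apply globally, and PasswordAuthentication is already set to yes by the drop-in that Include pulled in first. On a live host, `sshd -T` prints the same effective values and is the quicker check; this script is for running over configuration pulled out of version control before it is deployed.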

3. Kernel-Level Hardening

Applications are only as secure as the kernel they run on. To mitigate IP spoofing and Man-in-the-Middle attacks, we must modify the network stack variables in sysctl.conf.

On high-performance NVMe VPS instances like those from CoolVDS, we can afford aggressive packet inspection without introducing noticeable latency. Add the following to /etc/sysctl.d/99-security.conf:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Log Martians
net.ipv4.conf.all.log_martians = 1

Apply these changes with sysctl -p /etc/sysctl.d/99-security.conf. If you are running high-traffic web servers, monitor your dmesg logs after applying this to ensure you aren't dropping legitimate traffic due to misconfigured upstream routers.

4. Continuous Auditing with OpenSCAP

Deploying secure configurations is step one. Verifying them continuously is step two. OpenSCAP is the standard tool for checking compliance against the Security Content Automation Protocol (SCAP).

In 2022, manual checklists are obsolete. We use the oscap tool to scan our CoolVDS instances against the standard SSG (SCAP Security Guide) profile for Ubuntu 20.04/22.04.

Installing the Scanner

# ssg-debderived carries the SCAP Security Guide datastreams for Debian-derived
# distributions (the ssg-ubuntu*-ds.xml files referenced below)
apt-get install libopenscap8 ssg-debderived

Running a Scan

This command evaluates the system against the standard profile and generates a report:

oscap xccdf eval \
 --profile xccdf_org.ssgproject.content_profile_cis_level2_server \
 --results-arf arf.xml \
 --report report.html \
 /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

The resulting HTML report will show you exactly where your system deviates from the CIS Level 2 benchmark. A score below 80% on a fresh install is common; your goal is >95% via Ansible remediation.
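The HTML report is for humans; continuous auditing means the scan result also has to stop a pipeline. The script below is an added example, not the article's or the OpenSCAP project's code. It pulls the XCCDF 1.2 rule-result elements out of either a plain results file or the ARF bundle that --results-arf writes (it searches the whole tree, so the wrapper format does not matter), computes a pass rate, and fails when the rate is under the 95% target above or when any failed rule carries a blocking severity. The pass-rate formula is this example's own (pass+fixed over pass+fixed+fail+error+unknown), not oscap's weighted score, so calibrate the threshold against the report before trusting it. The embedded sample result is constructed; its rule ids follow the SSG naming pattern but the outcomes are invented.

```python
"""Turn an oscap results file into a CI gate.

Added example, not the article's or the OpenSCAP project's code. Reads XCCDF
1.2 rule-result elements from a plain results file or an ARF bundle, computes
a pass rate (this example's own formula, not oscap's weighted score) and
returns a non-zero exit status when the gate fails.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}
# notapplicable / notselected / notchecked / informational are not scored

# Constructed sample in the shape of an ARF result; outcomes are invented.
SAMPLE_ARF = f"""<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <TestResult xmlns="{XCCDF}" id="xccdf_org.open-scap_testresult_sample">
          <profile idref="xccdf_org.ssgproject.content_profile_cis_level2_server"/>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high">
            <result>fail</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" severity="medium">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" severity="low">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" severity="medium">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" severity="medium">
            <result>notapplicable</result>
          </rule-result>
        </TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""


def summarize(xml_text):
    """Count outcomes and list failed rules as (idref, severity, outcome)."""
    root = ET.fromstring(xml_text)
    counts, failed = {}, []
    for rr in root.iter(f"{{{XCCDF}}}rule-result"):
        node = rr.find(f"{{{XCCDF}}}result")
        outcome = (node.text or "").strip() if node is not None else "unknown"
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome in FAILING:
            failed.append((rr.get("idref"), rr.get("severity", "unknown"), outcome))
    passed = sum(counts.get(k, 0) for k in PASSING)
    failed_n = sum(counts.get(k, 0) for k in FAILING)
    scored = passed + failed_n
    score = round(100.0 * passed / scored, 2) if scored else 0.0
    return {"counts": counts, "score": score, "failed": failed}


def gate(summary, threshold=95.0, block_on=("high",)):
    """True only if the score meets the threshold (the article's 95% target by
    default) and no failed rule has a severity listed in block_on."""
    if summary["score"] < threshold:
        return False
    return not any(sev in block_on for _, sev, _ in summary["failed"])


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ARF
    s = summarize(text)
    print(f"score {s['score']}%  counts {s['counts']}")
    for idref, sev, outcome in s["failed"]:
        print(f"  {outcome.upper():8} [{sev}] {idref}")
    return 0 if gate(s) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scap_gate.py arf.xml` after the oscap command above; the exit status is what the pipeline keys on. The sample scores 80% (four passes, one fail, one not-applicable rule excluded) and is blocked twice over: below the threshold, and because the one failure is high severity.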

5. The Encryption Trade-off: Why NVMe Matters

Compliance usually demands encryption at rest (LUKS) and encryption in transit (TLS 1.3). The problem? Encryption eats CPU cycles and I/O throughput.

In older SATA SSD environments, enabling Full Disk Encryption (FDE) could drop your IOPS by 15-20%. This is where the underlying hardware of your provider becomes a compliance tool. CoolVDS uses enterprise-grade NVMe storage. The I/O overhead of LUKS on modern NVMe drives is negligible because the bottleneck shifts from the disk to the CPU, and modern AES-NI instruction sets handle the math efficiently.

Nginx TLS 1.3 Configuration

Ensure your web server only talks to modern clients. Drop TLS 1.0 and 1.1 immediately.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
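Because TLS settings tend to regress when someone re-enables an old protocol "for one client", it is worth linting the directives in version control. The linter below is an added example, not the article's configuration or Nginx's code: it parses ssl_protocols and ssl_ciphers from a config fragment and flags legacy protocol versions, opaque OpenSSL groups such as HIGH (whose membership you cannot review), and individual suites that lack forward secrecy (no ECDHE/DHE key exchange) or AEAD (no GCM/CHACHA20/CCM). The article's block above passes clean; the weak fragment embedded alongside it is constructed. It assumes one server context per fragment, so the last occurrence of a directive wins as it would inside a single block.

```python
"""Lint the ssl_* directives of an Nginx server block before deployment.

Added example, not the article's configuration or Nginx's code. Assumption:
one server context per fragment (last occurrence of a directive wins).
"""
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
OPAQUE_GROUPS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL",
                 "HIGH", "MEDIUM", "LOW"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

# The article's directives, verbatim.
ARTICLE_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
"""

# Constructed weak fragment of the kind still found on legacy hosts.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # "keeps old clients working"
ssl_ciphers "HIGH:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:!aNULL:!MD5";
"""


def parse_ssl_directives(conf):
    """Return {directive: [args]} for every ssl_* directive. Comment lines never
    match because the pattern requires the directive name at line start."""
    directives = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", conf, re.MULTILINE):
        directives[m.group(1)] = m.group(2).split()
    return directives


def lint_tls(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    d = parse_ssl_directives(conf)
    findings = []
    protocols = d.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols missing: nginx's version-dependent default applies")
    else:
        for p in protocols:
            if p in LEGACY_PROTOCOLS:
                findings.append(f"legacy protocol enabled: {p}")
    # ssl_ciphers is one OpenSSL cipher string, optionally quoted
    cipher_string = ":".join(d.get("ssl_ciphers", [])).strip("\"'")
    for suite in filter(None, cipher_string.split(":")):
        if suite[0] in "!-+@":
            continue  # exclusions and reorderings cannot weaken the list
        if suite.upper() in OPAQUE_GROUPS:
            findings.append(f"cipher group {suite} is opaque: list explicit suites instead")
            continue
        if not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"cipher without forward secrecy: {suite}")
        if not any(marker in suite for marker in AEAD_MARKERS):
            findings.append(f"cipher without AEAD: {suite}")
    return findings


if __name__ == "__main__":
    for name, conf in (("article", ARTICLE_CONF), ("weak", WEAK_CONF)):
        print(f"{name}: {lint_tls(conf) or 'clean'}")
```

TLS 1.3 suites are not configured through ssl_ciphers (nginx exposes them via ssl_conf_command instead), so the cipher checks here apply to the TLS 1.2 list only; the protocol check is what catches the TLS 1.0/1.1 regressions the section above tells you to remove.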

6. Local Redundancy and Backups

Compliance also requires availability. The "3-2-1" backup rule applies, but with a twist: the offsite copy must still respect data sovereignty. We utilize CoolVDS's snapshotting feature to keep local recovery points, while using rsync over a WireGuard VPN tunnel to push encrypted backups to a secondary Norwegian datacenter location.

| Compliance Requirement | Traditional Solution | Modern Strategy (2022) |
|---|---|---|
| Data Residency | "Select Region: EU" | Explicit Norwegian Hosting (CoolVDS) |
| Access Control | Manual User Management | SSH Keys + Ansible Enforcement |
| Audit Trails | Log checking | OpenSCAP + ELK Stack |

Final Thoughts

Security compliance in 2022 is a discipline of automation. If you rely on humans to remember to close ports, you will eventually be breached. By combining the raw performance and jurisdictional safety of CoolVDS with rigorous IaC practices, you build a fortress that satisfies both the auditors and your engineering team's need for speed.

Don't let legacy infrastructure compromise your legal standing. Deploy a hardened, compliant NVMe instance on CoolVDS today and secure your data where it belongs.