Network Security Policy

Organization: OMNI GAME LABS PTE. LTD.

Effective Date: 02/02/2026

Version: 1.1

Approved by: Zack

1. Purpose

This Network Security Policy defines the rules, standards, and controls for securing the Company's network infrastructure, communications, and data flows. It ensures the protection of confidentiality, integrity, and availability of game servers, backend systems, development environments, player data, and other critical assets.

The policy aims to:

Prevent unauthorized access, data interception, denial-of-service attacks, and other network-based threats.

Maintain secure connectivity for cloud-hosted game servers, APIs, databases, CDNs, and internal tools.

Support rapid development and publishing cycles for mini-games while minimizing risks to live services and player experience.

Comply with applicable regulations, international standards, and cloud security best practices.

2. Scope

This policy applies to all Company networks, including:

Cloud-based infrastructure (e.g., AWS, GCP, Azure) hosting game servers, backend services, databases, caching layers, and CDNs.

Internal office networks, VPNs, developer workstations, build/CI/CD pipelines, and test/staging environments.

All wired, wireless, remote access (VPN), and internet-facing connections.

Network devices (firewalls, routers, load balancers, WAFs), virtual networks (VPCs, subnets), and network security groups.

Any systems transmitting or processing Company or player data (e.g., login credentials, behavioral analytics, monetization flows).

This policy does not cover player client-side networks or devices (handled by app stores or auto-updates), but the Company monitors public network threats affecting clients and recommends mitigations.

3. Definitions

Network Segmentation: Logical or physical separation of networks to limit lateral movement (e.g., VPCs, subnets, security groups).

Zero Trust: "Never trust, always verify" – continuous authentication and least-privilege access.

Perimeter Security: Controls at network boundaries (firewalls, WAF, DDoS protection).

Encryption in Transit: Protection of data during transmission (e.g., TLS 1.3).

4. Roles and Responsibilities

CTO / CISO / Security Lead: Overall accountability; approves network changes, exceptions, and annual reviews.

Security / DevOps / Network Team: Designs, implements, monitors, and maintains network security controls; conducts segmentation and hardening.

Development Team: Follows secure network practices in code (e.g., no hardcoded endpoints); tests network-dependent features in staging.

All Employees & Contractors: Use networks responsibly; report anomalies; do not bypass controls (e.g., no unauthorized VPNs or open ports).

Third-Party Vendors / Cloud Providers: Adhere to shared responsibility model; provide secure network services and notify of incidents.

5. Key Network Security Requirements

5.1 Network Design and Segmentation

Implement strong segmentation: Separate production (live game servers), staging/test, development, and administrative networks using VPCs/subnets, Network Security Groups (NSGs), and firewalls.

Use micro-segmentation where feasible for sensitive workloads (e.g., player data databases isolated from public-facing APIs).

Prohibit direct public internet exposure for sensitive backend services; use private endpoints, bastion hosts, or VPN-only access.

5.2 Perimeter and Boundary Protection

Deploy next-generation firewalls (NGFW), Web Application Firewalls (WAF), and DDoS mitigation (e.g., cloud provider services like AWS Shield, Cloudflare).

Enforce strict inbound/outbound rules: Deny by default; allow only necessary ports/protocols (e.g., HTTPS 443 for game traffic).

Protect against common threats: Block SQL injection, XSS, and exploit attempts via WAF rules.

5.3 Access Control and Authentication

Enforce Zero Trust principles: Require multi-factor authentication (MFA) for all remote/VPN access and privileged accounts.

Use least-privilege access: Role-based access control (RBAC) for network resources; temporary/just-in-time access for admins.

Secure remote access: Mandate company-managed VPN with strong encryption (e.g., IPsec/TLS); prohibit split-tunneling for sensitive sessions.

5.4 Encryption

Mandate encryption in transit for all data flows: Use TLS 1.3 (minimum TLS 1.2) for game client-server communication, APIs, and internal traffic.

Encrypt sensitive data at rest on any system that transmits it over networks (align with the data protection policy).

5.5 Monitoring, Logging, and Detection

Enable comprehensive logging of network traffic, firewall events, and access attempts.

Use centralized logging (e.g., SIEM or cloud-native tools) with real-time alerts for anomalies (e.g., unusual outbound traffic, port scans).

Conduct periodic network vulnerability scans and penetration testing (at least quarterly for production).

5.6 Wireless and Remote Access

Secure Wi-Fi: Use WPA3-Enterprise with strong authentication; separate guest networks.

For remote work: Require endpoint protection, VPN, and device compliance checks.

5.7 Change Management and Hardening

All network changes (e.g., firewall rules, new VPCs) require approval, testing in staging, and documentation.

Harden default configurations: Disable unused services/ports; apply vendor security baselines.

6. Acceptable Use and Prohibitions

Prohibited: Unauthorized network devices, personal hotspots, sharing credentials, bypassing proxies/firewalls, or installing unapproved remote access tools.

Acceptable use aligns with company policies; violations may result in disciplinary action.

7. Incident Response Integration

Network security events feed into the Incident Response Policy.

For active threats (e.g., DDoS on game servers): Activate mitigation immediately; notify leadership, and players if service is impacted.

8. Exceptions

Any exceptions (e.g., temporary open ports for debugging) require documented risk assessment, compensating controls, and CTO approval.

Exceptions are time-bound (max 90 days) and reviewed regularly.
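As an added illustration of how the deny-by-default rule in 5.2, the TLS floor in 5.4 and the 90-day exception limit in section 8 can be checked mechanically, the following Python script (written for this page, not the Company's own tooling) audits a constructed set of inbound security-group rules and TLS listeners; the rule ids, field names, dates and the shape of the exception record are assumptions.

```python
from datetime import date

APPROVED_PUBLIC_PORTS = {443}   # 5.2: only HTTPS game traffic is exposed to the internet
MIN_TLS = (1, 2)                # 5.4: TLS 1.3 preferred, TLS 1.2 is the floor
MAX_EXCEPTION_DAYS = 90         # 8: every exception is time-bound
AS_OF = date(2026, 2, 2)        # audit date; the policy's effective date is used here

# Constructed sample data: hypothetical rule ids and field names, not a real cloud API.
SAMPLE_RULES = [
    {"id": "sg-1", "direction": "in", "cidr": "0.0.0.0/0", "port": 443, "proto": "tcp"},
    {"id": "sg-2", "direction": "in", "cidr": "0.0.0.0/0", "port": 22, "proto": "tcp",
     "exception": {"approved_by": "CTO", "granted": "2026-01-10", "expires": "2026-06-01"}},
    {"id": "sg-3", "direction": "in", "cidr": "10.0.0.0/8", "port": 5432, "proto": "tcp"},
    {"id": "sg-4", "direction": "in", "cidr": "0.0.0.0/0", "port": 0, "proto": "any"},
]
SAMPLE_LISTENERS = [{"id": "lb-api", "min_tls": "1.2"}, {"id": "lb-legacy", "min_tls": "1.0"}]

def is_public(cidr):
    return cidr in ("0.0.0.0/0", "::/0")

def check_rule(rule, today):
    """Findings for one rule against 5.2 (deny by default) and 8 (exception limits)."""
    rid = rule["id"]
    if rule["direction"] != "in" or not is_public(rule["cidr"]):
        return []  # internal-source rules belong to the segmentation review (5.1), not here
    if rule["proto"] == "any" or rule["port"] == 0:
        return [f"{rid}: allow-all from the internet violates deny-by-default (5.2)"]
    if rule["port"] in APPROVED_PUBLIC_PORTS:
        return []
    exc = rule.get("exception")
    if exc is None:
        return [f"{rid}: port {rule['port']} open to the internet with no documented exception (5.2/8)"]
    findings = []
    granted, expires = date.fromisoformat(exc["granted"]), date.fromisoformat(exc["expires"])
    if (expires - granted).days > MAX_EXCEPTION_DAYS:
        findings.append(f"{rid}: exception spans {(expires - granted).days} days, limit is {MAX_EXCEPTION_DAYS} (8)")
    if expires < today:
        findings.append(f"{rid}: exception expired on {expires}; the rule must be removed (8)")
    return findings

def check_listener(listener):
    """Findings for one TLS endpoint against the 5.4 minimum protocol version."""
    version = tuple(int(part) for part in listener["min_tls"].split("."))
    return [] if version >= MIN_TLS else [f"{listener['id']}: minimum TLS {listener['min_tls']} is below 1.2 (5.4)"]

def audit(rules, listeners, today):
    """Run every check and return the combined list of policy findings."""
    findings = [f for rule in rules for f in check_rule(rule, today)]
    return findings + [f for listener in listeners for f in check_listener(listener)]
```

Run against the sample data it reports three findings: the over-long SSH exception, the allow-all rule, and the listener still accepting TLS 1.0; re-running with a later audit date adds an expired-exception finding for the same SSH rule.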

9. Documentation & Reporting

Maintain records of network architecture diagrams, firewall rules, segmentation maps, and audit logs.

Provide quarterly reports: Key metrics (e.g., blocked threats, open vulnerabilities, compliance with segmentation).

10. Training & Awareness

Annual training for staff on network threats (e.g., phishing leading to credential compromise, secure remote access).

11. Review & Update

Review annually, after major incidents, cloud migrations, or regulatory changes.

12. Compliance & Enforcement

Non-compliance may result in disciplinary action, up to and including termination.

Audits (internal/external) verify adherence.