- All network communication must be encrypted. (Loopback is excluded.)
- Authenticate and authorize the user.
- Authenticate and authorize the application.
- Audit logging for everything money-related or dangerous.
- Applications run without root/administrator privileges.
- Firewalls/security groups are nice, but can never be the only protection.
- Use the principle of need-to-know for data access, i.e. applications shall not have access to data they don't need.
- Use several levels of security. Users can be compromised. Applications can be compromised. Users make mistakes. Developers make mistakes. Operations make mistakes. You get the point.