Use a Firewall with security policy rules allowing only trusted IP addresses and ports; Block all othertraffic by default. This way unknown sources won’t be able to reach serverthrough network. In this scenario, we can just permit outbound ftp (tcp21) tothe accounting server IP addressCreate a site to site VPN tunnel with highestlevel of encryption and hashing algorithmbetween datacenter and corporateoffice. The unencrypted XML/CSV files can now besafeguarded through an encrypted VPNtunnel.
Setup both server and mySQL database with a 2 form authentications such a way that user has to providehis own key and also get an RSA token keyto log in. This way if we notice the server is stolen from data center we can immediately disable RSA token forthe user so that he cannot login.If the server detects multiple failed logins itshould disable the user access andrequire admin credentials to unlock. Multiple failed attempts for admin credentials should erase the databaseDisable read and write access for externalmemory drives so that databaseadministrators won’t be able to transfer information from the server.In addition to further strengthen the securitywe can use IDS/IPS device from detectingand preventing non trusted IPs/users. Install anti-virus, anti-ransomwareapplications on server.
Have a log collectorto analyze and alarm unusual activities on the server.