Started by dlots, October 16, 2015, 12:16:49 PM

We are looking at making a cloud-based system that people can sign up for that I would consider a high-value target system, and I am trying to figure out how to secure it. I know basic stuff like VRFs, firewalls, ACLs, routing/VRRP authentication, Control Plane Policing, etc., but I would really like a document from people who are "good" at security that would give me a checklist or something.


Put Cloudflare or similar in front for DDoS scrubbing. Then make sure you have good layer 7 firewalls/IPS in front. Put the DNS on your load balancers via GSLB so you can scale out redundant active sites. The load balancers can actually act as a second layer of application-level filtering.
Have active monitoring on the IPS/FW and hourly updates for signatures. The good vendors will push out zero-day signatures that quickly.
Make sure the IPS is tuned; the more Nazi, the better.
Backend behind a second layer of firewalls, no direct connectivity allowed from the internet zone, all comms to the DMZ must be encrypted and preferably originate from inside only; again, IPS that layer if you can. Some will say a different vendor too.
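The tiered layout in the post above (internet zone, DMZ, backend; no direct internet-to-backend path; DMZ traffic encrypted and originated from inside) is easy to describe and easy to break with one "temporary" rule. The following is an added example, not code from the thread: a small stateful rule evaluator plus a linter that probes a rule set for the invariants the post lists. Zone names, the rule format, the probe ports and the "encrypted ports" set are assumptions made for illustration; a real deployment would generate the flows from the actual firewall export.

```python
"""Zone-policy linter for a tiered model: internet -> DMZ -> backend,
stateful, default deny.

Added example, not from the thread. Zone names, the rule format and the
ENCRYPTED_PORTS list are assumptions made for illustration."""
from dataclasses import dataclass
from typing import List, Optional

INTERNET, DMZ, BACKEND = "internet", "dmz", "backend"

# Assumption: the only services exposed between zones run over TLS on these ports.
ENCRYPTED_PORTS = {443, 8443}


@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # destination port, None matches any port
    state: str           # "new" (connection setup) or "established" (reply traffic)
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    state: str


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (r.src, r.dst, r.state) == (flow.src, flow.dst, flow.state) and r.port in (None, flow.port):
            return r.action
    return "deny"


def lint(rules: List[Rule], probe_ports=(22, 80, 443, 3306, 8443)) -> List[str]:
    """Probe a rule set for the invariants behind the tiered design."""
    findings = []
    for port in probe_ports:
        # 1. The internet zone never reaches the backend, not even as reply traffic.
        for state in ("new", "established"):
            if evaluate(rules, Flow(INTERNET, BACKEND, port, state)) == "allow":
                findings.append(f"internet->backend allowed on {port}/{state}")
        # 2. The DMZ never originates connections into the backend; only replies
        #    to connections the backend opened may flow back inward.
        if evaluate(rules, Flow(DMZ, BACKEND, port, "new")) == "allow":
            findings.append(f"dmz may originate connections to backend on {port}")
        # 3. Whatever is allowed into the DMZ must be an encrypted service.
        for src in (INTERNET, BACKEND):
            if evaluate(rules, Flow(src, DMZ, port, "new")) == "allow" and port not in ENCRYPTED_PORTS:
                findings.append(f"{src}->dmz allowed on cleartext port {port}")
    return findings


# Constructed rule sets for illustration.
WEAK_RULES = [
    Rule(INTERNET, DMZ, None, "new", "allow"),        # whole DMZ exposed on any port
    Rule(INTERNET, BACKEND, 22, "new", "allow"),      # "temporary" admin SSH from outside
    Rule(DMZ, BACKEND, 3306, "new", "allow"),         # web tier dials the database directly
    Rule(BACKEND, DMZ, None, "new", "allow"),         # backend talks to the DMZ in the clear
]

GOOD_RULES = [
    Rule(INTERNET, DMZ, 443, "new", "allow"),         # only TLS reaches the DMZ
    Rule(DMZ, INTERNET, None, "established", "allow"),  # replies to internet clients
    Rule(BACKEND, DMZ, 8443, "new", "allow"),         # backend opens the DMZ hop, over TLS
    Rule(DMZ, BACKEND, None, "established", "allow"),   # only replies flow back inward
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("good", GOOD_RULES)):
        print(name, lint(rules) or ["no findings"])
```

The linter is deliberately blind to how the rules are written and only asks what the rule set permits for each probe, which is the question an auditor asks; running it against every exported rule set in CI catches the one-off exception that quietly reopens the path from the internet to the backend.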


I'd second the layer 7 firewall/WAF comment; your web services and applications are probably going to be among the biggest attack vectors.
Mix vendors so that an SSH vuln in one doesn't bring down the house.

Also, you will need tools for securing intellectual property, such as things that will alert on or block traffic that includes information from files that should not be copied.
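The "alert on or block traffic that includes information from files that should not be copied" tooling mentioned above is usually built on document fingerprinting: hash overlapping word n-grams of each protected file, then score outbound content against that index, so a pasted paragraph still matches after the case, punctuation and surrounding text change. The block below is an added example of that technique, not code from the thread or any vendor product; the protected documents, the outbound messages, the five-word shingle size and the hit threshold are all constructed for illustration.

```python
"""Content-aware DLP check: fingerprint protected documents with hashed
word n-grams, then score outbound payloads against the index.

Added example, not from the thread. Document names, payloads, shingle
size and threshold are constructed for illustration."""
import hashlib
import re
from typing import Dict, List, Set

NGRAM = 5  # assumption: five-word shingles; shorter raises false positives


def normalize(text: str) -> List[str]:
    """Lower-case and strip punctuation so reformatting does not evade the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, n: int = NGRAM) -> Set[str]:
    """Hash every run of n consecutive words (a truncated SHA-256 is enough here)."""
    words = normalize(text)
    out = set()
    for i in range(len(words) - n + 1):
        gram = " ".join(words[i:i + n])
        out.add(hashlib.sha256(gram.encode()).hexdigest()[:16])
    return out


def build_index(documents: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map shingle hash -> names of the protected documents containing it."""
    index: Dict[str, Set[str]] = {}
    for name, text in documents.items():
        for h in shingles(text):
            index.setdefault(h, set()).add(name)
    return index


def inspect(payload: str, index: Dict[str, Set[str]], min_hits: int = 3) -> Dict[str, int]:
    """Return {document: matching shingle count} for every document at or over min_hits."""
    hits: Dict[str, int] = {}
    for h in shingles(payload):
        for name in index.get(h, ()):
            hits[name] = hits.get(name, 0) + 1
    return {name: c for name, c in hits.items() if c >= min_hits}


# Constructed "protected" documents; in practice these are crawled from the file share.
PROTECTED = {
    "roadmap-2016": ("Project Falcon will migrate the billing engine to the new "
                     "cluster in the second quarter and retire the legacy mainframe by October."),
    "pricing": ("Enterprise tier list price is 120 per seat per month with a "
                "35 percent discount for three year commitments."),
}
INDEX = build_index(PROTECTED)

# Constructed outbound messages: one quotes the roadmap with altered case and
# punctuation, one merely shares vocabulary with it.
LEAK = "FYI from the deck: 'The billing engine to the NEW cluster, in the second quarter' - keep quiet."
BENIGN = "Lunch on Thursday? The new cluster is running fine."

if __name__ == "__main__":
    for label, msg in (("leak", LEAK), ("benign", BENIGN)):
        print(label, inspect(msg, INDEX))
```

The threshold is the tuning knob: a single shared five-word phrase is noise, a run of them is a copy. Note the obvious limits, which also apply to commercial DLP: the index only sees content it has been fed, a payload that is encrypted or encoded before it reaches the inspection point yields no shingles at all, and the inspection has to sit where traffic is in the clear (on the endpoint, or on a proxy that terminates TLS).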
