Our application and database services are not accessible directly from the internet. A selected group of engineers has access to a VPN which provides access to our application servers. Two-factor authentication (2FA) is required on all accounts, strong passwords are enforced and the connection is automatically closed after a brief period of inactivity.
Communication with the application servers is only possible, once logged in to the VPN, over SSH. We use key-based authentication, keys are issued on a per-employee basis and managed via a centralised system and automatically deployed. Once revoked the keys are automatically removed from our application servers.