
© Omegabit LLC, 2023


Systems Maintenance - Server Hardening

Q:

Server Hardening

What OS hardening has been done to the system?


A:

Infrastructure hardening is extensive and occurs at many levels of the hardware/software/network stack. This is documented in the Omegabit Internal Operations Wiki and, where applicable, in Client Wikis, which are private to each specific Client. Details are typically summarized in a policy statement supplied by Omegabit. compliant tenant.

 

All layers of the infrastructure are continuously hardened against evolving threats (Firewalls, VMware, Storage, etc.). Firewalls are updated hourly against a live DB of known threats. We can optionally enable zero-day quarantine and Data Loss Protection filtering (they have some performance tradeoffs but are available to you if desirable). Your provisioned infrastructure operates in a private VLAN "bubble" that is completely locked down. Only SSH and HTTP/S are exposed to the Internet by default, and we can restrict access to any service at the firewall on request.

The OS VM containers that are provided are also pre-hardened and patched to the latest OS release on delivery. Only necessary services are installed/activated. All passwords are set to strong values, and admin access is limited where applicable (e.g., root can only connect to MySQL from localhost by default).

We do not run OS-level firewall services by default, except where applicable for special configuration. However, they can be enabled if desirable (we recommend against it, for best performance and given the nature of the isolated infrastructure and the hardware firewalls in front; the VLAN is trusted). All servers also actively watch for and respond to intrusions, using fail2ban to watch all connected services for brute-force and DDoS attacks.

Strong passwords are enabled and configured by default. We do expect your team to maintain their own passwords. However, we can enable password change restrictions in the OS on request. We typically defer to you to set the security in Liferay as you require, but can certainly advise on best practices and how to use the Liferay password controls.

Because manning the systems is a joint responsibility, and both teams have access, we are continuously looking for changes that may imply risk and will advise on them, e.g., permission changes, or the dev team deciding to install new services. Our expectation is that you keep us informed of changes that occur outside of our control, so that we don't step on those efforts and can advise on any potential impact (security or otherwise).

If you would like a more formal and automated means of documenting this, we strongly recommend considering a subscription to Dynatrace SaaS, which provides auditable recording of environment changes as well as a fantastic set of performance analysis tools for your custom application. Let me know if this is of interest and we can discuss in more detail.


