All network communication must be encrypted. (Loopback is excluded.)
Authenticate and authorize user.
Authenticate and authorize application.
Audit logging for everything money related or dangerous.
Applications run without root/administrator privileges.
Firewalls/security groups are nice, but can never be the only protection.
Use principle of need-to-know for data access. I.e. applications shall not have access to data they don't need.
Use several levels of security. Users can be compromised. Applications can be compromised. Users make mistakes. Developers make mistakes. Operations make mistakes. You get the point.