Have you considered firewall and IDS/IPS as it relates to moving IT applications onto a virtualized environment (such as IaaS other than Amazon)? Would the deployment consist of an appliance-based firewall effectively "sliced up" for multi-tenancy/multi-domain in case of single-tenant, or would deployment as a virtual firewall be an option to consider?
This is a great question and one that many people moving applications to the cloud and using Infrastructure as a Service (IaaS) are probably working through as well. When using IaaS, all of the vulnerabilities associated with Platform as a Service (PaaS) and Software as a Service (SaaS) models are present, along with any vulnerabilities related to the IaaS model. When utilizing IaaS, however, users enjoy the most flexibility, since they have control over the entire stack: infrastructure, platform and software.
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send him an email today! (All questions are anonymous.)
With IaaS, however, the responsibility of security rests with the customer, not the provider. Using a network-appliance-based firewall/IPS requires the ability to manage the security in your IaaS provider's network. As you might expect, not all IaaS providers allow customers to add devices ad hoc to their networks; many see it as a network operations headache and a security risk they'd rather live without. How you'll manage this is the first thing you need to figure out before heading down this road.
As an alternative, companies often buy a managed service from the IaaS provider so that they can still have the functionality a multifunction security appliance offers, even if it's not possible to host their own hardware in the provider's data center. Personally, I don't believe this allows companies the freedom of making changes when they need to; I've always felt handcuffed when a provider has control over changes or updates that affect my security posture.
That being said, I think creating a virtual firewall is definitely a viable option to consider. Since you would already be hosting the rest of your infrastructure in the cloud, it would make sense to take the extra step and create that virtual firewall. If you've made the decision to host your data, applications and/or OS with a cloud provider, I believe that having complete control over your security is a no brainer.
This was first published in March 2013