Have you considered firewall and IDS/IPS as it relates to moving IT applications onto a virtualized environment...
(such as IaaS other than Amazon)? Would the deployment consist of an appliance-based firewall effectively "sliced up" for multi-tenancy/multi-domain in case of single-tenant, or would deployment as a virtual firewall be an option to consider?
This is a great question and one that many people moving applications to the cloud and using Infrastructure as a Service (IaaS) are probably working through as well. When using IaaS, all of the vulnerabilities associated with Platform as a Service (PaaS) and Software as a Service (SaaS) models are present, along with any vulnerabilities related to the IaaS model. When utilizing IaaS, however, users enjoy the most flexibility, since they have control over the entire stack: infrastructure, platform and software.
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send him an email today! (All questions are anonymous.)
With IaaS, however, the responsibility of security rests with the customer, not the provider. Using a network-appliance-based firewall/IPS requires the ability to manage the security in your IaaS provider's network. As you might expect, not all IaaS providers allow customers to add devices ad hoc to their networks; many see it as a network operations headache and a security risk they'd rather live without. How you'll manage this is the first thing you need to figure out before heading down this road.
As an alternative, companies often buy a managed service from the IaaS provider so that they can still have the functionality a multifunction security appliance offers, even if it's not possible to host their own hardware in the provider's data center. Personally, I don't believe this allows companies the freedom of making changes when they need to; I've always felt handcuffed when a provider has control over changes or updates that affect my security posture.
That being said, I think creating a virtual firewall is definitely a viable option to consider. Since you would already be hosting the rest of your infrastructure in the cloud, it would make sense to take the extra step and create that virtual firewall. If you've made the decision to host your data, applications and/or OS with a cloud provider, I believe that having complete control over your security is a no brainer.
Dig Deeper on Application firewall security
Related Q&A from Matthew Pascucci
Google Cloud KMS is a new encryption key management service available for Google customers. Expert Matthew Pascucci discusses how this service works ...continue reading
Flaws in AirWatch Agent and AirWatch Inbox allowed rooted devices to bypass the software's security measures. Expert Matthew Pascucci explains how ...continue reading
Universal second factor devices can be used to strengthen authentication on major websites such as Facebook. Expert Matthew Pascucci explains how U2F...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.