Have you considered firewall and IDS/IPS as it relates to moving IT applications onto a virtualized environment...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
(such as IaaS other than Amazon)? Would the deployment consist of an appliance-based firewall effectively "sliced up" for multi-tenancy/multi-domain in case of single-tenant, or would deployment as a virtual firewall be an option to consider?
This is a great question and one that many people moving applications to the cloud and using Infrastructure as a Service (IaaS) are probably working through as well. When using IaaS, all of the vulnerabilities associated with Platform as a Service (PaaS) and Software as a Service (SaaS) models are present, along with any vulnerabilities related to the IaaS model. When utilizing IaaS, however, users enjoy the most flexibility, since they have control over the entire stack: infrastructure, platform and software.
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send him an email today! (All questions are anonymous.)
With IaaS, however, the responsibility of security rests with the customer, not the provider. Using a network-appliance-based firewall/IPS requires the ability to manage the security in your IaaS provider's network. As you might expect, not all IaaS providers allow customers to add devices ad hoc to their networks; many see it as a network operations headache and a security risk they'd rather live without. How you'll manage this is the first thing you need to figure out before heading down this road.
As an alternative, companies often buy a managed service from the IaaS provider so that they can still have the functionality a multifunction security appliance offers, even if it's not possible to host their own hardware in the provider's data center. Personally, I don't believe this allows companies the freedom of making changes when they need to; I've always felt handcuffed when a provider has control over changes or updates that affect my security posture.
That being said, I think creating a virtual firewall is definitely a viable option to consider. Since you would already be hosting the rest of your infrastructure in the cloud, it would make sense to take the extra step and create that virtual firewall. If you've made the decision to host your data, applications and/or OS with a cloud provider, I believe that having complete control over your security is a no brainer.
Dig Deeper on Application firewall security
Related Q&A from Matthew Pascucci
Researchers found several Dnsmasq vulnerabilities that affect Google's Android operating system. Matt Pascucci explains how these flaws can be ...continue reading
After introducing HTTP Public Key Pinning to the internet two years ago, the upcoming Chrome will replace it with the Expect-CT header. Matt Pascucci...continue reading
A major SAML vulnerability was found in Slack that granted expired login credentials permission into the system. Matt Pascucci explains how this '...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.