Have you considered firewall and IDS/IPS as it relates to moving IT applications onto a virtualized environment (such as IaaS other than Amazon)? Would the deployment consist of an appliance-based firewall effectively "sliced up" for multi-tenancy/multi-domain in case of single-tenant, or would deployment as a virtual firewall be an option to consider?
This is a great question and one that many people moving applications to the cloud and using Infrastructure as a Service (IaaS) are probably working through as well. When using IaaS, all of the vulnerabilities associated with Platform as a Service (PaaS) and Software as a Service (SaaS) models are present, along with any vulnerabilities related to the IaaS model. When utilizing IaaS, however, users enjoy the most flexibility, since they have control over the entire stack: infrastructure, platform and software.
Have questions about network security for expert Matt Pascucci? Send him an email today! (All questions are anonymous.)
With IaaS, however, the responsibility of security rests with the customer, not the provider. Using a network-appliance-based firewall/IPS requires the ability to manage the security in your IaaS provider's network. As you might expect, not all IaaS providers allow customers to add devices ad hoc to their networks; many see it as a network operations headache and a security risk they'd rather live without. How you'll manage this is the first thing you need to figure out before heading down this road.
As an alternative, companies often buy a managed service from the IaaS provider so that they can still have the functionality a multifunction security appliance offers, even if it's not possible to host their own hardware in the provider's data center. Personally, I don't believe this allows companies the freedom of making changes when they need to; I've always felt handcuffed when a provider has control over changes or updates that affect my security posture.
That being said, I think creating a virtual firewall is definitely a viable option to consider. Since you would already be hosting the rest of your infrastructure in the cloud, it would make sense to take the extra step and create that virtual firewall. If you've made the decision to host your data, applications and/or OS with a cloud provider, I believe that having complete control over your security is a no-brainer.