It used to be a good design to not only run applications in different tiers, but also physically separate them on different network switches. Network devices have since improved (security-wise) and some folks seem to be alright with virtual switches. And then came the cloud infrastructure, where security is mostly limited to host-based firewalls, passwords or keypairs. And the super-smart network admins (and the larger organizations selling them the hardware) who have been doing an excellent job of protecting your applications from the "bad guys" are not needed anymore :)
So here are my questions about what is the recommended practice for securing applications in the cloud.
1) Should we abandon the n-tier application model?
2) Is it enough to set up a host-based firewall?
3) If the answer for 1 and 2 is yes, does it mean that we could have solved this problem without costly/smart network devices even without the cloud?
4) Why isn't anyone talking about host-based intrusion detection on the cloud yet?
5) Or are we confident we don't need IDS anymore?
6) Even though the bar has dropped to develop and launch a website, has the bar to develop secure applications increased because of the lack of implied security which developers used to have in the old model?
7) What security practice do you have for building/hosting your application on the cloud? (other than blocking unused ports)
ASKED: February 3, 2010 1:01 PM
UPDATED: March 2, 2010 2:01 AM
Hi Xenophon22,
Thanks so much for the answer! Very comprehensive thoughts.
I’ll try and round up some thoughts on best security practices for cloud deployments. It’s a tough problem to tackle.