1) Should we abandon n-tier application model? 1. No. From a functionality standpoint it is still beneficial to have a tiered system as a way of resolving errors within a program and when trying to establish interoperability with another program. I liken this method to the half-split method of troubleshooting a connection issue. I feel that the n-tier model offers a flexibility which still holds importance that cloud computing does not usurp. 2) Is it enough to setup host based firewall? No. The simple answer is that just because great security was established between internal and external communications does not mean that a problem cannot come from within. This could result from any portable device accessing the network where it has been used outside of the firewall beforehand. An IDS would prove invaluable at this point; not only for saving the network but also for isolating the cause. This also answers #5. IDS is, as far as I know, the best way of managing security within a network. Granted, my knowledge of such things is limited, but I cannot see how providing the most secure practices to a network would hinder an organization. 4) Why isn't anyone talking about host-based intrusion detection on the cloud yet? If the service is host-based then it cannot be fully guaranteed (not that any service really could anyways). I also think that it is being spoken of just without finite resolve. The first company that finds a truly effective way of providing secure cloud computing at a reasonable price without sacrificing performance will find a good deal of business. 6) Even though the bar has dropped to develop and launch a website, has the bar to develop secure applications increased because of lack of implied security which developers used to have in the old model? Indeed. I think that as people are both trying to protect their own software and the work of those who purchased the software, security within applications has grown in importance. From a proprietary standpoint, a lack of proper security would result in a loss of profit. From a purchaser standpoint, people do not want their work modified or jeopardized because of a manipulated application. 7) What security practice do you have for building/hosting your application on the cloud? (Other than blocking unused ports) I do not have one. I would like to see others’ answers on this question.

1) Should we abandon n-tier application model? 1. No. From a functionality standpoint it is still beneficial to have a tiered system as a way of resolving errors within a program and when trying to establish interoperability with another program. I liken this method to the half-split method of troubleshooting a connection issue. I feel that the n-tier model offers a flexibility which still holds importance that cloud computing does not usurp. 2) Is it enough to setup host based firewall? No. The simple answer is that just because great security was established between internal and external communications does not mean that a problem cannot come from within. This could result from any portable device accessing the network where it has been used outside of the firewall beforehand. An IDS would prove invaluable at this point; not only for saving the network but also for isolating the cause. This also answers #5. IDS is, as far as I know, the best way of managing security within a network. Granted, my knowledge of such things is limited, but I cannot see how providing the most secure practices to a network would hinder an organization. 4) Why isn't anyone talking about host-based intrusion detection on the cloud yet? If the service is host-based then it cannot be fully guaranteed (not that any service really could anyways). I also think that it is being spoken of just without finite resolve. The first company that finds a truly effective way of providing secure cloud computing at a reasonable price without sacrificing performance will find a good deal of business. 6) Even though the bar has dropped to develop and launch a website, has the bar to develop secure applications increased because of lack of implied security which developers used to have in the old model? Indeed. I think that as people are both trying to protect their own software and the work of those who purchased the software, security within applications has grown in importance. From a proprietary standpoint, a lack of proper security would result in a loss of profit. From a purchaser standpoint, people do not want their work modified or jeopardized because of a manipulated application. 7) What security practice do you have for building/hosting your application on the cloud? (Other than blocking unused ports) I do not have one. I would like to see others’ answers on this question.