For most organizations, moving to the cloud has become a requirement, not an option. In the cloud, many of the same security controls are required but how they are delivered needs to change in order to fit into the agile cloud environment and DevOps methodologies. In the data center, security controls are delivered at the perimeter either using hardware security appliances for Firewall or Intrusion detection & prevention (IDS/IPS); or delivered through software (agents) on the servers themselves, such as Anti-Malware or File Integrity Monitoring. In the cloud, security is a shared responsibility which means that both the cloud provider and the cloud user share responsibilities for providing protection. Cloud providers like AWS provide immense physical data center security and processes, which is great for cloud users as it takes a lot of work off their plate. But it also means that cloud users can’t bring the hardware firewall or IPS devices to the cloud as they don’t have access to the physical servers. That leaves two options for controls like IPS:
  1. Gateway or virtual appliance
  2. Host-based with security software (agent) running on each workload
  To get a better idea of the different approaches let’s dive into an example of IDS/IPS architecture in the cloud, as it is one of the security controls that most organizations have and it is often required for compliance.  

Intrusion Detection and Prevention (IDS/IPS) Overview

Intrusion Detection Systems (IDS) were the first generation of network security controls. A reactive control, it would alert you when a breach or attack occurred so you could investigate. Intrusion Prevention Systems (IPS) overtook IDS in popularity because of the ability to proactively block attacks, not just react to them. IDS/IPS systems for data centers were network-based and consisted of dedicated hardware appliance with the performance and throughput being based on the size of the network interface, CPU and memory.  

Virtual Appliance (Gateway) Approach

Using the security virtual appliance deployment model there are two methods in which IDS/IPS can be used. Method 1 requires software to be deployed to each instance in order to send a copy of the network traffic to the appliance for inspection. Method 2 requires routing configuration changes to be made in order for the security virtual appliance to inspect the traffic. Figure 1 illustrates both deployment scenarios.   FIgure 1 - hostvgateway   Figure 1: Security Virtual appliance  

Host-based Approach

The other option is to deploy software (also known as an agent) onto each workload. This allows the security polices to be tailored to the specific software executing on that server. This removes the need to have generic or extraneous rules running and taking up resources. For instance, with Trend Micro Deep Security you can run a Recommendation Scan that quickly determines the specific rules needed to protect the instance, depending on the OS or patches applied. Additionally, the deployment of security software and policies can be automated for environments with auto-scaling requirements with configuration management tools such as Chef, Puppet or OpsWorks. This approach is illustrated in Figure 2. A host-based fits seamlessly with your existing deployment workflow.   Figure 2 - hostvgateway   Figure 2: Host based IPS from Deep Security    

Comparing Approaches

One of the biggest architectural problems with network-based IDS/IPS is the use of encryption to protect network traffic. This security practice protects the contents of network traffic but it makes it difficult or impossible to analyze traffic and detect exploits. With host-based IDS/IPS, network encryption is less of an issue as the host decrypts traffic before it is analyzed. The following is a summary comparison of the different methods, which can be used to deploy IDS/IPS protection for cloud instances.      
  Virtual Appliance (Method 1 Inline) Virtual Appliance (Method 2 Tap) Host-based
Scaling Parallel to the workload In proportion to the workload With the workload
Protection Detect Generic protection Customized protection


Although both security virtual appliances and host-based software can be used to deliver IDS/IPS in the cloud, there is a strong argument that a host-based approach is easier and more cost effective.
  • Host-based security can be deployed with automation tools like Chef or Puppet.
  • Host-based controls seamlessly auto-scale to thousands of instances without requiring additional virtual appliances or managers to be added.
  • A host-based approach reduces resource requirements as there is no duplication of traffic and no specialized instance is required for a virtual appliance.
  • Eliminates the requirement to configure SSL/TLS to decrypt and analyze network traffic.
  • Host-based controls enable security controls and policies to be customized for each workload.