At cloudexpo yesterday, I chatted with Allan Allison after his session on cloud security. Subsequently, I read his blog post, which advises organizations considering the cloud on how they can leverage compliance factors when selecting a cloud provider (for example, if the customer’s data is subject to HIPAA, HITECH, PCI and similar regulations).
When you migrate to the cloud, compliance factors are one item to consider; security is another.
If your applications and data are hosted on physical servers in your datacenter, under your control, security can be achieved with in-line network appliances such as a firewall and intrusion detection/prevention (IDS/IPS) devices.
When you move to the cloud, using an Infrastructure as a Service provider, you no longer have physical control of the network – you are simply utilizing instances of Windows or Linux virtual machines provided by a cloud service.
Since network security in the cloud is not under your control, the case can be made for host-based security: protecting each instance with its own firewall and IDS/IPS. Thus, as an instance migrates within a cloud or is started or shut down, it is instantly protected by its own firewall and IDS/IPS and neither relies on nor requires a network security device.
Of course, a central management console for the firewall and IDS/IPS on each instance is critical for managing policies. Even better would be an intelligent firewall and IDS/IPS that knows which applications and network services are running on each instance and can protect the instance accordingly.
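As an added illustration of the last two points (it is not code from the post or from any product mentioned in it), the script below derives a host firewall policy for a Linux instance from the services that are actually listening on it. It reads socket listings in `ss -ltn` format (the listing here is a constructed sample; on a real instance it would come from running `ss`), compares the exposed ports against a centrally defined policy table (also constructed, with RFC 5737 documentation addresses), and emits a default-deny nftables ruleset that only opens what the policy allows. Any non-loopback listener missing from the policy is reported rather than exposed, which is the kind of per-instance awareness the post asks for.

```python
"""Build a default-deny host firewall ruleset from an instance's listening sockets.

Added example; assumes nftables syntax and `ss -ltnH` output format (both real),
while the socket listing and the POLICY table are constructed for this demo.
"""
from dataclasses import dataclass

# Constructed sample of `ss -ltnH` output (-H suppresses the header line).
# On a real instance: subprocess.run(["ss", "-ltnH"], capture_output=True, text=True).stdout
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      128          0.0.0.0:6379       0.0.0.0:*
"""

# Central policy (constructed): port -> source prefix allowed to reach it.
# A listener not present here is never opened; it is surfaced for review.
POLICY = {
    22: "203.0.113.0/24",   # management network (RFC 5737 documentation range)
    443: "0.0.0.0/0",       # public web service
}

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -ltnH` lines into Listener records (IPv4 and bracketed IPv6)."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # e.g. "0.0.0.0:22" or "[::]:22"
        addr, port = local.rsplit(":", 1)
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def build_ruleset(listeners: list[Listener], policy: dict[int, str]) -> tuple[str, list[int]]:
    """Return (nftables ruleset text, ports listening externally but absent from policy)."""
    # Loopback-only services (e.g. a local database) need no inbound rule at all.
    exposed = sorted({l.port for l in listeners if l.addr not in LOOPBACK})
    unexpected = [p for p in exposed if p not in policy]

    lines = [
        "table inet hostfw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for port in exposed:
        src = policy.get(port)
        if src is None:
            continue                           # unexpected listener stays blocked
        if src == "0.0.0.0/0":
            lines.append(f"    tcp dport {port} accept")
        else:
            # `ip saddr` matches IPv4 only; add an `ip6 saddr` rule for IPv6 sources.
            lines.append(f"    ip saddr {src} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n", unexpected


if __name__ == "__main__":
    ruleset, unexpected = build_ruleset(parse_listeners(SAMPLE_SS_OUTPUT), POLICY)
    print(ruleset)
    for port in unexpected:
        print(f"WARNING: port {port} is listening externally but has no policy entry")
```

The generated text can be loaded with `nft -f` on the instance, and the warning list is what a central console would collect from each instance: in the sample, port 6379 is exposed with no policy entry, so it stays blocked and is flagged, while the loopback-only 3306 produces no rule at all.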