the cloud-based SOE, does it mean that the business partners of an enterprise enforce such policies. In the same way that other vulnerabilities at the instance level need to be mitigated, malicious programs must be prevented from penetrating and infecting the service. Each instance should ideally be checked against the latest signature file every time it is executed, to maintain maximum protection. This creates a significant overhead for services that are in frequent use, so a cloud-based antivirus/malware service may be more appropriate. Such a service ensures that the latest signature files are present without relying on the execution of a service to trigger an external check.
In summary, the concept of instance security for cloud services does not so much rely upon new technology as on a rethink of how existing solutions are deployed.
19.3.5 Application Architecture
A common approach to application architecture is to separate the architecture into tiers, with communication between tiers tightly controlled. This serves to contain any problem in one tier so that it does not adversely affect the others. For instance, a Web application tier might be kept separate from the back-office system tier, with a firewall between the tiers that restricts the network traffic passing between them.
As mentioned earlier in the chapter, the multitenant environment of a public cloud prevents physical network infrastructure from being inserted. At best, an enterprise could create VLANs, albeit that the network traffic is still physically intermingled. One approach is to seek out a cloud provider who is willing to allow the user to define subnets as part of the rented infrastructure. This would permit an enterprise to replicate some of its more traditional architecture within a virtualized environment and achieve its desired network topology. Another approach would be to persist with instance-level management and implement tier separation at the instance firewalls. This increases complexity somewhat, but it could be argued that it fits more cohesively with the instance approach to managing security in a robust way by treating each appliance as a discrete service provider.
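The instance-level alternative described above, as an added example that is not part of the chapter: a constructed two-tier topology (web and back-office subnets, chosen here as an assumption) where each instance loads its own default-deny inbound rule set derived from a single tier policy, so that tier separation holds without any physical firewall between the subnets.

```python
"""Tier separation enforced at the instance firewall (added example).

Constructed topology, not from the chapter: a web tier and a back-office tier,
each a subnet in the rented cloud infrastructure. With no physical firewall
between them, every instance carries its own default-deny rule set that only
admits the flows the tier policy names.
"""
import ipaddress

# Constructed tier subnets and the permitted inter-tier flows (src, dst) -> ports
TIERS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "backoffice": ipaddress.ip_network("10.0.2.0/24"),
}
ALLOWED_FLOWS = {
    ("internet", "web"): {443},
    ("web", "backoffice"): {8080},
}

def tier_of(ip: str) -> str:
    """Map an address to its tier; anything outside the subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Policy decision: permit only flows explicitly listed for the tier pair."""
    return dst_port in ALLOWED_FLOWS.get((tier_of(src_ip), tier_of(dst_ip)), set())

def instance_rules(tier: str) -> list[str]:
    """Render the inbound iptables rules an instance in `tier` would load:
    default deny, replies to established connections allowed, then the
    policy's listed flows restricted to the source tier's subnet."""
    rules = ["-P INPUT DROP",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "-A INPUT -i lo -j ACCEPT"]
    for (src, dst), ports in ALLOWED_FLOWS.items():
        if dst != tier:
            continue
        src_match = "" if src == "internet" else f"-s {TIERS[src]} "
        for port in sorted(ports):
            rules.append(f"-A INPUT {src_match}-p tcp --dport {port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    for tier in TIERS:
        print(f"# {tier} instance")
        print("\n".join(instance_rules(tier)))
```

Because every instance derives its rules from the same policy table, a change to the tier policy is applied consistently across the tier rather than instance by instance.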
An alternative option is to adopt the services of a cloud provider to help in the management of security. Some cloud providers are now offering security layers that mimic instance-level firewalls. Such layers are convenient to use, though they have the potential to increase vendor lock-in until more open security standards are developed.
19.3.6 Patch Management
Patch management refers to the constant checking and maintenance of software during its use. As bugs and vulnerabilities are discovered, the corrections