Back to list
Re: AWS and security
Jul 11 2012 04:23PM
Warner Tabor (pneusolematic me com)
You are absolutely correct, PCI is s security standard. What I failed to mention in my previous post is that we don't keep sensitive CC data on server in the cloud, which is why I haven't give the subject much thought and can't really speak on it. The reason I mentioned HIPPA and the like is that they are for more strict and cover more points of data than just billing info. We are talking about just a few data point for PCI, where I would assume there is far more to consider when it comes to HIPPA, etc.
On Jul 10, 2012, at 8:35 PM, Sean Simpson wrote:
> Again, thanks for the insights!
> On Jul 10, 2012, at 5:32 PM, Warner Tabor wrote:
>> No problem. Glad to be of some help. Seem my responses in-line below;
>> On Jul 10, 2012, at 8:04 PM, Sean Simpson wrote:
>>> Hi Skip, thanks for your insights. Some specifics:
>>> On Jul 10, 2012, at 6:41 AM, Warner Tabor wrote:
>>>> We've been using AWS for 3 years now to host our web and app servers without incident. If you make proper use of EC2 Security Groups you can lock things down pretty tightly. I think that as long as you do your due diligence as far a security is concerned and make sure you are using known good AMI's (ones that are provided by Amazon, for example,) I don't think that you'll be at any higher risk for attack than hosting in a co lo.
>>> My main concern is that the "due diligence" is different, and will require a learning curve. For instance, we don't normally worry about inter-host communications when they only exist on our trusted network. Better to know that kind of stuff in advance...
>> This is true and there is a bit of a learning curve, but their web UI makes things pretty simple, and most tasks can be completed this way. There are certain things that you'll have to refer to the API tools for, but these are few and far between (attaching ephemeral storage, etc.) One thing that I can suggest to help with the learning curve and your investigation, is that you launch some Amazon Linux micro instances. These instance are free and will allow you to play with inter-instance communications, security groups, etc. If you don't want to go the Amazon Linux route, micro instances for other Linux distros and windows are so cheap per hour that they might as well be free (I think you'll pay $18 to keep one running 24/7 for a month). A quick aside; for all intents and purposes the Security groups act as routers/firewalls allowing only specific instances or IPs, subnets, etc access to instances within that group.
>>>> You have the ability to launch, test, provision and scale your app in a very fluid and dynamic way.
>>> This is the big draw, particularly since we can re-architect (adding a memcached layer, for instance) with "practice" servers before changing a live system.
>> Absolutely. I haven't played with memcachd, but I do know that AWS even offers a service called ElastiCache for in-memory caching that I believe utilizes memcachd
>>>> Services like ELB with Sticky Sessions allow you to load balance your app very easily without worrying about a whole lot of configuration, extra SSL certs, etc. AWS has certainly allowed us to move far more quickly than we would have if we were hosting on site or in a co lo.
>>> Have you found that you become "tied" to their services? I'm a bit worried that management will change it's mind again, and then we will be sent scrambling to handle services in yet another way. With a colo solution, we take our service solutions with us wherever we go.
>> Aside from using ELB, there is nothing that I can't replicate elsewhere. And we could certainly implement similar round-robin load balancing witout too much trouble using another solution if we had to. The rest of our architecture is all very portable using pretty standard stuff. There are certainly services that they offer that are tempting that would "tie" is to their service, but we haven't gone that route yet. Note that you do have the ability to export you images as well as import external images. This would allow you to move your machines to another virtualization environment, cloud computing service or to baremetal perhaps, but I haven't tried it. If you Google AWS VMI Import / Export you should turn up some results.
>>> Sean Simpson
>>> Senior Server/Web Developer
>>> sean (at) stitcher (dot) com [email concealed]
> Sean Simpson
> Senior Server/Web Developer
> sean (at) stitcher (dot) com [email concealed]
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
[ reply ]
Jul 16 2012 05:54PM
Jude Cwalenski (judenator gmail com)
Jul 16 2012 08:37PM
Ansgar Wiechers (bugtraq planetcobalt net)
Jul 16 2012 06:34PM
Florian Rommel (frommel gmail com)
Jul 16 2012 08:44PM
Michael Sturtz (Michael Sturtz PACCAR com)
Copyright 2010, SecurityFocus