Security Concerns with Horizontal and Vertical Cloud Scaling

June 3, 2013 by Diana Nolting

"What to Expect When You’re In the Cloud: First year tips, tricks and tutorials" is a weekly series of posts that highlights the unique experiences, questions and successes individuals have in their first year in the cloud. Posts are based on clients and non-clients alike. To submit your question or story, tweet @Bluelock.

Last week we covered how to leverage horizontal and vertical scaling when it comes to cloud, but this week we’ll tackle a user-asked question that falls right in line with scaling.

"What are application security considerations when you scale horizontally and vertically?"

This is a great question, and it ties directly into architecting your initial designs so that vertical and horizontal scaling are easier down the line.

As a review, when you’re scaling vertically you are expanding the size and capacity of already existing virtual servers. For example, you may expand a server from 10 processors with 10 GB of RAM to 20-30 processors with 50 GB of RAM.

“Because the servers are just getting bigger, they already have the patches, intrusion prevention agents and security policies enabled,” explains Bluelock CTO Pat O’Day. “When you add RAM or CPUs for vertical scaling, all those policies stay in place. When you shrink the devices, it all stays in place as well.”

Security when you are scaling horizontally, however, requires a slightly different check of systems. As a review, horizontal scaling means adding more servers, rather than just adding resources to existing ones.

“When you’re dealing with a horizontal scaling model, especially when you’re automating that horizontal scaling, they will need to come up and be secure before they are exposed to the internet,” explains O’Day.

O’Day explains that if you bring a brand new web server into your load balancing pool in a horizontal model, it will not be patched, because you pulled it out of a brand new template. Before it can process traffic, it needs to be patched, have the security policy applied, have the operating system secured, and have the intrusion prevention agents and software firewall installed.

“But, you can do all of that by scripting it with automation,” O’Day continues. “You can have the template prepare itself automatically before it starts taking traffic.”
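One way to script the "prepare before taking traffic" step described above, as an added example that is not Bluelock's code: a fail-closed gate run at the end of a template's first-boot script. It assumes each bootstrap step appends `step=status` to a state file; the step names, the file format and `register_with_lb` are hypothetical.

```shell
#!/bin/sh
# Added example: the server joins the load balancing pool only if every
# hardening step has been recorded as "ok". Missing or failed steps block it.

# Assumed step names, one per requirement listed in the article.
REQUIRED_STEPS="patches policy os_hardening ips_agent firewall"

# step_status FILE STEP: print the last status recorded for STEP ("" if none).
step_status() {
    awk -F= -v s="$2" '$1 == s { v = $2 } END { print v }' "$1" 2>/dev/null
}

# missing_steps FILE: print every required step whose last status is not "ok".
# An unreadable or absent state file makes every step count as missing.
missing_steps() {
    for step in $REQUIRED_STEPS; do
        [ "$(step_status "$1" "$step")" = "ok" ] || printf '%s\n' "$step"
    done
}

# Hypothetical placeholder: replace with your load balancer's registration call.
register_with_lb() {
    echo "registering with load balancer pool"
}

# join_pool FILE: register only when nothing is missing; otherwise stay out.
join_pool() {
    missing=$(missing_steps "$1")
    if [ -n "$missing" ]; then
        echo "NOT joining pool; incomplete steps: $(echo $missing)" >&2
        return 1
    fi
    register_with_lb
}

# Constructed sample state: the IPS agent install was never recorded,
# so the gate must keep this server out of the pool.
demo_state=$(mktemp)
printf '%s\n' patches=ok policy=ok os_hardening=ok firewall=ok > "$demo_state"
join_pool "$demo_state" || echo "gate held the server out of the pool"
rm -f "$demo_state"
```

Because the last recorded status wins, a step that failed and was retried successfully passes the gate, while a step that later regresses to a failure blocks it.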