0 Replies Latest reply on Feb 1, 2012 4:05 PM by TonyWhite

    FileMaker <-> Amazon Web Services best practices XPOST

    TonyWhite

      Hi all,

       

      I'm working for a client on 2 FileMaker <-> Web applications.

       

      The first involves hosting a web stack (most likely LAMP) for the External

      SQL Sources (ESS) portion of the application.

       

      The second involves migrating a custom Web publishing application based on

      FX.php to a security-compliant platform with a minimum amount of code

      changes.

       

      This client recently had their web applications tested by a security

      scanning company and wants to ensure that all their Web applications are PCI

      compliant on an ongoing basis.

       

      At the moment I'm planning on hosting on the Amazon Web Services (AWS)

      platform for the following reasons:

       

      • The client already has a web application hosted at Amazon.

       

      • The research that I've done regarding the Amazon Web Services platform

      indicates that there is a robust security model in place.

       

      • Amazon Web Services seems to be a platform with a lot of momentum and

      therefore presents a relatively safe commitment for the client as well as an

      interesting platform to become familiar with.

       

      The Amazon Web Services platform seems full-featured. Along with that comes

      a learning curve in figuring out how to set things up properly.

       

      One of the most interesting aspects of the Amazon Web Services platform

      pertains to the security implementations framework they offer.

       

      In reading through the Amazon Web Services documentation I came across the

      following:

       

      • "AWS Web Hosting Best Practices" PDF

      http://aws.amazon.com/whitepapers/

      There are 2 interesting diagrams (page 3 and page 6) that show the

      framework.

       

      • Well-done network diagrams (AWS Reference Architectures)

      http://aws.amazon.com/architecture/

       

      • AWS_Security_Whitepaper PDF (In-depth treatment of security topics)

      http://aws.amazon.com/security/

       

      The security architecture that Amazon describes is more complex and more

      granular than the traditional web hosting implementation. For example, the

      3 tiers of the application: Web server(s), application server(s), and

      database server(s) are deployed on separate virtual machines (EC2

      instances). Each of the instances is protected with a virtual machine level

      firewall, etc. This high level of security comes at a price. The machines

      are so locked down that access often requires skill with the command line,

      SSH, SSH tunneling and the management of a variety of different types of

      credentials.

       

      It also seems possible to deploy a Web server platform on AWS in a less

      granular fashion although this is not documented by Amazon as far as I know.

       

      My inclination is to go with their more robust and more complex deployment

      as it represents a best practice implementation that can be used in both

      simple and complex deployments. It seems to me that using different virtual

      servers with individual firewalls does create a more secure platform. This

      plays to the strengths of the Amazon Web Services platform.

       

      One of the more interesting aspects of the Amazon Web Services ecosystem is the

      existence of Amazon Machine Images (AMIs). AMIs are essentially computer

      disk images that are used to create "EC2 Instances" that run as virtual

      machines. In addition to the AMIs provided by Amazon, there are a large

      number of third-party AMIs.

       

      It occurs to me that there would be a benefit to FileMaker, Inc. in creating

      collections of AMIs that would facilitate the process of setting up and

      optimizing various stacks for ESS deployments and/or FileMaker Server

      deployments.

       

      For example, one specification of a collection of AMIs would include the

      following:

       

      • A version of MySQL that is compatible with FileMaker ESS.

       

      • A version of PHP that is sufficiently modern to pass security scans.

       

      • An operating system that is compatible with the versions of MySQL and PHP

      specified above. My preference would be a Linux-based distribution in order

      to minimize the cost of the stack and maximize the value available to the

      project.

       

      • A version of Apache compatible with all of the above.

       

      • Additional software as needed to facilitate and support a robust

      full-featured ESS implementation. For example, a version of sendmail might

      be useful, etc.

       

      Others might have different preferred AMI specifications.

       

      There would be a number of benefits to FileMaker Pro Inc. in providing

      Amazon Machine Images.

       

      • FileMaker, Inc. would be empowering the developer community in the

      implementation of "hybrid" FileMaker <-> ESS solutions thereby retaining

      customers who might otherwise migrate towards a solution that is exclusively

      web-based.

       

      • FileMaker would achieve branding within that portion of the developer

      community that's involved with Amazon Web Services, either using Amazon Web

      Services or in the process of evaluating AWS use along with other

      alternative technologies.

       

      I would be interested to hear thoughts on any of the above.

       

      All the best,

       

       

      Tony White

      Tony White Designs, Inc.

      44 Butler Place, 6G

      Brooklyn, NY 11238

      Tel: 718-797-4175

      Tel: 718-398-2428

      tony_white@twdesigns.com

      http://www.twdesigns.com

      iChat: tonywhitelive@aim.com | skype: tonywhitelive
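
The per-tier firewall layout described in the post (web, application and database servers on separate EC2 instances, each behind its own instance-level firewall) can be checked mechanically. The following is an added example, not part of the original post: it audits a constructed rule set for rules that break tier isolation. The tier names, ports, `sg:` source notation and admin CIDR are assumptions made for illustration.

```python
from ipaddress import ip_network

# Constructed sample: per-tier inbound rules modelled on EC2 security groups.
# Tier names, ports and CIDRs are assumptions, not values from the post.
RULES = {
    "web": [{"port": 80, "source": "0.0.0.0/0"},
            {"port": 443, "source": "0.0.0.0/0"},
            {"port": 22, "source": "203.0.113.0/24"}],
    "app": [{"port": 8080, "source": "sg:web"},
            {"port": 22, "source": "203.0.113.0/24"}],
    "db": [{"port": 3306, "source": "sg:app"},
           {"port": 3306, "source": "0.0.0.0/0"},   # deliberate mistake
           {"port": 3306, "source": "sg:web"}],     # deliberate mistake
}

PUBLIC_PORTS = {"web": {80, 443}}    # only the web tier faces the internet
UPSTREAM = {"web": None, "app": "sg:web", "db": "sg:app"}
ADMIN_CIDR = ip_network("203.0.113.0/24")   # documentation range (TEST-NET-3)


def audit(rules):
    """Return (tier, port, source, reason) for every rule that breaks isolation."""
    findings = []
    for tier, tier_rules in rules.items():
        for rule in tier_rules:
            port, src = rule["port"], rule["source"]
            if src.startswith("sg:"):
                # Group references must point at the tier directly in front.
                if src != UPSTREAM.get(tier):
                    findings.append((tier, port, src, "non-adjacent tier"))
                continue
            net = ip_network(src)
            if net.prefixlen == 0:
                # World-open rules are acceptable only on declared public ports.
                if port not in PUBLIC_PORTS.get(tier, set()):
                    findings.append((tier, port, src, "open to the internet"))
            elif net.version != ADMIN_CIDR.version or not net.subnet_of(ADMIN_CIDR):
                findings.append((tier, port, src, "outside the admin range"))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Run against an export of the real rules, an empty result means the database tier is reachable only from the application tier and nothing but the web ports is exposed publicly.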