TonyWhite

FileMaker <-> Amazon Web Services best practices XPOST

Discussion created by TonyWhite on Feb 1, 2012

Hi all,

 

I'm working for a client on 2 FileMaker <-> Web applications.

 

The first involves hosting a web stack (most likely LAMP) for the External SQL Sources (ESS) portion of the application.

 

The second involves migrating a custom Web publishing application based on FX.php to a security-compliant platform with a minimum amount of code changes.

 

This client recently had their web applications tested by a security scanning company and wants to ensure that all their Web applications are PCI compliant on an ongoing basis.

 

At the moment I'm planning on hosting on the Amazon Web Services (AWS) platform for the following reasons:

  • The client already has a web application hosted at Amazon.

  • The research that I've done regarding the Amazon Web Services platform indicates that there is a robust security model in place.

  • Amazon Web Services seems to be a platform with a lot of momentum and therefore presents a relatively safe commitment for the client as well as an interesting platform to become familiar with.

 

The Amazon Web Services platform seems full-featured. Along with that comes a learning curve in figuring out how to set things up properly.

 

One of the most interesting aspects of the Amazon Web Services platform pertains to the security implementations framework they offer.

 

In reading through the Amazon Web Services documentation I came across the following:

  • "AWS Web Hosting Best Practices" PDF
http://aws.amazon.com/whitepapers/
There are 2 interesting diagrams (page 3 and page 6) that show the framework.

  • Well-done network diagrams (AWS Reference Architectures)
http://aws.amazon.com/architecture/

  • AWS_Security_Whitepaper PDF (In-depth treatment of security topics)
http://aws.amazon.com/security/

 

The security architecture that Amazon describes is more complex and more granular than the traditional web hosting implementation. For example, the 3 tiers of the application: Web server(s), application server(s), and database server(s) are deployed on separate virtual machines (EC2 instances). Each of the instances is protected with a virtual machine level firewall, etc. This high level of security comes at a price. The machines are so locked down that access often requires skill with the command line, SSH, SSH tunneling and the management of a variety of different types of credentials.

 

It also seems possible to deploy a Web server platform on AWS in a less granular fashion although this is not documented by Amazon as far as I know.

 

My inclination is to go with their more robust and more complex deployment as it represents a best practice implementation that can be used in both simple and complex deployments. It seems to me that using different virtual servers with individual firewalls does create a more secure platform. This plays to the strengths of the Amazon Web Services platform.

 

One of the more interesting aspects of the Amazon Web Services ecosystem is the existence of Amazon Machine Images (AMIs). AMIs are essentially computer disk images that are used to create "EC2 Instances" that run as virtual machines. In addition to the AMIs provided by Amazon, there are a large number of third-party AMIs.

 

It occurs to me that there would be a benefit to FileMaker, Inc. in creating collections of AMIs that would facilitate the process of setting up and optimizing various stacks for ESS deployments and/or FileMaker Server deployments.

 

For example, one specification of a collection of AMIs would include the following:

  • A version of MySQL that is compatible with FileMaker ESS.

  • A version of PHP that is sufficiently modern to pass security scans.

  • An operating system that is compatible with the versions of MySQL and PHP specified above. My preference would be a Linux-based distribution in order to minimize the cost of the stack and maximize the value available to the project.

  • A version of Apache compatible with all of the above.

  • Additional software as needed to facilitate and support a robust full-featured ESS implementation. For example, a version of sendmail might be useful, etc.

 

Others might have different preferred AMI specifications.

 

There would be a number of benefits to FileMaker Pro Inc. in providing Amazon Machine Images.

  • FileMaker, Inc. would be empowering the developer community in the implementation of "hybrid" FileMaker <-> ESS solutions thereby retaining customers who might otherwise migrate towards a solution that is exclusively web-based.

  • FileMaker would achieve branding within that portion of the developer community that's involved with Amazon Web Services, either using Amazon Web Services or in the process of evaluating AWS use along with other alternative technologies.

 

I would be interested to hear thoughts on any of the above.

 

All the best,

 

 

Tony White

Tony White Designs, Inc.

44 Butler Place, 6G

Brooklyn, NY 11238

Tel: 718-797-4175

Tel: 718-398-2428

tony_white@twdesigns.com

http://www.twdesigns.com

iChat: tonywhitelive@aim.com | skype: tonywhitelive
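
An added example, not part of the original post: a small audit of per-instance firewall rules for the three-tier layout the post describes (web, application and database servers on separate instances), flagging any rule that lets traffic skip a tier or opens SSH too widely. The group names, ports, admin network and rule set are constructed assumptions for illustration.

```python
# Constructed example: audit ingress rules for a web/app/db three-tier layout.
# Group names, ports and the admin CIDR below are illustrative assumptions.
from ipaddress import ip_network

ANYWHERE = ip_network("0.0.0.0/0")
ADMIN_CIDR = ip_network("203.0.113.0/24")   # assumed admin network (TEST-NET-3)

# What each tier may accept: port -> set of allowed sources.
# A source is either another tier's group name or a CIDR.
POLICY = {
    "web": {80: {ANYWHERE}, 443: {ANYWHERE}, 22: {ADMIN_CIDR}},
    "app": {8080: {"web"}, 22: {ADMIN_CIDR}},
    "db":  {3306: {"app"}, 22: {ADMIN_CIDR}},
}

def source_allowed(source, allowed):
    """A group source must match by name; a CIDR must sit inside an allowed CIDR."""
    if isinstance(source, str):
        return source in allowed
    return any(not isinstance(a, str) and source.subnet_of(a) for a in allowed)

def audit(rules):
    """Return findings for (group, port, source) rules the policy does not permit."""
    findings = []
    for group, port, source in rules:
        allowed = POLICY.get(group, {}).get(port)
        if allowed is None:
            findings.append(f"{group}: port {port} is not expected on this tier")
        elif not source_allowed(source, allowed):
            findings.append(f"{group}: port {port} open to {source}, outside policy")
    return findings

# Constructed rule set with two mistakes: MySQL reachable directly from the
# web tier, and SSH on the app tier open to the whole internet.
SAMPLE_RULES = [
    ("web", 443, ANYWHERE),
    ("web", 22, ip_network("203.0.113.16/28")),
    ("app", 8080, "web"),
    ("app", 22, ANYWHERE),
    ("db", 3306, "app"),
    ("db", 3306, "web"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```
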
