One of the key aspects of securing hybrid cloud applications is a secure connection from the cloud-based services to the on-premises ones. With Windows Azure this is quite easy. You can use Windows Azure Connect to establish an IPv6/IPsec-based tunnel from an individual role in Azure to the individual service(s) on premises. Channel 9 has a short video on this topic:
A common misunderstanding is that Azure Connect is a VPN from your network to the Internet. It is not. The connections are configured to go from specific servers and services on your network to a specific role hosted in Azure. It is point-to-point and secured with IPsec. You aren’t exposing your network to the entire Internet over a site-to-site VPN style connection.
There are a couple of key benefits I see to this from a security angle.
- You can move the UI and business layers off to the Azure servers. This keeps potential attackers away from infrastructure connected to your network. The Azure Connect tunnel provides encrypted communications between the business-layer worker roles and the specific service or DB on premises. The unwashed masses cannot touch the interface of the services or DB on your network; it will only talk to the role you have defined in Azure. This provides another layer between you and the bad guys. That role is still a trusted client of the on-premises service, though, so give it only the credentials and network reach it actually needs.
- This lets you create hybrid applications where all of the sensitive data is still kept safely on premises in your data centre. You don’t have to push a lot of data out to the web. The UI and business layers are already being accessed over the Internet anyway, so there is little benefit to hosting them on premises other than the desire for, and perception of, control.
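Whether the on-premises service really only talks to the role you defined is something to verify rather than assume. As an added example (not from the original post, and not part of Windows Azure Connect itself), here is a small Python audit that reads Windows Firewall log lines and flags any inbound connection to the service port that did not come from the expected tunnel peer. The log lines, the tunnel prefix 2a01:111:f100:1::/64, the internal host 10.0.0.25 and the function names are all constructed for the example.

```python
"""Audit which peers actually reach an on-premises service port.

Added example, not from the original post or from Windows Azure Connect
itself. It reads Windows Firewall log lines (pfirewall.log layout, with
a #Fields header) and checks that inbound connections to the service
port come only from the tunnel peers you expect. All addresses and log
lines below are constructed for the example.
"""
import ipaddress
from collections import Counter

# Constructed sample log. Field order follows the Windows Firewall log
# format; the addresses are made up (documentation ranges / arbitrary v6).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-06-01 10:00:01 ALLOW TCP 2a01:111:f100:1::10 2a01:111:f100:2::5 49152 1433 0 - 0 0 0 - - - RECEIVE
2011-06-01 10:00:02 ALLOW TCP 2a01:111:f100:1::10 2a01:111:f100:2::5 49153 1433 0 - 0 0 0 - - - RECEIVE
2011-06-01 10:00:03 ALLOW TCP 10.0.0.25 10.0.0.5 51000 1433 0 - 0 0 0 - - - RECEIVE
2011-06-01 10:00:04 ALLOW TCP 203.0.113.7 10.0.0.5 40000 1433 0 - 0 0 0 - - - RECEIVE
2011-06-01 10:00:05 DROP TCP 198.51.100.9 10.0.0.5 40001 1433 0 - 0 0 0 - - - RECEIVE
2011-06-01 10:00:06 ALLOW TCP 10.0.0.5 10.0.0.40 1433 52000 0 - 0 0 0 - - - SEND
"""

# Hypothetical allow list: the tunnel prefix assumed to be assigned to the
# Azure role, plus one approved internal admin host.
ALLOWED_PEERS = ["2a01:111:f100:1::/64", "10.0.0.25"]

# Fallback field names if the log has no #Fields header.
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
                  "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the #Fields header (or defaults)."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        yield dict(zip(fields, line.split()))


def audit_service_peers(log_text, allowed_peers, service_port=1433):
    """Split inbound hits on service_port into expected and unexpected sources.

    Returns (expected, unexpected): Counters keyed by source address, and by
    (source address, firewall action) respectively. An unexpected ALLOW means
    something other than the tunnel peer reached the service.
    """
    allowed = [ipaddress.ip_network(p, strict=False) for p in allowed_peers]
    expected, unexpected = Counter(), Counter()
    for rec in parse_firewall_log(log_text):
        # Only inbound TCP records for the service port are of interest.
        if rec.get("path") != "RECEIVE" or rec.get("protocol") != "TCP":
            continue
        if rec.get("dst-port") != str(service_port):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue
        # 'in' is False across address families, so a v4 source never
        # matches the v6 tunnel prefix by accident.
        if any(src in net for net in allowed):
            expected[str(src)] += 1
        else:
            unexpected[(str(src), rec.get("action", "?"))] += 1
    return expected, unexpected


def exposed_sources(unexpected):
    """Sources outside the allow list that the firewall actually let through."""
    return sorted(src for (src, action) in unexpected if action == "ALLOW")


if __name__ == "__main__":
    ok, bad = audit_service_peers(SAMPLE_LOG, ALLOWED_PEERS)
    for src, n in ok.items():
        print(f"expected   {src:<22} {n} connection(s)")
    for (src, action), n in bad.items():
        print(f"UNEXPECTED {src:<22} {action} x{n}")
    print("exposed:", exposed_sources(bad))
```

Windows Firewall only writes ALLOW lines when logging of successful connections is enabled for the profile, so turn that on before trusting an empty result. The audit only reads the log; it does not change any rule. On the constructed sample it reports 203.0.113.7 as a source that was allowed in to port 1433 without coming through the tunnel, which is exactly the exposure the point-to-point design is meant to rule out.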
Hybrid applications over Azure Connect are an excellent means to create highly scalable and robust form-filling and data-publication applications for public consumption. Definitely have a look at it.