Shostack + Friends Blog Archive


Pulling A Stiennon: In The Cloud, The DMZ Is Dead

Calling something in the cloud a DMZ is just weird. Realistically, everything is a DMZ. After all, you are sharing data center space, and if your provider is using virtualization, hardware with all of their other customers. As such, each and every network segment you have is (or should be) isolated and have only a very small set of allowed ports/protocols/ips etc. So in a very real sense, in public cloud every network segment is a DMZ. And when everything is a DMZ, then calling anything a DMZ becomes pointless.

It’s better to call the segments by their function, e.g. web, app server, db, cache, mq whatever it is that the services in that security group are doing. It had the advantage of being easier to understand, closer to self-documenting and doesn’t imply a level of non-existent security like a term like DMZ does. Also by calling segments by their purpose, it points the security practitioner towards the right mindset of what types of traffic should or shouldn’t be allowed. All in all a very Jericho project kind of mentality.

[ETA: I had completely forgotten that Hoff covered this same issue in his Commode Computing talk last year. In particular see]

One comment on "Pulling A Stiennon: In The Cloud, The DMZ Is Dead"

  • Stiennon says:

    One of the first things I ever wrote for Gartner was on the DMZ. The gist of my argument then was that the idea of a De-Militarized zone was silly even in 2001. The original DMZ’s were populated with sacrificial hosts exposed to the Internet. By 2001 the network segments containing webservers, databases, DNS, etc had become the most protected segments: in other works Highly Militarized Zones. I proposed calling those segments Transaction Zones. It never caught on obviously. 🙂

Comments are closed.