Trend Cloud Security Blog – Cloud Computing Experts
Developers: “IaaS? No thanks, I’ll PaaS”
Posted by Justin Foster in Securing the Cloud Jan 5th, 2010 | no responsesAs new applications are developed based on the cloud model, developers are turning to Platform-as-a-Service (PaaS) to simplify application development and deployment. After all, babysitting the operating systems, data stores, messaging queues and application containers running below the application is complicated and costly. The promise of PaaS is the delivery of an application infrastructure, where the provider handles the care and feeding of the underlying stack.
Sounds great, until you consider how much control you are really giving up from a security perspective:
Visibility – In a PaaS environment users deploy applications and data. From the vantage point of the end-user there is no standard way to ascertain the patch level, collect system/server logs, or perform a vulnerability assessment (remote tests are generally prohibited). How do you know you are running on a solid foundation?
Portability/Interoperability – Unlike IaaS, where generally the virtual machine can be converted between different providers, PaaS involves custom APIs, specialty application containers and sometimes even language extensions. Will you be able to move your application if needed?
Security – For the most part, PaaS offerings do not provide the ability for customers to deploy network or host-based WAF, DAM, IPS, FIM, AV or DLP. Some platform service providers include built-in security services, but the end-user has little to no visibility or choice. Can you really afford to run your application ‘naked’?
These issues are resolvable, with work on the part of the platform providers.
Chris Hoff, a well known cloud aficionado, is working with a group on a general purpose security API that would supply the information needed for vulnerability scans, audit, configuration management and patch management. If adopted by the PaaS providers the API (known as A6 – the Audit, Assertion, Assessment, and Assurance API) would provide a much needed means of manual and automated verification.
Portability and Interoperability in the PaaS world may get better with service provider co-operation. There will be evolving standards, copy-cat service providers, conversion services and some day multi-provider abstractions where applications can run on a variety of services. It’s up to the customers to push for portability for their applications and data.
In order to have the control and flexibility with security in a PaaS environment, service providers need to offer standards based methods of plugging in security. This may be virtual appliances (using inline networking or advanced hypervisor-based introspection) or methods of deploying host-based security. Highly scalable cloud applications need best of breed security.
While the development department may be attracted to PaaS, until service providers can solve these issues, you may actually want to pass on PaaS.
Stumble It!Subscribe
Trend Cloud Security Blog – Cloud Computing Experts
- Do You Encrypt Your Data? A Plea to Businesses from an Identity Theft Victim February 2, 2012
- How Big Data Got Here, and What’s Still Missing February 1, 2012
- A shiny new website, made just for you … January 21, 2012
- Savings with Cloud Security — A Look at the Numbers January 19, 2012
- Government Data Seizures is Only One Type of Data Loss January 18, 2012
- Patriot Act is not the first (nor likely) last law of its kind January 16, 2012
- The USA PATRIOT Act is Bad for Business January 12, 2012
- Why the Cloud Kills Hardware January 10, 2012
- The Cloud Ate My Homework January 6, 2012
- The Link Between Browser Share, Cloud Computing, and Security January 4, 2012