As new applications are developed based on the cloud model, developers are turning to Platform-as-a-Service (PaaS) to simplify application development and deployment. After all, babysitting the operating systems, data stores, messaging queues and application containers running below the application is complicated and costly. The promise of PaaS is the delivery of an application infrastructure, where the provider handles the care and feeding of the underlying stack.
Sounds great, until you consider how much control you are really giving up from a security perspective:
Visibility – In a PaaS environment, users deploy applications and data. From the vantage point of the end-user there is no standard way to ascertain the patch level, collect system/server logs, or perform a vulnerability assessment (remote tests are generally prohibited by the provider). How do you know you are running on a solid foundation?
Portability/Interoperability – Unlike IaaS, where generally the virtual machine can be converted between different providers, PaaS involves custom APIs, specialty application containers and sometimes even language extensions. Will you be able to move your application if needed?
Security – For the most part, PaaS offerings do not provide the ability for customers to deploy network or host-based WAF, DAM, IPS, FIM, AV or DLP. Some platform service providers include built-in security services, but the end-user has little to no visibility or choice. Can you really afford to run your application ‘naked’?
These issues are resolvable, with work on the part of the platform providers.
Chris Hoff, a well-known cloud aficionado, is working with a group on a general-purpose security API that would supply the information needed for vulnerability scans, audit, configuration management and patch management. If adopted by the PaaS providers, the API (known as A6 – the Audit, Assertion, Assessment, and Assurance API) would provide a much-needed means of manual and automated verification.
Portability and Interoperability in the PaaS world may get better with service provider co-operation. There will be evolving standards, copy-cat service providers, conversion services and some day multi-provider abstractions where applications can run on a variety of services. It’s up to the customers to push for portability for their applications and data.
To have control and flexibility over security in a PaaS environment, service providers need to offer standards-based methods of plugging in security. These may take the form of virtual appliances (using inline networking or advanced hypervisor-based introspection) or methods of deploying host-based security. Highly scalable cloud applications need best-of-breed security.
While the development department may be attracted to PaaS, until service providers can solve these issues, you may actually want to pass on PaaS.