PaaSing the Buck? 8 Tips to Help Ensure Your PaaS Vendor is Looking Out For Your Security

In the first article in our series on security for IaaS, PaaS and SaaS we discussed the IaaS model, and provided tips on what to ask your IaaS vendor in order to ensure that your applications are secure. In this second post we’ll review the Platform as a Service (Paas) model.

The PaaS model allows you to deploy, develop and manage applications without having to buy and manage the underlying hardware and software. It sits right on top of the IaaS platform and focuses on the storage, transmission and delivery of data. It’s used by developers and system admins to develop and manage databases, applications, web services etc., allowing them to quickly spin up systems without having to worry about purchasing hardware and provisioning VMs.

We need to keep in mind that the higher up the stack you go in the cloud service model the less the customer is responsible for in terms of security and the more the vendor needs to own it. This is both good and bad for the consumer. It’s good that you don’t have to dedicate resources to securing the instances, but bad in that you have to trust (after verifying) the security of the PaaS provider.

The main thing to remember with a PaaS service model is that your data needs to be secure in the application that you’re housing it in. So you need to ensure that your PaaS vendor provides proper authentication, segmentation and data security. Here are a 8 tips to help you ensure your PaaS vendor is looking out for your security.

1. Understand the vendor’s Software Development Lifecycle (SDLC) processes: Speak with the development team at the cloud service provider (CSP) and get a better understanding of their development cycle especially their release processes. This can tell you quite a bit about the stability and security of the PaaS platform.
2. Understand the vendor’s vulnerability and risk management processes: The vendor should have review processes for open vulnerabilities on their platform during development as well as after the platform is in production. Understand how they perform vulnerabilities management and what the turnaround on remediating vulnerabilities is.
3. Understand the system patching process: Somewhat similar to vulnerability management, if there is a security patch available for the PaaS, what is the patching process and how quickly will it be applied?
4. Understand customer data segregation: Verify that your data, authentication and pretty much everything else is isolated from other customers. Check whether multiple accounts and/or customer data is being stored in one large database somewhere. Segmentation is huge in security, especially in the cloud.
5. Understand resource allocation: Will you have dedicated CPU, memory, I/O resources etc. on your platform? Is it possible that another customer could bring down your production systems due to increased resource allocation on their end? This is once again part of the isolation piece, but it’s more based off of who is consuming the resources and what dedicated resources you have.
6. Understand data protection: Since you don’t have ownership over the disk at this point (as you might with IaaS), you need to make sure that your data is encrypted. If a breach occurs and segregation wasn’t done properly you need to verify that all appropriate data was encrypted or tokenized for the security and privacy of your customers and business.
7. Understand regulatory compliance requirements: Bring your assessors/auditors into the mix before deploying any cloud service model. The last thing you want is to fail and audit and to have to re-architect your entire cloud strategy.
8. Understand your production vs. testing needs: Make sure you have both test and production environments for PaaS based applications. Just because this is the cloud it doesn’t mean that you can play with production data. Determine how you can integrate the two properly without risking the security or privacy of your production environment.

With the PaaS model, you need to think of your application as if you were hosting it within your network. This is somewhat different than how you relate to data in the Software as a Service cloud model which will be discussed in our next post in this series. Stay tuned.