Thirty-six percent of businesses don't have a centralized cloud-security policy, according to a recent survey by the Ponemon Institute, a research and consulting firm. In addition, 45% don't police employee activity in private clouds, according to the survey of nearly 675 IT and security professionals. Such lack of oversight in Platform as a Service (PaaS) and other cloud environments can lead to potentially catastrophic data failures.
So what's involved in crafting a cloud-security policy, specifically for use with a PaaS provider? Start by determining which assets you want to migrate to the cloud and why you want to move them, said Scott Hazdra, principal security consultant at Neophapsis Inc., a Chicago-based consulting company specializing in mobile and cloud security services. It's also important to understand your organization's culture, know what kind of PaaS provider would offer a good fit, seek your peers' opinions and review any existing cloud standards or policies.
"Lastly, take your newly created policy and allow the different stakeholders in your organization to comment," Hazdra says. "If you follow these guidelines, the better prepared you'll be when that first packet of data moves from your servers out into your provider's trusted cloud."
Familiar risks -- and some new concerns
The threats and risks involved with using a PaaS provider are similar to those involved with hosting in-house. Your applications still face the Internet; they will still be subject to constant exploitation attempts and potential denial of service attacks. They still need be hardened, with no unnecessary ports open.
Lack of oversight in cloud environments can lead to potentially catastrophic data failures.
Be sure to incorporate consistent code-security reviews into the software development lifecycle. Pay attention to vulnerabilities in software that need to be patched or mitigated. In addition, Hazdra recommends performing -- or hiring a security expert to do -- an application-security test against each app to help expose any vulnerabilities before they can be exploited.
It's also important to closely examine the differences in what various PaaS providers' services, including what you, as the tenant, can control. Typically, the PaaS provider controls much of the stack -- from hardware and network to hypervisor, database, storage and application framework -- and any risks to those systems are borne by the provider.
With PaaS, tenants aren't always segmented at the hypervisor level. But no matter how segmentation is accomplished, cross-tenant access creates vulnerabilities that present a risk that simply doesn't confront an in-house deployment the same way. The insider threat to any cloud provider presents a greater risk to the PaaS provider, though not necessarily to the tenant.
However, as a tenant, be aware that you may have contractual responsibilities about any breaches, attacks or security events involving their applications. Be sure you understand those requirements and the potential consequences for failing to notify the PaaS provider.
Assessing PaaS security
PaaS providers offer varying levels of maturity in terms of platform availability, security architecture and design and openness about their platform stack. The biggest challenges lie in making sure you get enough information to completely satisfy your company's stakeholders and ensure that everyone's needs and requirements will be met, Hazdra said.
Here are some additional tips for assessing PaaS provider security capabilities:
- Know who's responsible. Be clear about whether you, the PaaS provider or some third party is accountable for particular activities or functions.
- Know the boundaries. Be certain that you clearly understand where the demarcation points are between your software and the PaaS provider's software.
- Know the terms. Be sure you completely understand the service-level agreement (SLA). Don't hesitate to negotiate changes to areas that don't meet your requirements. SLAs are typically written with the PaaS provider's convenience in mind, so to make the relationship work, make sure the SLA meets your needs and development style as well.
- Know the PaaS provider's reputation. You can always ask for references -- and if you do, you should call them. One question to ask: Does the provider keep its promises? Trust is essential in working with clouds.
More questions for PaaS providers
Following are other security questions to ask potential PaaS providers:
- How do you mitigate or patch vulnerabilities from your vendors?
- What are your business continuity and disaster recovery plans? Do you have any single points of failure?
- What security services do you provide, if any? (For instance, does the company have an intrusion prevention system or a Web application firewall service?)
- How do you interview and screen the employees who have access to the infrastructure where my application lives?
- How easily can I move my data off your platform if I choose to move to another provider?
Another challenge: PaaS providers typically frown on tenants conducting penetration tests, vulnerability scans and so on against their own environments because doing so might be disruptive to other tenants. Look for your PaaS provider's willingness to address your concerns and, ideally, help you schedule the tests you need.
Asking the right questions
One best practice in assessing PaaS security involves developing a list of questions to which you must have clear answers. You can follow that with questions with answers that are "nice to haves," but not necessarily deal-breakers.
For help compiling your questions, turn to resources from two independent organizations: The "Cloud Controls Matrix" from the Cloud Security Alliance and the "Guidelines on Security and Privacy in Public Cloud Computing" from the National Institute of Standards and Technology.
Once you've compiled a short list of PaaS providers that meet your business requirements, you can ask your security questions, evaluating the responses on completeness and effectiveness. When the written responses aren't enough, ask to speak to one of the PaaS provider's technical people -- not to a salesperson -- to help fill in the blanks.
In the future, Hazdra expects to see the evolution of a common security framework that's based on standards and that independent third parties can audit for compliance, much like ISO compliance in manufacturing. That development would make it easier to assess the security of different PaaS offerings, evaluating tradeoffs such as cost versus security levels. It would also make it possible for PaaS providers to offer security-level agreements.
About the author:
George Lawton is a journalist based near San Francisco. Over the last 15 years, he's written more than 2,000 articles on computers, communications, business and other topics. Find out more at glawton.com.
This was first published in October 2013