AWS Elastic Beanstalk (beta) is a useful tool for cloud architects and developers who want to deploy, monitor and...
scale Web applications quickly, on an as-needed basis. All they have to do is upload a code and let Elastic Beanstalk automatically handle the deployment -- from capacity provisioning, load balancing and autoscaling to application health monitoring. At the same time, they can retain full control over the AWS resources powering the application. They can even use the Elastic Beanstalk console to access the underlying resources at any time.
That said, developing Web applications on platform as a service (PaaS) comes with vulnerabilities. Threat agents include hackers, software design flaws or poor testing methods. These can take advantage of vulnerabilities in order to infect or halt the application.
By mitigating the risks of SaaS application development on PaaS, cloud architects and developers become more aware of the significant threats to their application. These insights can then contribute to higher return on investments, simply by implementing cost-effective safeguards. They also can reduce the costs of disaster recovery by reducing the frequencies of vulnerability exploitation.
Here are five steps to start reducing your risks:
- Identify assets
- Identify vulnerabilities and threats
- Assess risks
- Fix with safeguards
- Implement risk mitigation policy
Step 1. Identify assets
Identify assets associated with software-as-a-service (SaaS) application development on PaaS, then assign a value to each asset. Determine the categories where the assets should belong. Here are some examples:
Users: SaaS developers and SaaS users would both fit into this category. The value of each user group should be based on the average number of man hours spent in developing and testing the application.
Resources: These are any resources that are used by PaaS developers to run and store the SaaS application. For example, Elastic Beanstalk leverages Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Services, Amazon Simple Notification Service, Amazon CloudWatch, Elastic Load Balancing and Auto Scaling. The value is based on pay-as-you-go for these resources. Elastic Beanstalk is free.
Security: This could mean encryption mechanisms, firewalls and industry security standards, including SecaaS (security as a service). The value is based on the man-hours used to implement security.
Documentation: Training manuals, administration guidelines, security standards, network standards, contingency planning, disaster recovery plans and service-level agreements (SLAs) are just a few examples of documentation. The value is based on the type of media used to publish the documentation -- print, online or digital media (CD).
Software: Operating systems; vulnerability testing tools; office tools (documents, spreadsheets, presentations); log analyzers; and programming languages (Java, .NET, the PHP script language, the Node.js programming language, Python and Ruby) would all qualify as software. The value is based on the purchase price or the pay-as-you-go subscription needed to develop the SaaS application on PaaS.
Step 2. Identify vulnerabilities and threats
Hackers are not the only threat agents who could take advantage of PaaS vulnerabilities. Here are other examples of threat agents:
- Software design flaws could let in malicious SQL injections.
- Improper access control configurations could result in theft of the sensitive data the application is processing for storage.
- Improper firewall configurations could result in accidental PaaS outages.
- The vulnerability of data recovery due to the cloud characteristics of pooling and elasticity. This means resources allocated to one user would be accidentally reallocated to a different user. It is not always possible to recover data from a previous user.
Step 3. Assess risks
Users want to be assured that PaaS will be available continuously and that their demand for more traffic can be met. One method of assessing the risk of unavailability is quantitative. Some examples include:
- Estimated frequency per year that the PaaS would become unavailable due to infrastructure as a service (IaaS) outages
- Estimated frequency of PaaS attacks due to improper firewall configurations
- Estimated frequency of not meeting performance guarantees set forth in an SLA
- Estimated frequency of unsuccessful failover of network routers and switches that the support the IaaS on which the PaaS runs.
Step 4. Fix with safeguards
Implementing cost-effective safeguards is one way to mitigate the risks of SaaS application development on PaaS. Here are some examples:
- The application has been properly designed with no software flaws. PaaS developers and cloud architects have the adequate skills and instructions to develop well-designed applications on the PaaS.
- Access control configurations have been properly configured for users based on their different roles and/or data sensitivity. The logging option has been activated.
- Firewalls have been properly configured. Intrusion detection systems and load balancers are in place. A PaaS failover mechanism policy is enforced. The traffic to and from the PaaS has been encrypted.
Step 5. Implement risk mitigation policy
The process of identifying assets, identifying vulnerabilities and threats, assessing risks, and implementing safeguards can vary from one department to another within an organization. To standardize and reduce the cost of the process, a risk mitigation policy should be implemented.
The policy should include the AWS resources, programming languages and servers that are used to develop, run and store the application on the PaaS -- in this case, Elastic Beanstalk -- and how often the policy should be reviewed due to major technology changes, as well as changes in both user and organizational requirements.
In conclusion, have a good team follow the five steps involved in mitigating the risks of SaaS application development on PaaS. A quality group of PaaS developers will help to plan ahead and determine what the cost-effective risk mitigation process should entail.