BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
The most popular cloud model today is infrastructure as a service (IaaS), but it's not always the best model for cloud app security. Many users are aware that platform as a service (PaaS) and software as a service can offer better savings, particularly for users without access to highly skilled cloud tech resources. Most don't know that PaaS in particular can offer better security, and even for skilled users that may be a decisive benefit. To get the most from PaaS security, understand the basic security differences between IaaS and PaaS, pick PaaS providers with security in mind, build applications to maximize the cloud app security benefits of PaaS, and think in PaaS terms when planning new cloud applications and migrations.
Applications are built on middleware tools, and if the combined middleware supporting an application is too complicated, security problems and errors can creep in quickly. In IaaS, every application is built into a machine image that includes the operating system and middleware. There are few (if any) cloud services on which all the applications and components can build, and so the procedures to link applications, identify and validate component identities, and manage data security are likely to be created by cooperation among the diverse machine images.
PaaS facilitates security measures and governance
In a PaaS cloud, a common middleware stack is made up of services that applications can use to secure components, connect and move work, and even manage exchanges with partner organizations. Applications are built on this stack, and so have a common set of features available to them. This harmonizes development, deployment and management of applications, facilitating security measures and governance.
The most obvious impact of this difference is that PaaS almost always includes a security and access control suite that is consistent across all the hosting points, database services, and applications and components. Although such a suite can be provided in IaaS, it's really going to be an on-premises security and access management tool hosted in the cloud, and not a cloud tool designed to address the special risks of public hosting.
A less obvious benefit of PaaS is commonality workflow and database management approaches. Developers will normally build to the tools available to them. That means that interface and database security, encryption and so forth could vary in implementation where the developers' platform offers diverse choices. IaaS, which doesn't constrain the identity of the operating system, much less versions and middleware tools, could introduce a host of different approaches.
PaaS offers standardized development tools
Today's applications are highly integrated to provide efficient workflows corresponding to business activities. If all the applications supporting a given business process are based on different operating system and middleware tools, then application support in the cloud will have to sustain all these approaches to secure applications overall. With PaaS, the tools for application connection and workflow are more standardized and easier to maintain.
Hackers need to enter an application or system to harm it, and that means interface security is critical. With IaaS, the ways in which an interface might be exposed are more variable, and so the measures to defend interfaces are more complicated. Because the operating system and middleware for IaaS has to be managed in the same way as they would be if the system was running in the data center, these interfaces have to be exposed. That renders them more vulnerable. With PaaS, the cloud provider can secure the management interfaces for the operating system and middleware using the same measures used to secure the cloud management interface itself, reducing the number of holes that might have to be plugged.
Some holes in cloud app security are deliberate; users often provide portals for customers and suppliers to exchange information with them. In IaaS, there is no specific way these portals would have to be created and secured, so they could be a major source of risk. In at least the more "architected" of the PaaS systems, there's a concept of "roles" and "actors" that categorize users and allows an administrator to set rights in an organized way. These rights would be enforced across all the systems, applications and databases under the control of the PaaS platform software.
All PaaS approaches are not created equal
Not all PaaS approaches are the same, nor will they all deliver exactly the same cloud app security benefits. Generally, PaaS clouds divide into three classes -- complete operating system and software frameworks like Microsoft's Azure, "adaptive" PaaS frameworks like that of Stackato (acquired by HP) that assemble middleware based on component dependencies, and "connected" PaaS frameworks like Amazon's AWS.
If security and access control are particularly critical for your cloud app security, you'll want to pick a PaaS strategy that offers a complete suite of operating system and middleware tools as a part of the platform or through dependency analysis. Optional additions will erode the "commonality" benefit of PaaS, and so will platforms that allow application developers to supplement platform middleware with products of their own choice.
Of course, PaaS is difficult to adopt where everything can't be run on a common platform. If you can't use PaaS, then try to base all your applications on a common workflow, component interface and directory, and database service strategy. By enforcing platform-like standardization, your IaaS can at least approach the level of security and "administratability" that PaaS offers.
PaaS vs. IaaS: Which is more secure?