PaaS security considerations

Security is the first concern which arise when talking about cloud services. Let's take a closer look.

Cloud services are usually categorized as SAAS, PAAS, and IAAS. What comes to security, I personally trust PaaS most.

Infrastructure as a Service (IaaS):
Computing resource, typically a virtual machine or sometimes physical computer, is provided to customer. Customer installs platform, middleware services and application software. Security is more or less up to the customer's competence. Example service providers: Amazon EC2, IBM Softlayer.

Platform as a Service (PaaS):
OS platform, execution environment, data storage and services are provided by service provider. This environment is more limited simultaneously more protected than IaaS. Example service providers: Microsoft Azure, IBM Bluemix.

Software as a Service (SaaS):
Customer pay for use of certain domain specific application and has very limited capability to affect the behavior of the software. Usually SaaS providers do not disclose their security measures, thus one can not evaluate the level of security. Example services: Salesforce, Basecamp.

Summary: IAAS - You're on your own. PAAS - Limited but protected. SAAS - You just got to trust.

PaaS security mechanisms

Let's dig into some details of security mechanisms of PaaS service. I'm using IBM Bluemix as an example here.

Control of external communication
Only HTTP/S and WebSocket/S connections are allowed. All other connection attempts are discarded. All external connections go through external appliance for improved security.

API isolation
Only selected set of application programming interfaces are provided to developer. Even if the application is behaving badly, it can not do much harm. Vulnerabilities like Shellshock are eliminated as the platform does not provide access to such services as command line.

Data protection
Data is proven to be available to given application only. However, several instances may share the same data store, if configured so.

Platform instantiation
Each application runs in its own container that has specific resource limits for processor, memory, and disk.

The week point of a PaaS-based cloud service is the application itself. No security measure can protect the application from it's own stupidity. However, the developer can focus all attention to application design, without need to worry for underlain services. This may eventually reduce the amount of stupidity in application design and leads to better overall security.