As with most cloud services, PaaS security considerations typically revolve around the practicalities of working in a distributed environment. The main PaaS security consideration is usually access control. This has implications for data protection both at rest and in transit. With that in mind, here are five PaaS security best practices you should usually aim to implement.
PaaS security is a shared responsibility between the cloud service provider (CSP) and the client (or tenant). The CSP is responsible for ensuring the security of the underlying infrastructure. The client is responsible for managing their use of that infrastructure.
The client also has ultimate responsibility for ensuring the privacy, integrity, and accessibility of their own data. This has two key implications. Firstly, clients need to manage their own user access (in other words, implement robust access control). Secondly, they need to assume that both their CSP’s and their own defenses will be breached at some point. They therefore need a robust plan for dealing with that situation.
Here are the seven most important PaaS security best practices that will help to keep your data safe.
Risk assessments are the foundation of all forms of security. They need to be undertaken regularly as security threats are continually developing. This matters especially for anything related to IT, as it is a fast-moving environment.
In the context of PaaS security, risk assessments should usually take the form of threat modeling. Your IT team needs to look at your applications from the point of view of a potential attacker. They should deconstruct each part and analyze both individual components and their interactions, looking for potential vulnerabilities.
Effective mapping will make it much easier to undertake effective threat modeling, even if you’re only using one CSP. With PaaS, it’s very common for clients to use multiple CSPs, leveraging their various strengths. For example, AWS Lambda is often the tool of choice for business logic whereas Heroku may be the preferred option for serving the UI.
The more CSPs you use, the more important it becomes to keep accurate and up-to-date maps of your processes. You should therefore have a protocol for ensuring that maps are updated any and every time a process is changed.
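One way to make such a map reviewable by machine, shown as an added example rather than anything from the original article: components and their interactions are recorded as data, and a check lists what a threat-modeling session should look at first. The component names, the findings vocabulary, and the 90-day staleness threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Component:
    name: str
    provider: str         # CSP that hosts it
    last_reviewed: date   # when this map entry was last confirmed

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    encrypted: bool       # protected in transit (e.g. TLS)
    authenticated: bool   # dst verifies the caller's identity

def review(components, flows, today, max_age_days=90):
    """Return sorted (finding, subject) pairs to raise in a threat-modeling session."""
    by_name = {c.name: c for c in components}
    findings = set()
    for c in components:
        if (today - c.last_reviewed).days > max_age_days:  # 90 days is an assumed policy
            findings.add(("stale-map-entry", c.name))
    for f in flows:
        subject = f"{f.src}->{f.dst}"
        if f.src not in by_name or f.dst not in by_name:
            findings.add(("unmapped-component", subject))  # the map has drifted
            continue
        if not f.encrypted:
            findings.add(("plaintext-flow", subject))
        crosses = by_name[f.src].provider != by_name[f.dst].provider
        if crosses and not f.authenticated:
            findings.add(("cross-provider-unauthenticated", subject))
    return sorted(findings)

# Constructed sample map: UI on Heroku, business logic on AWS Lambda.
TODAY = date(2024, 6, 1)
COMPONENTS = [
    Component("ui", "heroku", date(2024, 5, 20)),
    Component("orders-fn", "aws", date(2024, 5, 20)),
    Component("orders-db", "aws", date(2023, 11, 2)),
]
FLOWS = [
    Flow("ui", "orders-fn", encrypted=True, authenticated=False),
    Flow("orders-fn", "orders-db", encrypted=True, authenticated=True),
    Flow("orders-fn", "email-api", encrypted=True, authenticated=True),
]

if __name__ == "__main__":
    for kind, subject in review(COMPONENTS, FLOWS, TODAY):
        print(f"{kind}: {subject}")
```

Running the same check whenever a process changes turns the update protocol into something that fails visibly when the map and the deployment disagree.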
All applications should be thoroughly tested both on their own and as part of their infrastructure. It’s advisable to retest applications periodically, regardless of whether or not any changes are made. Applications should definitely be retested every time a change is made, no matter how minor. Again, there should be protocols in place to ensure that this happens.
Keeping data encrypted is one of the most basic security best practices there is and should definitely be applied to PaaS security. Cyber attackers have long since worked out that the threat of leaking data is a very powerful one. What’s more, even if you agree to their terms, you still have to take it on trust that they will actually keep up their side of the deal.
Keeping data encrypted at all times ensures that it cannot be compromised even if your defenses are breached. This means you can afford to ignore any demands cyber attackers may make.
Part of security, including PaaS security, means ensuring that your systems remain functional and your data is accessible no matter what happens. The only way to be sure of this is to have a robust backup system. This includes having a robust system in place for restoring from the backups you take.
All reputable PaaS vendors are going to have native tools for managing user authentication and access management. Most will have other in-built security features. Common options include a web application firewall, robust logging and monitoring functionality, and useful reporting.
Make a point of leveraging the tools your CSP provides unless you have a better alternative. Be prepared to supplement your vendor’s tools with ones you source yourself.
Currently, C#, Python, and Java are supported across just about all PaaS providers. It’s therefore strongly advisable to stick to these languages as much as possible. This will minimize your potential vulnerability to vendor lock-in.
If you must use more niche APIs, then make it a policy to build in layers of abstraction between them and the application or service. This will minimize the number of changes that need to be made if you wish to move to a new vendor.