Platform as a Service (PaaS) is a cloud computing service model that allows users to rapidly develop software and applications via a comprehensive, cloud-based platform. Often used by developers, PaaS allows users to build, compile, and run programs without worrying about the underlying infrastructure and without the need to deploy and configure software.
PaaS does not require users to manage or control networks, servers, operating systems, and storage, but does allow users some control over software workflows, configurations, and in some cases, the application hosting environment.
When considering PaaS security as part of an organization’s cloud security strategy, PaaS users should pay attention to their identity as a key security perimeter. In addition, it is important to secure code artifacts such as repositories and container images, ensure development workflows are tightly controlled, secure sensitive data, and ensure monitoring, logging, and auditability of the entire development lifecycle.
In this article:
PaaS platforms are attractive targets for hackers because they provide access to a wide range of applications and data:
When working with a PaaS provider, you need to understand how the platform works and what you need to do to protect your data.
Security is not the sole responsibility of the PaaS provider. When choosing a PaaS provider, consider these important questions:
The following technology solutions can help cloud customers secure their PaaS environment.
CASB uses auto-discovery to identify cloud applications in use, high-risk applications, high-risk users, and other risk factors. It can implement security access controls such as encryption and device analysis. If single sign-on (SSO) is not available, it can also perform credential mapping.
CWPP is a next-generation security management tool that helps keep workloads secure in cloud environments. It protects not only the application itself, but also the processes and resources that support each workload, such as the networks and databases used by an application.
Another advantage of CWPP is that it protect individual workloads across complex hybrid and multi-cloud architectures. For example, if a workload has five instances running in one cloud, five other instances in another cloud, and two instances on-premises, CWPP sees all 12 instances as a single workload and provides consistent protection.
Cloud Security Posture Management (CSPM) is a security solution designed to identify cloud misconfiguration and compliance risks. It continuously monitors gaps in security policy and helps enforce secure configurations in cloud infrastructure.
CSPM is typically used by organizations that are adopting a cloud-first strategy and want to extend security best practices to hybrid and multi-cloud environments. It can be used to minimize misconfiguration issues in PaaS services and the applications running within them. It also reduces compliance risk across a cloud environment.
The following best practices can help you more effectively secure PaaS environments.
Threat modeling involves deconstructing the application’s design into components and analyzing how these components interact from an attacker’s perspective. The goal is to evaluate the application and the risks it faces to outline mitigation steps for remediating previously uncovered vulnerabilities
PaaS vendors typically provide encryption for data in transit by default or provide mechanisms to enable it. Encryption helps protect data passing through REST APIs, which use HTTPS as communication transport.
In PaaS environments, data in transit has a higher security priority than data at rest, because PaaS has complex workflows and tends to integrate with multiple external systems. However, you should still encrypt stored data, such as configurations, session information, or sensitive customer data. Typically, data at rest encryption requires using tools that work with the PaaS vendor’s APIs.
In addition to setting up encryption, you should also implement secure secret management to protect artifacts that require security, such as keys generated and used for at-rest encryption, passwords, and API tokens.
Due to the underlying platform APIs, you rarely can “drop in and replace” the vendor. To maximize portability and minimize lock-in, you should choose a language supported by most vendors.
Most providers support popular languages like C#, Java, and Python. If you use a niche vendor, you can create wrappers around the niche APIs to implement a layer of abstraction between a service or application and the underlying niche APIs. This technique can ensure you only need to make one modification when changing providers.
Each PaaS vendor offers different security features. You need to investigate the available security features and then enable them. Common security features include a web application firewall, application gateway, and enhanced monitoring and logging.
You should also maintain a strong identity and credential management by implementing the features offered by the cloud vendor. Common features include identity and access management, authentication, and authorization. Ideally, you should integrate these features into back-end processes for developer or administration access and application access.
for up to 20 instances