

You shall not PaaS!

Ben Finkel | April 6, 2016
The implementation of any connected database or computer system must consider security, first and foremost, and PaaS can be a big help

Each year, data and security breaches make big splashes in the headlines. In 2013, an attack against retail giant Target affected more than 40 million customers. A 2010 attack against the Sony PlayStation Network compromised 77 million accounts. The Identity Theft Resource Center already lists 155 separate breaches in the first quarter of 2016 alone.

The frequency and sophistication of these attacks will only increase. As a result, the implementation of any connected database or computer system must consider security, first and foremost.

Software engineers, developers, and architects have a prime responsibility to take advantage of every tool available to increase the security of the systems they deploy. This can seem like a heavy burden, particularly when resources are strained and the threat of an attack seems minimal. They might also feel helpless in the face of highly technical attacks and the persistence of malicious actors.

PaaS offers an important suite of features and tools to help with this task. Indeed, relying on public infrastructure and standardized tools and methodologies is a critical step in protecting your systems from attack.

PaaS software runs in the largest data centers, which are operated with some of the most secure software and hardware available. Before a single line of code is written or deployed, you can count on the robust security that organizations like IBM, Google, Microsoft, and others rely on in those data centers.

At the physical layer, these data centers employ many safeguards: perimeter fencing, employee background checks, custom access control, and other features that are often outside the modest budget of an individual organization. These are backed up with 24/7 monitoring and in-depth auditing capabilities for all physical access to the infrastructure.

The stack of software running the PaaS you deploy on has been built from the ground up to incorporate security at each layer. Google uses custom-built machines and operating systems that exclude unnecessary components and features where vulnerabilities would otherwise be introduced. All of the major cloud vendors use powerful industry-standard encryption technology for information in transit and often at rest as well. Secure networking, at both the physical and logical layers, rounds out another tier of security that is an integrated part of any solution we develop on these systems.

Of course, the primary feature of a PaaS deployment is the opportunity and flexibility to develop any app and workload we can imagine. With that power comes the responsibility to integrate sound security practices at the application layer ourselves. PaaS makes this as straightforward and understandable as possible in a number of ways.

Tools to scan for and report on common vulnerabilities such as cross-site scripting or SQL injection attacks are available, often for free. Amazon Web Services offers a Web Application Firewall to help you secure the traffic to and from your PaaS applications. Taking advantage of these offerings is an easy way to create a layer of application security that neither breaks your budget nor requires highly specialized security training.

 
