The Rise of PaaS and How to Secure It

Cloud computing has increased the use of “Competitive Architectures” utilizing modern frameworks and computing resources to help scale, speed time-to-market and improve the overall DevOps workflow.

A lot of the benefit stems from Cloud Service Providers’ PaaS (Platform-as-a-Service) infrastructure. No longer does the IT team need to worry about creating and maintaining virtual instances or the operating system and the technology platforms that power the code. Most PaaS services also carry the burden of scale making the system stable for thousands or millions of requests. But, with new technologies comes new security controls and policies. Let’s take a look at some of the common PaaS offerings available and how to think about establishing a strong cloud security foundation alongside them.

SERVERLESS

Serverless technologies is a bit of a misleading term, it doesn’t mean that there is no server running to process your code or store your data, it means that the responsibility of maintaining any type “server” is completely abstracted from your infrastructure. At GuidePoint Security we’ve seen a huge shift over the years of organizations greenfielding applications completely on serverless frameworks. 

COMPUTE

MicroService architecture has reigned in the modern application space for a decade now. PaaS services let you expand on that design allowing you to further strip down microarchitectures even further without the need to pay for idle compute time. With server-less compute cloud service, or Functions-as-a-Service, providers allow you to strip down the architecture even further, allowing you to run small pieces of code that launch and shut down per request.  Security of these services become heavily dependent on ensuring strong IAM policies, API Gateways, or other services like GraphQL to communicate data back and forth with end users. It makes securing these services through VPCs, IAM security policies, and other access controls even more critical. 

APPLICATION INTEGRATION

There are a slew of PaaS services to help you do everything from orchestrate your Functions to sending out emails and SMS. Cloud service providers can also handle the most complex architectures like machine learning to be able to provide your applications with some really cool predictive systems. Each of these services provide some unique security protocols and configurations, so be sure to discover what controls you have to pay attention to when implementing them in your cloud tenant.

DATA

There’s a growing number of serverless data services in the cloud. From traditional database access to noSQL to blob storage, these enterprise ready data services allow you to construct resilient data architectures in the cloud. Like all the other serverless services, your security program needs to adhere to new ways to access and store data. You can create some very unique policies that limit access to endpoints in your applications.

CONCLUSION

Mainly it comes down to a streamlined technology process. If your teams are managing applications on site over VPN, you may have some latency issues and trouble with access. Maybe your staff can’t handle all the tiny little day-to-day tasks and complete major projects. It could be that the budget doesn’t call for an additional headcount but you need additional abilities? Whatever the reasoning, PaaS has established itself as a streamlined answer to the issues of speed, productivity, expansion and complexity in the cloud. With the “new normal” being cemented more every day, it’s not a bad time for cloud teams to start considering how they can implement PaaS services to increase their cloud maturity.