The Rise of PaaS and How to Secure It
Posted by: Romke de Haan
Cloud computing has increased the use of “Competitive Architectures” that utilize modern frameworks and computing resources to help scale, speed time-to-market, and improve the overall DevOps workflow.
A lot of the benefit stems from Cloud Service Providers’ PaaS (Platform-as-a-Service) infrastructure. No longer does the IT team need to worry about creating and maintaining virtual instances, or the operating system and technology platforms that power the code. Most PaaS services also carry the burden of scale, keeping the system stable for thousands or millions of requests. But with new technologies come new security controls and policies. Let’s take a look at some of the common PaaS offerings available and how to think about establishing a strong cloud security foundation alongside them.
SERVERLESS
“Serverless” is a bit of a misleading term. It doesn’t mean that there is no server running to process your code or store your data; it means that the responsibility of maintaining any type of “server” is completely abstracted away from your infrastructure. At GuidePoint Security we’ve seen a huge shift over the years of organizations greenfielding applications completely on serverless frameworks.
COMPUTE
Microservice architecture has reigned in the modern application space for a decade now. PaaS services let you expand on that design, stripping microarchitectures down further without the need to pay for idle compute time. With serverless compute, or Functions-as-a-Service, providers let you run small pieces of code that launch and shut down per request. Because each function is reached through an API Gateway, a GraphQL layer, or a similar front door, and reaches other services only through the identity it runs as, the security of these services becomes heavily dependent on strong IAM policies. That makes securing them through VPCs, IAM security policies, and other access controls even more critical.
APPLICATION INTEGRATION
There is a slew of PaaS services to help you do everything from orchestrating your Functions to sending out emails and SMS. Cloud service providers can also handle the most complex architectures, like machine learning, to provide your applications with some really cool predictive systems. Each of these services comes with its own security protocols and configuration options, so be sure to discover which controls you have to pay attention to when implementing them in your cloud tenant.
DATA
There’s a growing number of serverless data services in the cloud. From traditional database access to NoSQL to blob storage, these enterprise-ready data services allow you to construct resilient data architectures in the cloud. Like all the other serverless services, your security program needs to adapt to new ways of accessing and storing data. You can create very specific policies that limit which endpoints and identities in your applications can reach the data.
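The Compute and Data sections above both come down to the same control: the policy attached to a function’s execution identity and the policy attached to the data store it reads. As an added example that is not part of the original post, the script below lints policy documents for the least-privilege mistakes those sections warn about: wildcard actions, wildcard resources, and an anonymous principal with no condition. The post names no provider, so the AWS-style IAM policy JSON shape (Version/Statement/Effect/Action/Resource/Principal/Condition), the account id, the ARNs and the `vpce-EXAMPLE` endpoint id are all constructed placeholders chosen for this example, not values from the page.

```python
"""Lint serverless IAM policy documents for least-privilege violations.

Constructed example (not from the original post). Assumes AWS-style IAM policy
JSON; the post names no provider, so that format choice is an assumption here.
"""
from typing import Any


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    """Flatten a Principal block ("*" or {"AWS": [...], "Service": ...}) into strings."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flat = []
    for members in principal.values():
        flat.extend(_as_list(members))
    return flat


def lint_policy(document: dict) -> list:
    """Return (statement_id, finding) tuples for Allow statements that grant
    wildcard actions, wildcard resources, or anonymous access without a Condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "wildcard resource '*'"))
        if "*" in _principals(stmt) and "Condition" not in stmt:
            findings.append((sid, "anonymous principal '*' with no Condition"))
    return findings


# --- Constructed sample policies (account id and ARNs are placeholders) ---
BROAD_FUNCTION_ROLE = {  # weak: the function can do anything to any resource
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DoEverything", "Effect": "Allow",
                   "Action": ["s3:*", "dynamodb:*", "logs:*"], "Resource": "*"}],
}

SCOPED_FUNCTION_ROLE = {  # corrected: only the calls and resources the function needs
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOrders", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
        {"Sid": "WriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders-fn:*"},
    ],
}

PUBLIC_BUCKET_POLICY = {  # weak: anyone on the internet can read the data
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"}],
}

ENDPOINT_SCOPED_BUCKET_POLICY = {  # corrected: one role, and only via the VPC endpoint
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OnlyFromFunctionRole", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/orders-fn-role"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}],
}

if __name__ == "__main__":
    for name, doc in [("broad function role", BROAD_FUNCTION_ROLE),
                      ("scoped function role", SCOPED_FUNCTION_ROLE),
                      ("public bucket policy", PUBLIC_BUCKET_POLICY),
                      ("endpoint-scoped bucket policy", ENDPOINT_SCOPED_BUCKET_POLICY)]:
        print(f"{name}: {lint_policy(doc) or 'no findings'}")
```

Running the script reports four findings for the broad execution role and one for the public bucket policy, and none for the two scoped documents. The same check slots into a CI step that runs against infrastructure-as-code before a deployment, which is where a serverless security program catches these mistakes cheaply.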
CONCLUSION
Mainly it comes down to a streamlined technology process. If your teams are managing applications on site over VPN, you may have latency issues and trouble with access. Maybe your staff can’t handle all the tiny day-to-day tasks and still complete major projects. Or the budget may not call for additional headcount even though you need additional capabilities. Whatever the reasoning, PaaS has established itself as a streamlined answer to the issues of speed, productivity, expansion and complexity in the cloud. With the “new normal” being cemented more every day, it’s not a bad time for cloud teams to start considering how they can implement PaaS services to increase their cloud maturity.
Romke de Haan
Romke de Haan has over 22 years of experience as a technical & business leader and technology strategist. Romke has worked with commercial corporations such as Microsoft, Razorfish, & Kohl’s as well as federal agencies including the General Services Administration, Environmental Protection Agency, and Transportation Security Administration.
Romke has provided technology leadership in digital transformation and innovation through the design of data-driven and UI-focused systems hosted both in the cloud and on-premises. In working with federal agencies such as the TSA, Romke helped lead cloud migration initiatives by transforming organizational practices from siloed structures and waterfall methodologies to Agile delivery methods such as DevSecOps through CI/CD pipelines.
Romke’s skillset includes not only technology but also UI design and business strategy, allowing him to better align digital transformation initiatives with the needs of the business. Romke has served in various roles including application architect, developer, mentor to startups across the US and South America, and in civic initiatives such as being a founding member of Milwaukee’s Code of America chapter.