Ask The Security Expert: Questions & Answers

How secure is 'Platform as a Service (PaaS)?'

EXPERT RESPONSE FROM: Michael Cobb, featured expert

QUESTION POSED ON: 02 April 2009
Should enterprises be confident in the security of cloud computing or Platform as a Service, like Google App Engine and Microsoft's Azure Services Platform?


The economics of cloud computing, particularly in the current economic climate, do look extremely compelling: on-demand resources, pay-as-you-go pricing, and "infinite" scalability, as some vendors claim. There's no doubt it's here to stay, and enterprises will seek to leverage it in some way. In theory, cloud computing can also lead to reductions in IT staffing levels, as there's not the same need for in-house knowledge to support internal systems or processes. The enterprise instead can outsource part of its infrastructure and leverage the expertise of professional application, platform, infrastructure and service providers.

My advice, however, is to always proceed with caution when assessing the suitability of any new technology for the enterprise, particularly when it comes to security. Personally, I don't feel cloud computing is mature enough yet for enterprises to risk using it for anything more than development and familiarization, and certainly not critical, sensitive internal applications.

Platform as a Service (PaaS) vendors tend to dictate the database, storage and application framework used, so what about those legacy applications? Enterprises will still require the skills and infrastructure to be able to run them. I think it's this need for specialized training combined with security concerns that will see many enterprises start off with internal clouds, built within the security of their own network.

Though not offering the economies of scale of public clouds, internal clouds keep the enterprise in control of security, service levels and regulatory compliance, and can handle old and new applications. They also avoid the cost and disruption of completely restructuring an existing infrastructure. Once enterprises are comfortable with working with an internal cloud, they are quite likely to move to a hybrid whereby both public and internal clouds are used. For mission-critical applications, this will probably take the form of a private cloud where the enterprise has direct control of both clouds under a unified management system.

But this scenario is some ways off. Even the large PaaS vendors such as Google, Microsoft and Salesforce.com have short track records with their products. They need to be treated as you would any version-one product, with particular attention paid to their service-level agreements. For example, Windows Azure platform, Microsoft's cloud computing platform, suffered an outage one weekend in March. Had your enterprise been using the service, how would the outage have affected the organization's ability to conduct business? Alternatively, it would have been Microsoft's responsibility to fix it, not your IT team's (but be careful; your executive team may not see the distinction).

If you're looking for guidance on what uptime you should expect in a service-level agreement, the Cloud Computing Bill of Rights provides a useful checklist of protection with which to benchmark a supplier's offering. This is a wish list, but I think the upcoming National Institute of Standards and Technology (NIST) Cloud Computing Security publication will do a lot to standardize federal-compliant cloud infrastructures.

Once enterprises understand how to meet compliance demands and can control risks within a cloud environment, then cloud-based platforms could well become the obvious choice for enterprises as well as startups. This is why cloud service providers are scrambling to develop enterprise-class controls to give better control and management of resources and data in cloud environments.




All Rights Reserved, Copyright 2003 - 2009, TechTarget