Improving PaaS Security: Get your Developers Involved

The 6/16 Virtualization Security Podcast started as a Twitter conversation with a comment about PaaS Security where James Urquhart, Krishnan Subramanian, Rich Miller, and I went back and forth about PaaS security and the role of the developer. It was not quite a DevOps conversation but pretty close. Rich could not join us on this Podcast but hopefully will make a future one. PaaS security appears to be dependent on two things: the provider’s security and how the platform is used.

The basic rules for PaaS are really the same as for SaaS, with one wrinkle. Those rules are: if you want to secure your data, the responsibility for that security lies with you, the owner of the data. PaaS provides a platform on which to build SaaS applications and as such strikes me as a development environment in many cases. The NYSE Capital Market Community Platform forms an interesting mix of PaaS and SaaS within their cloud. However, there are other PaaS offerings that are strictly for developers, such as VMware CloudFoundry, RedHat OpenShift, and SalesForce Force.com. There are still others, such as AWS, that provide APIs to their clouds that appear PaaS-like.

Let’s look at a typical use case for PaaS:

  • Application chosen to be developed for a Cloud
  • Developer writes the code
  • Developer tests the code most likely using real world data (perhaps even PII or PAN data)
  • Developer iterates until the code is finished
  • QA tests the code once most likely using real world data
  • SaaS application pushed out into the Cloud

PaaS was developed to push the development of Cloud-based applications and as such is really a rapid development environment with many, if not all, of the pieces already in place, such as a database, communication, and the other components that make up an enterprise application. So, the question is: how do we secure this?

  • Ensure the PaaS is secure first by performing an audit à la CloudAudit
  • Understand your Data
  • Educate your developers
  • Ensure your data is secured by controls that ensure either integrity or confidentiality
  • Understand your Jurisdictional constraints

This could be quite a bit of work, but this is what should be happening as part of any secure development lifecycle (SDLC). Many of these components will be hard to do. Why? Because most do not do them now.

The security team must educate the developers about data security for the data in use, so both teams must understand their data. Developers must accept that they will need to practice secure coding techniques and will not have access to the underlying layers. For some developers, this will be a very hard adjustment. There are two classifications of developers: those who think they need low-level access to everything, and those who develop web applications today and live within the limits of the platform. In addition, developers must be educated not only on secure coding principles but also on legal issues dealing with jurisdiction, so that data is not propagated to where it should not be. Lastly, developers must secure critical data from the get-go instead of bolting on security at the end.

In essence, PaaS security is a process that requires developers, security, compliance, and legal folks to work together not only to choose a secure PaaS environment but also to produce a secure architecture and a secure development environment, so that data is protected from the beginning.
* The travelogue video was produced by Lars Troen