Adopting a platform-as-a-service (PaaS) delivery model dramatically boosts an organization’s ability to create services and make them available to clients and stakeholders. That is why chief information officers (CIOs) are looking to PaaS to reduce costs, produce agile services and improve the customer experience. These benefits seem like no-brainers, but it’s important to seriously consider the security implications when adopting a PaaS platform.

PaaS customers do not manage or control the underlying cloud infrastructure, which includes networks, servers, operating systems and storage. With PaaS, software patching and other vulnerability-related processes are delegated to the cloud provider. The consumer typically has no say in what gets installed. The vast majority of attacks on these systems exploit vulnerabilities for which patches are publicly available, so a good patch management strategy is the first line of defense against these attacks.

Sharing Resources in Space and Time

One of the essential characteristics of cloud computing is that resources are shared among multiple users. This is a major security concern. Consumers are afraid boundaries might break down and lead to confidentiality or integrity breaches.

Data must be as secure as possible without compromising ease of use and access. The obvious answer to this problem is encryption, but this presents a few practical challenges. For example, data needs to be unencrypted to perform searches. Performance needs could result in caching significant data in memory or even storing the encryption keys in cleartext.

Resources are shared not only in space, but also in time, meaning that the very same resource area allocated for a consumer can be reused at a later time for another consumer. Secure storage reuse and secure data disposal are critical here.

One customer’s resource usage shouldn’t affect other customers. With traditional outsourcing, isolation is achieved by maintaining dedicated physical infrastructure for each customer and wiping clean all shared computers before reuse. Some cloud providers offer resource instances that run on hardware dedicated to a single customer, causing the boundary between cloud computing and platform hosting to shrink significantly.

DDoS Response

Distributed denial-of-service (DDoS) attacks target the availability of a system or a service by saturating resources. A cloud solution’s ability to quickly respond to a changed workload — the rapid elasticity characteristic — and scale outward with demand creates a natural protection against some DDoS attacks. Due to rapid elasticity, PaaS solutions are by nature more resilient to attacks.

As a side effect, a DDoS attack that triggers a spike in elasticity may incur extra, unwanted costs. However, whenever a cybercriminal attempts to saturate a resource, the rapid elasticity characteristic kicks into gear, acquiring new resources to counter the attack. The measured service characteristic may then notify the consumer that something unexpected is happening, providing an additional level of early warning.
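
The early-warning idea above, as an added example that is not part of the original article: a sketch that flags elasticity-driven spikes in hourly metering data against a rolling median baseline and estimates the unplanned spend. The record layout, the per-instance price and the thresholds are assumptions, and the sample data is constructed.

```python
from statistics import median

# Constructed sample: hourly metering records as (hour, running_instances).
SAMPLE_USAGE = [
    (0, 4), (1, 4), (2, 3), (3, 4), (4, 5), (5, 4), (6, 4), (7, 5),
    (8, 4), (9, 4), (10, 5), (11, 4), (12, 19), (13, 42), (14, 61), (15, 58),
]
PRICE_PER_INSTANCE_HOUR = 0.07  # assumed rate, not taken from any price list


def detect_scaling_anomalies(usage, window=8, threshold=6.0,
                             price=PRICE_PER_INSTANCE_HOUR):
    """Flag hours whose instance count departs from a rolling robust baseline.

    Baseline is the median of the last `window` non-anomalous hours and the
    spread is the median absolute deviation (MAD). Anomalous hours are kept
    out of the baseline, so a sustained attack cannot teach the detector
    that the inflated level is normal.
    """
    baseline_hours, alerts = [], []
    for hour, instances in usage:
        if len(baseline_hours) < window:
            baseline_hours.append(instances)  # warm-up: history assumed clean
            continue
        recent = baseline_hours[-window:]
        base = median(recent)
        mad = median(abs(x - base) for x in recent) or 1.0  # avoid zero spread
        score = (instances - base) / mad
        if score > threshold:
            alerts.append({"hour": hour, "instances": instances,
                           "baseline": base, "score": round(score, 1),
                           "extra_cost": round((instances - base) * price, 2)})
        else:
            baseline_hours.append(instances)
    return alerts


def unplanned_spend(alerts):
    """Total cost attributable to instances running above the baseline."""
    return round(sum(a["extra_cost"] for a in alerts), 2)


if __name__ == "__main__":
    found = detect_scaling_anomalies(SAMPLE_USAGE)
    for alert in found:
        print(alert)
    print("unplanned spend:", unplanned_spend(found))
```

In practice the alert would feed a budget cap or a maximum-instance limit, so that elasticity absorbs a burst without leaving the bill unbounded.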

Free PaaS offerings are often exploited to facilitate automated cloud-based attacks. The role once played by botnets is now played by sample cloud offerings: Thousands of microcloud instances can be provisioned by automated scripts and then used simultaneously to launch a coordinated DDoS attack against a short list of targets. All the bad guys need is an application program interface (API) to provision cloud platforms, platform access to automatically install scripts and, eventually, a few hours of central processing unit (CPU) and network burst — just enough time to create service unavailability before being identified and taken offline.

Key PaaS Capabilities

In addition to traditional attack methods, a new phenomenon recently emerged in which cybercriminals threaten potential victims with large-scale DDoS attacks if they refuse to prepay a ransom. This is the case with DDoS for bitcoin (DD4BC), which has been active since 2014. Its rival, Armada Collective, appeared toward the end of 2015.

Security services will be a strategic market differentiator for cloud providers. A PaaS service should be able to:

  • Scan and analyze mobile applications.
  • Scan web apps on the internet or private networks.
  • Perform static analysis to scan source code for security vulnerabilities.
  • Employ single sign-on capabilities.
  • Drain logs over syslog, syslog-tls or HTTPS, including all the events related to the application.
  • Distinguish logs from different instances of the same application.
  • Encrypt data at rest.
  • Facilitate secure communication between the application and database instance.
  • Discover sensitive data and stored procedures for masking sensitive data.

Similarly, a PaaS platform should equip IT analysts with a better understanding of security policies, including practices such as source code scanning, dynamic scanning, threat modeling and penetration testing, as well as a documented process for incident management. It should help IT teams comply with industry standards regarding network security, data encryption and access control. Finally, it must enable organizations to secure data in transit, in use and at rest.

Finding the Right Solution

A cloud security platform should be designed with secure engineering practices and layered security controls across the network and infrastructure. It also needs to provide security services that application developers can use to secure their mobile and web apps.

IBM Bluemix uses infrastructure-as-a-service (IaaS) cloud services and takes full advantage of the existing Bluemix security architecture. It provides multiple, overlapping tiers of protection for your applications and data. Bluemix also adds security capabilities at the PaaS layer in three categories: platform, data and application.
