Adopting a platform-as-a-service (PaaS) delivery model dramatically boosts an organization’s ability to create services and make them available to clients and stakeholders. That is why chief information officers (CIOs) are looking to PaaS to reduce costs, produce agile services and improve the customer experience. These benefits seem like no-brainers, but it’s important to seriously consider the security implications when adopting a PaaS platform.

PaaS customers do not manage or control the underlying cloud infrastructure, which includes networks, servers, operating systems and storage. With PaaS, software patching and other vulnerability-related processes are delegated to the cloud provider. The consumer typically has no say in what gets installed. The vast majority of attacks on these systems exploit vulnerabilities for which patches are publicly available, so a good patch management strategy is the first line of defense against these attacks.

Sharing Resources in Space and Time

One of the essential characteristics of cloud computing is that resources are shared among multiple users. This is a major security concern. Consumers are afraid boundaries might break down and lead to confidentiality or integrity breaches.

Data must be as secure as possible without compromising ease of use and access. The obvious answer to this problem is encryption, but this presents a few practical challenges. For example, data needs to be unencrypted to perform searches. Performance needs could result in caching significant data in memory or even storing the encryption keys in cleartext.

Resources are shared not only in space, but also in time, meaning that the very same resource area allocated for a consumer can be reused at a later time for another consumer. Secure storage reuse and secure data disposal are critical here.

One customer’s resource usage shouldn’t affect other customers. With traditional outsourcing, isolation is achieved by maintaining dedicated physical infrastructure for each customer and wiping clean all shared computers before reuse. Some cloud providers offer resource instances that run on hardware dedicated to a single customer, causing the boundary between cloud computing and platform hosting to shrink significantly.

DDoS Response

Distributed denial-of-service (DDoS) attacks target the availability of a system or a service by saturating resources. A cloud solution’s ability to quickly respond to a changed workload — the rapid elasticity characteristic — and scale outward with demand creates a natural protection against some DDoS attacks. Due to rapid elasticity, PaaS solutions are by nature more resilient to attacks.

As a side effect, a DDoS attack that activates a spike in elasticity may involve extra unwanted costs. Whenever a cybercriminal attempts to saturate any resource, however, the rapid elasticity characteristic kicks into gear, acquiring new resources to counter the attack. The measured service characteristic may then notify the consumer that something unexpected is happening, providing an additional level of early warning.

Free PaaS offerings are often exploited to facilitate automated cloud-based attacks. The role played once by botnets is now played by sample cloud offerings: Thousands of microcloud instances can be provisioned by automated scripts and then used simultaneously to launch a coordinated DDoS attack against a small listing of targets. All the bad guys need is an application program interface (API) to provision cloud platforms, platform access to automatically install script and, eventually, a few hours of central processing unit (CPU) and network burst — just enough time to create service unavailability before being identified and taken offline.

Key PaaS Capabilities

In addition to traditional attack methods, a new phenomenon recently emerged in which cybercriminals threaten potential victims with large-scale DDoS attacks if they refuse to prepay a ransom. This is the case with DDoS for bitcoin (DD4BC), which has been active since 2014. Its rival, Armada Collective, appeared toward the end of 2015.

Security services will be a strategic market differentiator for cloud providers. A PaaS service should be able to:

  • Scan and analyze mobile applications.
  • Scan web apps on the internet or private networks.
  • Perform static analysis to scan source code for security vulnerabilities.
  • Employ single sign-on capabilities.
  • Drain logs over the syslog, syslog-tls or HTTPS, including all the events related to the application.
  • Distinguish logs from different instances of the same application.
  • Encrypt data at rest.
  • Facilitate secure communication between the application and database instance.
  • Discover sensitive data and stored procedures for masking sensitive data.

Similarly, a PaaS platform should equip IT analysts with a better understanding of security policies, including practices such as source code scanning, dynamic scanning, threat modeling and penetration testing, as well as a documented process for incident management. It should help IT teams comply with industry standards regarding network security, data encryption and access control. Finally, it must enable organizations to secure data in transit, in use and at rest.

Finding the Right Solution

A cloud security platform should be designed with secure engineering practices and layered security controls across the network and infrastructure. It also needs to provide security services that application developers can use to secure their mobile and web apps.

IBM Bluemix uses infrastructure-as-a-service (IaaS) cloud services and takes full advantage of the existing Bluemix security architecture. It provides multiple, overlapping tiers of protection for your applications and data. Bluemix also adds security capabilities at the PaaS layer in three categories: platform, data and application.

Learn more about IBM Bluemix

More from Cloud Security

How I got started: Cloud security engineer

3 min read - In today’s increasingly cloud-focused business environment, cloud security engineers are pivotal in protecting an organization’s critical data and infrastructure. As experts in cloud security, they leverage their expertise to ensure that the ever-expanding amount of cloud data is safe from emerging threats and vulnerabilities. Cloud security professionals combine their passion for technology with a deep understanding of security principles to design and implement robust cloud security strategies. What experience do these security experts have, and what led them to the…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Lessons learned from the Microsoft Cloud breach

3 min read - In early July, the news broke that threat actors in China used a Microsoft security flaw to execute highly targeted and sophisticated espionage against dozens of entities. Victims included the U.S. Commerce Secretary, several U.S. State Department officials and other organizations not yet publicly named. Officials and researchers alike are concerned that Microsoft products were again used to pull off an intelligence coup, such as during the SolarWinds incident. In the wake of the breach, the Department of Homeland Security…

What you need to know about protecting your data across the hybrid cloud

6 min read - The adoption of hybrid cloud environments driving business operations has become an ever-increasing trend for organizations. The hybrid cloud combines the best of both worlds, offering the flexibility of public cloud services and the security of private on-premises infrastructure. We also see an explosion of SaaS platforms and applications, such as Salesforce or Slack, where users input data, send and download files and access data stored with cloud providers. However, with this fusion of cloud resources, the risk of data…