October 11, 2016

SaaS, PaaS and IaaS: What are all the risks?

By Davitt Potter
Senior Security Engineering Manager, Arrow ECS

 

 

Cloud computing is a transformative technology that offers new layers of automation as well as better use of computing resources. It offers many advantages, including scalability, productivity, flexibility and a reduction in capital spending and technology infrastructure, just to name a few.

However, as you and your customers expand your adoption of software as a service, platform as a service and infrastructure as a service models, organizations need to understand the risk that is introduced as data and resources are moved outside of the enterprise firewall. When implementing any (or all) of these three models, pay close attention to the security trade-offs, not only for data but also for organizational compliance, that arise when organizations separate application and information resources from the underlying physical infrastructure.

SaaS Security Concerns

  • SaaS, sometimes referred to as on-demand software, is a model where software is licensed on a subscription basis and is centrally hosted.

Hackers are increasingly interested not only in breaking into your network but also in the value of the data they may find there. Data encryption is a good idea to help protect organizational data if the SaaS provider is compromised; however, it will not protect against phishing and malware attacks launched to steal individual user access credentials. Encryption should be considered a “must have” technology, but organizations should remember that, by itself, it is not a panacea.

Although SaaS providers must provide assurance that they are taking steps to mitigate breach risks, the responsibility for security cannot stop there. Organizations that select SaaS solutions must also share security responsibility and implement internal procedures and processes. This includes education strategies to teach employees how to identify and respond to phishing campaigns, as well as setting company policies around what data should be placed in the cloud and what is better kept within the firewall. Just because an organization can store its data in the cloud doesn’t mean that it should. Organizations need to have a conversation with a trusted, knowledgeable partner to determine what (if any) data is best kept on premises, in a hybrid setting, or totally “in the cloud,” and to understand the business and security consequences of doing so. Setting policies and best practices around what data may or may not need to be stored in the cloud can save numerous headaches, and potential data exposure and loss, later.

PaaS Security Concerns

  • PaaS allows companies to build, run and ultimately manage Web applications without the infrastructure that is normally required.

Because PaaS is based on the notion of using shared resources (such as hardware, network, and security provisions), security concerns are usually focused on mission-critical information that hackers can obtain during a data breach. If the PaaS tenants have Administrator/‘root’ or shell access to the servers running their instances, additional security issues could arise if hackers are able to gain unauthorized access and change configurations. Additionally, security controls and self-service entitlements offered by the PaaS platform could pose a problem if not properly configured. Providers should be able to provide clear policies and guidelines, and adhere to industry-accepted best practices.

Once again, security cannot be solely the PaaS provider’s responsibility. When selecting a PaaS vendor, consider these crucial issues before final selection:

  • What are the types of encryption used?
  • What is the data independence and availability? (Can you move your virtual machines and all of their data to another provider? Who has access to it? What happens if a cloud instance migrates to another country?)
  • What are the disaster recovery/business continuity protocols?

IaaS Security Concerns

  • IaaS provides virtualized computing resources over the Internet, hosted by a third party.

The security concerns of IaaS are similar to the concerns of your own data center. Are you protecting sensitive data or intellectual property? Are there compliance standards that need to be met, and how are those standards evaluated? Do you need the ability to audit your cloud provider to meet those compliance requirements? What approach does the cloud vendor take in monitoring?

With IaaS environments, control is the major concern that you need to address. Because you’re using a virtualized environment and resources that are not technically yours, weaknesses in the vendor’s security can affect your organization dramatically.

Use a Trusted Expert

Insufficient due diligence is a top contributor to security risk associated with SaaS, PaaS and IaaS. These security issues are the reason why it is so important to work with a knowledgeable and trusted technology provider. Arrow Enterprise Computing Solutions offers a comprehensive portfolio from the world’s leading technology suppliers to solve your customers’ most pressing network, computing and security issues.

Editor’s Note: This post was originally published in June 2015 and has been updated for accuracy and comprehensiveness.