Platform as a service, or PaaS, is a cloud computing service model that allows users to rent hardware and software tools over the internet to help quickly develop software and applications. Typically used by developers, PaaS allows users to build, compile and run programs without worrying about the underlying infrastructure. With PaaS, users do not manage or control the underlying cloud infrastructure, including network, servers, operating systems and storage, but they do have control over the deployed applications and possibly configuration settings for the application-hosting environment. AWS® Elastic Beanstalk and Google App Engine are popular examples of PaaS services offered by Amazon Web Services and Google Cloud.
Benefits and Security Implications
The use of PaaS has several benefits for businesses, such as enabling rapid software development and simplified deployment. However, while developers regularly access web-based resources – such as GitHub®, how-to guides or workbooks – to get their jobs done more quickly and effectively, attackers use these same resources to inject malware into unsuspecting networks. Moreover, deploying PaaS environments creates a lack of visibility that further exposes organizations to risk in the cloud. Lateral movement by an attacker in a data center or cloud can go undetected indefinitely without complete visibility and precise controls to restrict it. Without visibility, you also run the risk of not detecting unauthorized users who deploy cloud resources for cryptomining or other purposes at your expense.
To provide consistent, frictionless security that will protect vital assets without impeding the productivity and agility of adopting PaaS, automation needs to be part of the development process. Developers do not need to become security experts so long as security checks can be automated across the development life cycle. Applications within PaaS environments require enterprise-level security and a multi-dimensional approach, including in-line, API-based and host-based protection components. With in-line components, it’s important to protect and segment cloud workloads to safeguard against internal and external threats. By monitoring traffic in your cloud environment, you’ll gain application-level visibility into communication between cloud workloads and can implement segmentation policies to ensure the appropriate level of interaction between these workloads.
For API-based protections, you need continuous discovery and monitoring, data security, and compliance reporting. The API-based approach is transparent to developers and allows security teams to monitor cloud resources for any suspicious activity. This prevents misconfigurations and ensures compliance with industry standards like PCI DSS, HIPAA or GDPR. Lastly, with host-based protection components, you must secure the operating system and applications within the workloads. A lightweight host agent deployed within the cloud instance should detect any zero-day exploits and ensure the integrity of the operating system and applications. Attackers may still uncover vulnerabilities within the environment, but this agent-based approach can provide protection until your organization is able to patch components.