Home    Bloggers    Messages    Resources   
Tw  |  Fb  |  In  |  Rss
Matt Heusser

Securing Platform-as-a-Service

Matt Heusser

I went to the GrrCon security conference to hear Adam Ely, the CISO of BlueBox Security and the former CISO of SalesForce.com and CSO of Heroku, give his recommendations for dealing with cloud security.

As we've discussed before, one way to tackle cloud security is to partner with a vendor that specializes in hosting compliant and secure applications. Most of the offerings from those vendors look more like hosted solutions, perhaps with a dashboard and a little bit of scalability, but you'll have to build your infrastructure yourself.

To an application developer, that seems like a lot of work. To the ops team, it seems like yet another system it doesn't have the time or energy to support.

Ely mentioned two other options. One is the software-as-a-service (SaaS) model -- renting a solution from a vendor. The other is something commonly called platform-as-a-service (PaaS) -- building the app yourself but renting the scalable stack. In other words, you upload source code in the right format to a preconfigured Web server, and everything just works.

SaaS and PaaS seem great, but they also mean letting go of a significant part of the infrastructure. What do you say when the security auditors come knocking on your door?

Adam Ely presents on 'Securing Cloud Applications' at GrrCon.
Adam Ely presents on "Securing Cloud Applications" at GrrCon.

Areas of risk
Ely identifies three specific types of risk: physical (when bad guys get in the datacenter), staff (when people get access they should not have), and abuse of authorized access by operations and security professionals. For PaaS, there is also the risk that the vendor will not keep the servers patched and hardened. With SaaS, the vendor also writes the code, and that code could have application vulnerabilities, like SQL injection.

Companies that want to move to these models have to deal with these risks at least to the satisfaction of management -- and likely to the satisfaction of IT, government agencies, or standard auditors.

A little customer, a big vendor
After listing the risks, Ely said nothing is free. If your company is paying eight dollars per month (or even per user) for a piece of software, you'll get the kind of support that eight dollars a month can provide -- which is very different from the kind of full-time hand holding a traditional operations staff can provide a group of IT security auditors.

For many customers, it is unlikely or impossible to get the vendor to comply with a security policy, especially since so many companies have conflicting policies. Ely suggests four techniques to reduce your risk.

  • Communicate intent, not implementation: Instead of telling the vendor the how, talk about your company's expectations. The cloud vendor probably hears similar things from many customers, and it can speak to the intent of your concerns.

  • Audit: PaaS providers typically offer log and production monitoring, intrusion prevention, and possibly firewall reports -- all of which you can include in your security policy.

  • Continuous audit: Many vendors have APIs to monitor who is doing what in the system, especially the backend. Who is logging on to the hardware, what are they doing, who is uploading data, who is looking at what -- vendors can help answer all these questions to one degree or another. Monitoring these things can help you stay compliant and identify risks early.

  • Encryption is data protection: If your data needs to be protected, wrap it in an encryption layer. Again, find a vendor that understands the problem and can support you. Don't force a vendor relationship because it's easy -- make sure the vendor can do what you need done. For example, Ely mentioned that Heroku is not interested in supporting healthcare companies with HIPPA requirements. The rules are too stringent, and the risks are too great. At least for now, the cloud vendor does not pursue or support those customers. It's better to find that out at the beginning of the process than at the end.

Ely offered an ideal scenario: Systems are dispensable, configuration management is automated, vulnerability assessments are continuous, and security events are alerted as part of operational management. It would be uneconomical for most companies to build this kind of system, but cloud vendors like Amazon and SalesForce can build it and spread the costs over thousands of customers.

Of course, that introduces a new partner and new risks, so work with your vendor to understand their implementation -- before you cut over.

Newest First   Oldest First   Threaded View
Page 1 / 2   >   >>
ITempire
ITempire
11/14/2012 1:02:10 PM
User Rank Steel
Re: You Get what you pay for
@ Matt

:) You are leaving out consultants. They have made billions while securing assignments from companies to implement regulatory requirements.

50%
50%
Matt Heusser
Matt Heusser
11/14/2012 11:29:15 AM
User Rank Blogger
Re: You Get what you pay for
@ITempire - I dunno.  We've tried that a few times, between SARBOX and Dodd-Frank.  The only people who seem to be getting secure through regulation are the accountants and auditors ... they have secure jobs ... :-)


50%
50%
Pam Baker
Pam Baker
11/13/2012 6:35:07 PM
User Rank Blogger
Re: You Get what you pay for
Excellent article, Matt. Thanks for posting it. And I agree, support should be a given on the bigger deals. But it isn't so buyer beware!

50%
50%
ITempire
ITempire
10/31/2012 10:36:29 AM
User Rank Steel
Re: You Get what you pay for
@ Matt That is where govt bodies should come in and ensure that if vendors are putting at risk too many customers and generating a lot of revenue, they ought to give guaranteed security. Paying taxes is not enough if public's data is at risk.

50%
50%
ITempire
ITempire
10/31/2012 10:26:07 AM
User Rank Steel
Cheap solutions
Rightly said. Expecting wonderful service and fully compliant security at 8$ per month is just not happening. Reputable vendors, quality service and secure apps all come at a price. The client organization has to evaluate what is more needed and affordable considering the price of the service

50%
50%
Matt Heusser
Matt Heusser
10/31/2012 8:19:38 AM
User Rank Blogger
Re: You Get what you pay for
@hailey wrote - "out of the house expertise can be a godsend and there are economies of scale."  Sure.  There is a lot to be gained by a vendor creating one app and selling it to 1,000 customers, more than a company implementing the same app locally.  The vendor can sell to 1/500th the build price and have something like 100% gross margin; everybody wins.  Also, I'm not excited about the "you ain't getting nothing for $8 a month."  That might be true for Amazon Ec2, but when I'm buying SaSS for $8 per user per month for 500 users, well, I expect some support! :-)


50%
50%
Matt Heusser
Matt Heusser
10/31/2012 8:16:51 AM
User Rank Blogger
Re: You Get what you pay for
@swikeyakumar - I think the common problem is that selling is to C-level, portfolio fallks to director level, and integration/implementation is done at the individual contributor level.  The director wants his goals met and the C-level suspects every lower level is just scared of outsourcing.  The resulting confusion is sad ... and predictable.


50%
50%
Matt Heusser
Matt Heusser
10/31/2012 8:00:14 AM
User Rank Blogger
Re: Prices
@mharden wrote: " I think a large part of the 'you get what you pay for' notion is companies going into the cloud with 'open-ended' contracts that leaves to much room for interpretation thus being disappointed in what services they received." - Good point.  The companies I see that are most successful with off-premise hosted SaaS, for example, tend to have contracts that are entirely click-wrap, and put the monthly bill on a credit card.  This is very different than classic, $10-$100K/month deals that are signed on real paper and negotiated over - that kind that the company lawyer actually reads ...


50%
50%
mharden
mharden
10/31/2012 7:19:40 AM
User Rank Steel
Re: Prices
A meaningful process of due diligence in procuring cloud services is setting the right expectations around the services being provided.  I think a large part of the "you get what you pay for" notion is companies going into the cloud with "open-ended" contracts that leaves to much room for interpretation thus being disappointed in what services they received.

50%
50%
swijeyakumar
swijeyakumar
10/30/2012 11:52:21 PM
User Rank Platinum
Re: You Get what you pay for
Price is a factor but as stated multiple things need to be considered. most of all buyers need to educate themselves an the risks and not be "sold" to by a good pitch. "buyer beware" really rings true in this scenario.

50%
50%
Page 1 / 2   >   >>
More Blogs from Matt Heusser
The pressure is on for solution providers to keep up their game in technology and services. These tips will point you in the right direction.
When was the last time you asked what would happen if the essential services you receive from the cloud went down -- even for 10 minutes?
In personal life or in business, IT can say, "Yes we can," and get things done through the cloud.
Your VP of operations wants to install a refrigerator that is Twitter-enabled in the new breakroom. Wait, what?
The next stop in software's world domination? The network.
information resources
sponsored content by NetApp
All resources
flash poll
follow us on twitter
like us on facebook
21st Century IT
About Us     Contact Us     Help     Register     Twitter     Facebook     RSS
Copyright © 2013 UBM Channel, a UBM company   |   Privacy Policy   |   Terms of Service