In a previous post, titled "Is PaaS the optimal cloud service model option for security? (Part 1 of 2)" I teed up the idea that PaaS (Platform-as-a-Service) - a way of delivering cloud services - is, in my opinion, the best option for getting a balance of security and usability. This post discusses why I believe that is true and how we can start to benefit from it moving forward.
Platform-as-a-Service, commonly referred to as PaaS, forces a partnership between vendor and consumer more than either of the other two available service models (IaaS or SaaS) because the vendor delivers virtual infrastructure as well as the software needed to host your application or service. In this model, the consumer provides the application (code) and shares security and management/monitoring capabilities, as well as responsibility, with the vendor. While I can't imagine this is easy on the contract end of things, I believe that it's the most sane approach, and one that will continue to evolve into the top choice for cloud services. “Gartner forecasts the worldwide enterprise market for PaaS platforms will grow from $900 million in 2011 to $2.9 billion in 2016, representing a 26.6 percent rise each year,” writes David Linthicum in InfoWorld. A greater than 25% rise year-over-year is considered meteoric by some standards, and rightfully so.
One of the keys to PaaS being the best option for security is that it forces cooperation between vendor and consumer. You can't just dump data into the system and pretend security isn't your problem anymore like in the SaaS (Software-as-a-Service) model, nor are you stuck trying to work out all the security bits (beyond the wire/network) like in IaaS (Infrastructure-as-a-Service).
The trick to shared responsibility is, of course, understanding where the line is and having a clear understanding of who is responsible for what. I recently published a podcast where I talked through this issue with an attorney - who ultimately led me to the conclusion that all things cloud require experienced attorneys, else you will fail. Lawyer jokes aside, we are really forced to sit down with the CSP (Cloud Service Provider) and understand which of you is responsible for things like maintenance of the application server configuration and patching - especially when your code depends on certain features and configurations and perhaps even patch-level to function.
When you're picking your CSP for PaaS, make sure you look at the Cloud Security Alliance CCM (Cloud Controls Matrix) to get an understanding of what controls should be in place, and then decide which of your CSP partners provide the best capabilities, while giving you transparency and whatever measure of control you require.
The critical issues, when it comes to shared responsibility, are the ones which tend to require 'both' you and your CSP to cooperate. For example, one of the biggest issues is incident response. When something goes wrong, and it doesn't have to be a security event, who is the first responder, who manages the incident response, and how does determination of 'closure' take place? Having this discussion with your CSP before you sign the contract is much easier than trying to have it afterwards and realizing that you're left holding the bag. If you as the consumer don't have the capability of response, then you should at least have confidence in your provider's response - or else you're left trying to fix something you can't have access to, or maybe worse - you don't fully understand.
Shared responsibility is a big leap of faith, but then again it may be the best leap you've ever taken as an enterprise security organization. In today's IT landscape I think the odds that a PaaS cloud service model will improve your overall security posture are about as good as the odds that it will decrease that same posture. Those odds, I believe, favor the less mature organization and therefore more of a dependence on external parties for security. Some organizations live below the "security poverty line" (a term coined by Wendy Nather, 451 Group) and in their case a PaaS provider which can maturely handle their security concerns, and is properly vetted, will likely dramatically increase their security capabilities.
While collaboration via the shared responsibility model is critical in theory, the practice of this is where rubber meets road. It's easy to get caught up in magnificent promises which make you feel all warm inside - but ask how the shared responsibility comes together. If your provider is responsible for security "up to the application server" and you're responsible for system-level access, and all the code running on top of the platform, and sharing responsibility for incident response ... ask how this will happen.
Is there a way for your provider to show you all the security bits "behind the scenes" that you're not responsible for? For example, attacks at the network level which you'll hopefully never see - or do you even care? Let's face it, cloud providers (including HP) talk about transparency - but the key is in the delivery of a mutually agreed upon value.
Shared telemetry is tricky because as the customer you need to view data that's relevant to you and your environment without compromising the data of your co-tenants, while being able to only tweak controls of things you have responsibility for. This is the opposite of a trivial ask ... I know, I'm watching several organizations try to deliver this as a service right now. It's hell, but striking a balance delivers unprecedented value to the customer. In many of these cases data and telemetry are delivered via a portal or 'view' into the environment through a customized SIEM tool. That makes a ton of sense since SIEM already does so much for us beyond simple logging and correlation.
This will likely not shock you if you've been keeping up on this blog lately, but one of the bigger issues is shared change management. That's right, I said shared change management in the PaaS environment. At a CSP of any scale, this is at best a puppet show. Small vendors will have relatively fewer issues with this, but think about having to do change management across 1,000 customers, each with several thousand potential VMs... a virtual nightmare. I'll leave the granularity discussion for someone much smarter than I, but I think at the very least a workable advanced-warning system for maintenance of any kind is needed. Beyond the "your environment will receive an upgrade to the MySQL versions from version X to version X.1 on Day Y" you will need the ability to test compatibility, the ability to postpone should you encounter a hard-stop, and other means to potentially roll-back if something were to break ... assuming your CSP cares whether your stuff breaks or not, right? Wait, what does that contract say again?
It's a PaaS win
I really do believe that as PaaS matures and evolves, and the PaaS CSP community starts to mature to the point where every solution does not look completely different, you'll eventually end up with an 'app store'-like functionality. You'll pick a provider and have the capability to deploy to PaaS provider A, B or C and their consistency will allow you to have a single security model with shared and central tools ... maybe? The next trick is to open up the CSP's reporting interface so that you can get multiple providers' telemetry into a single 'thing' ... or maybe that's what these Cloud Services brokers are all about? Perhaps one of them can speak up - I'd love to hear their take on something like this. I already know of a few partnerships we have (HP) which are attempting to do this, and it'll be interesting to see how it works out.
Security is always going to be important, and more so in the cloud as the network flattens, the applications/services are exposed to the 'big, bad Internet' and you lose control of the infrastructure and even the app servers/middleware. The key for you, the consumer, is finding a good middle ground where your developers are happy, your operations folks are happy (maybe those two groups are even the same thing?), your management is seeing 'agility' and the security folks are resting a little bit easier. I guess time will tell us whether PaaS comes out the winner in security ... or not.
As with any assessment, your mileage may vary, and clearly this is not a blanket assessment that applies to everyone unilaterally. Even the best ideas and intentions fail in some circumstances. To that I say, batteries not included, some assembly required.