A Platform as a Service (PaaS) comes with vulnerabilities that hackers can exploit. To mitigate this risk, you should consider the defense-in-depth approach, which allows you to create layers of defense mechanisms to set up obstacles between hackers and their targets.
You cannot rely on one security mechanism to halt a hacker — you need layers of other mechanisms to protect a PaaS for different types of attacks. You should balance a mechanism's inherent weaknesses with other mechanisms that offer stronger obstacles.
Traditional defense-in-depth applies to a company that has full control of its IT infrastructure of physical servers and networks. With PaaS defense-in-depth, you are limited to controls a PaaS provider gives you.
The PaaS provider lets the developer build, test, deploy, and run a Software as a Service (SaaS) application on the PaaS. The developer can change the behavior of an application developed on-premise to make it work well on the PaaS, and then set user threshold levels that her team members can concurrently work with the PaaS.
The developer can use a laptop or mobile devices to access the PaaS from remote locations. The PaaS provider doesn't let the developer control operating systems, physical servers, or network infrastructure needed to run applications on the PaaS.
PaaS defense-in-depth's four phases of the life cycle
Asset identification phase
Identifying assets is the first step toward building layers of defense. You need to classify them into user, cloud, data, administrative, software, environment, and hardware assets.
- User assets include PaaS developers, testers, policy makers, and possibly a Service Level Agreement (SLA) manager. Risk managers and PaaS operators complete the team.
- Cloud assets include PaaS providers (e.g., Microsoft Azure) and the type of Infrastructure as a Service (IaaS) on which the PaaS runs. The IaaS can be proprietary or open source.
- Data assets include data sensitivity (unclassified and classified), people, business transactions, and other daily operations directly related to the PaaS.
- Administrative assets include documentation, user reference manuals, inventory records, and operational procedures. These assets also include life cycle procedures, disaster recovery plans, user licenses, standards, and a map of SLA relationships to other parties.
- Software assets include applications, testing tools, and a list of logging options.
- Environment assets are concerned with the environmental systems, buildings, backup facilities, air conditioning, heat, and water. You need to be in a comfort zone when you work with a PaaS.
- Hardware assets include company-issued or company-approved personal laptops and mobile devices to remotely access the PaaS. These assets don't cover the underlying IaaS infrastructure of physical servers and networks.
Adversaries identification phase
The next step is to identify who your adversaries might be. Possibilities include private individuals, terrorist groups, and nation states. Adversaries can:
- Passively monitor communications between PaaS developers, testers, policy makers, and business analysts without revealing their presence;
- Use social engineering to steal or access the PaaS hardware assets;
- Flood cloud resources with excessive packets resulting in denial of service to the PaaS;
- Maliciously insert malware into the PaaS failover algorithms; and
- Directly attack the Software Defined Network (SDN) controller that is used to control PaaS network traffic.
Layers of defense phase
You need to present obstacles to chase away the adversaries. Here are tips of setting up each layer.
For passive attacks,
- the first line of defense is traffic flow through secured firewalls within the PaaS.
- the second line of defense is PaaS access controls.
For insider attacks,
- the first line of defense is PaaS physical and personnel security.
- the second line of defense is PaaS access controls.
For close-in attacks,
- the first line of defense is physical and personnel security.
- the second line of defense is technical surveillance countermeasures.
For distribution attacks,
- the first line of defense is trusted development and application deployment.
- the second line of defense is integrity and confidentiality controls.
For active attacks,
- the first line of defense is deployment of nested firewalls, antivirus software, and intrusion detection tools.
- the second line of defense is PaaS user authentication controls and failover mechanisms.
You should periodically review defense-in-depth because new attack types may emerge that require more lines of defense. Also, more cost-effective technologies might become available, and they could change the order of the lines of defense (e.g., from the second line to the first line). Finally, user perceptions change on what obstacles are needed to halt adversaries.
Setting up layers of defense is your best bet for protecting a PaaS. One security mechanism's inherent weaknesses can be overcome with other mechanisms' more effective obstacles to adversaries.
Judith M. Myerson is a Systems Engineering Consultant and Security Professional. She is the editor of Enterprise System Integration and the author of RFID in the Supply Chain. She has researched and published articles on a wide range of cloud computing topics, RFID, security, networking, and mobile. She was awarded a Master of Science degree in Engineering (Computer and Information Sciences). President of a toastmasters group, Judith was awarded her Advanced Communications Gold certificate. She is a member of The Operational Security Professional Association.