Five-step implementation of cloud computing PaaS security

Source: Internet
Author: User
Keywords: Cloud computing security

When it comes to security, the platform as a service (PaaS) model has its own special challenges. Unlike the other cloud computing models, PaaS security requires application security expertise that most companies cannot invest in heavily. This is a complex issue because many companies respond to application-level security risks with a perimeter strategy of infrastructure-level security controls (for example, once the application code is released to production, a WAF is used to mitigate cross-site scripting or other front-end problems that are discovered). This strategy becomes impractical for applications deployed on PaaS, because in PaaS you have no control over the underlying infrastructure.

With PaaS, flexibility comes at the price of control over the underlying computing environment. Like IaaS, PaaS offers nearly limitless design flexibility: you can build almost any application, from social networking sites to intranet sites or CRM applications. Unlike IaaS, however, the "stack" under the application is opaque, which means that the components and infrastructure supporting the application are (by design) a "black box." In other words, as with SaaS, security controls must be built into the application itself; but unlike the application-level security controls that a SaaS provider typically implements for all customers, security controls in PaaS are specific to your application. This means that it is up to you to determine which controls are appropriate and to implement them.

The original article includes a simple diagram comparing the three models from the customer's perspective along three axes: application design flexibility, the share of controls the customer is responsible for, and transparency of the underlying stack.

Organizations that have invested heavily in application security, with fully trained developers and separate development, testing, and production processes, should already be comfortable with PaaS security. Organizations that have not yet made these investments can, to some extent, meet the challenges of PaaS security by following these steps.

Step one: Establish security measures

The fundamental challenge of application security long predates PaaS, so there is considerable research on how to deploy safe and robust applications. One technique that provides direct support is application threat modeling. Good starting points are the OWASP Threat Modeling page and the Microsoft Security Development Lifecycle resource page.

Step Two: Scan network applications

Many companies have already adopted web application scanning: tools that find common security issues such as cross-site scripting (XSS) and SQL injection. An enterprise that has such tools in-house can apply them to its PaaS applications, and many PaaS vendors offer customers a tool with similar functionality for free or at a discount. Companies that want a broader scanning strategy can also use free tools such as Google's skipfish.

Step three: Train the developer

It is critical that application developers fully master the principles of application security. This can include language-level training in secure coding principles for the language the application is written in, as well as broader topics such as secure design principles. Because of developer turnover and mobility, training often has to be repeated regularly and maintained as a routine, so application security training for developers can be expensive. Fortunately, some free resources exist, such as the Texas A&M/FEMA Domestic Preparedness Campus program, which provides free e-learning materials on secure software development. Microsoft also offers free training through Clinic 2806: Microsoft Developer Security Knowledge Training, which is useful entry-level material for starting your own custom program.

Step Four: have dedicated test data

This happens all the time: developers use production data for testing. It is a problem worth understanding properly, because confidential data, such as personally identifiable customer data, can leak during testing, especially when the development or staging environment does not implement the same security measures as production. PaaS makes this more acute, because many PaaS services make it easy to share deployment, test runs, and databases with production in order to simplify deployment. Tools such as the open source Databene Benerator can produce high-volume data that matches the specific structure of your database, and with some adjustment of the data format give you dedicated test data instead of production data. These tools are usually tied to a specific framework, so you need to find one that works in your particular environment.
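The step above calls for test data that matches the database structure without reusing production records. As an added example, not code from the article or from Databene Benerator, the following Python script generates schema-matched synthetic rows and refuses to ship a test dataset that contains any production identifiers; the schema, the "production" rows and the column types are constructed for illustration.

```python
# Added example: generate schema-matched synthetic test data so that the
# development or staging environment never receives production records.
import random
import string

# Hypothetical schema description: column name -> (type, max_length or None)
CUSTOMER_SCHEMA = {
    "customer_id": ("int", None),
    "full_name": ("str", 40),
    "email": ("email", 64),
    "phone": ("phone", 16),
}

# Constructed sample of "production" rows that must never appear in test data.
PRODUCTION_ROWS = [
    {"customer_id": 1001, "full_name": "Ada Example", "email": "ada@example.com", "phone": "+1-555-0100"},
    {"customer_id": 1002, "full_name": "Bob Example", "email": "bob@example.com", "phone": "+1-555-0101"},
]

def _rand_word(n, rng):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))

def synth_value(col_type, max_len, rng):
    """Produce one synthetic value of the requested column type."""
    if col_type == "int":
        return rng.randint(10**6, 10**7)  # id range disjoint from the real ids above
    if col_type == "str":
        return (_rand_word(6, rng).title() + " " + _rand_word(7, rng).title())[:max_len]
    if col_type == "email":
        return f"{_rand_word(8, rng)}@test.invalid"[:max_len]  # reserved TLD, never routable
    if col_type == "phone":
        return ("+0-000-" + str(rng.randint(1000, 9999)))[:max_len]
    raise ValueError(f"unsupported column type: {col_type}")

def generate_rows(schema, count, seed=0):
    """Build `count` rows whose columns and lengths follow `schema`."""
    rng = random.Random(seed)  # deterministic so test fixtures are reproducible
    return [{col: synth_value(t, ml, rng) for col, (t, ml) in schema.items()} for _ in range(count)]

def leaked_production_values(rows, production_rows, sensitive_cols):
    """Return the (column, value) pairs from production that also appear in `rows`."""
    prod = {(c, r[c]) for r in production_rows for c in sensitive_cols}
    return {(c, r[c]) for r in rows for c in sensitive_cols} & prod

def build_test_dataset(schema, production_rows, count=1000, seed=0):
    """Generate test rows and fail closed if any production value slipped in."""
    rows = generate_rows(schema, count, seed)
    leaks = leaked_production_values(rows, production_rows, ("email", "phone", "customer_id"))
    if leaks:
        raise RuntimeError(f"test data contains production values: {sorted(leaks)}")
    return rows
```

The leak check is the part worth keeping even if you switch generators: run it against the real production extract before any dataset is loaded into a shared PaaS test database.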

Step five: Readjust priority

This last step is one of the most important you can take. Because PaaS may require a shift in culture and priorities, accept that shift and build it into how your organization thinks and operates. With PaaS, everything is about the application, which means the organization's security will depend heavily on its development team. Handled poorly, this becomes a nightmare, because at the infrastructure level you cannot implement measures to mitigate the risks you identify. If you have been relying on infrastructure-level controls to meet application-level security challenges, it is time to reconsider.
