To sidestep the security problems of infrastructure-as-a-service (IaaS), many security-conscious enterprises use a simple measure: encrypt objects before they enter the cloud. Unfortunately, this is not an adequate solution for the security problems of platform-as-a-service (PaaS).
PaaS provides an environment for accessing and processing data. In a PaaS environment data is read, modified and stored, which means it has to be decrypted and re-encrypted inside the platform; that is where the key-management problems begin.
Encryption is therefore only a small part of the PaaS security challenge. This article looks at the security issues enterprises should consider before signing contracts with PaaS providers.
PaaS security challenges: Data Location
PaaS provides the software development environment plus storage for result output and files. The platform is not a single host but a cluster of hosts, which means your data is not confined to a particular slice of a particular machine. This lack of a single location is itself a security challenge: one location is easier to secure than many.
PaaS is expected to reduce software development costs by providing development tools and environments: software, storage areas and the necessary work spaces. The PaaS environment gets its efficiency and resilience by replicating data.
Replicated data gives developers and users high availability. The catch is deletion: when data is "deleted", usually only the pointer (the metadata reference) is removed, while the replicated blocks remain until they are eventually overwritten. Data residue is therefore spread across the cluster just like live data, with the difference that its exact location is unknown, which makes the residual risk hard to assess and hard to remediate.
PaaS security challenges: Privileged Access
One of the popular PaaS features advertised is built-in debugging. Software developers use a debugger to find problems in code: debugger access to data and memory locations lets them step through code and change values one at a time to test different outputs. Debugging is thus a form of privileged access. It is a tool developers need badly, and so do attackers.
Another perceived advantage of PaaS is that the enterprise no longer has to negotiate the balance between security and programmer privileges itself. Programmers generally want to work in a privileged environment and simply ask for full access rather than working through which privileges are actually needed. By moving development into a PaaS environment, the enterprise hands this sensitive issue to the cloud service provider. That is obviously no guarantee of the safest or best solution, but the operational responsibility is transferred, even if accountability for the result is not.
PaaS security challenges: Distributed Systems
PaaS file systems are usually highly distributed. A popular implementation is the Hadoop Distributed File System (HDFS). In HDFS the NameNode manages the namespace (the file-to-block mapping) separately from the DataNodes that hold the blocks. The nodes can be configured independently, but a cloud service provider (CSP) runs clusters and will almost certainly standardise the configuration, so a weakness in one node's configuration is likely to be repeated on all of them. By default HDFS exposes its web interfaces on TCP ports 50070 (NameNode), 50075 (DataNode) and 50090 (Secondary NameNode); these are the Hadoop 1.x/2.x defaults, and Hadoop 3 moved them (the NameNode UI to 9870, for example). Each of these ports is an attack vector: anything that can reach them can feed them malformed input in an attempt to cause failures or denial of service, and a NameNode UI without authentication additionally lets an attacker browse the file system.
In addition, MapReduce (v1) requires TCP ports 50030 (JobTracker web UI) and 50060 (TaskTracker web UI) to be reachable. Further ports must be open for the RPC and data traffic between the NameNode, DataNodes, Backup Node, JobTracker and TaskTrackers, for example the NameNode RPC port (8020 by default) and the DataNode data-transfer port (50010). Since these are used for operations and management, they too are potential attack vectors.
Potential attack vectors are not vulnerabilities in themselves, but they mark an area that must be analysed before committing to a PaaS architecture. A proper assessment of traffic flows, and of the security mechanisms protecting them, is the minimum requirement. The CSP should be able to provide the necessary controls, but it is the customer's responsibility to verify that it actually does.
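The check the last paragraph calls for can be partly automated. The script below is an added example (not code from the original article): it parses `nmap -oG` grepable output from a scan run against the cluster hosts, flags every Hadoop 1.x/2.x default port found open (the five web UI ports listed above plus the NameNode RPC port 8020 and the DataNode data-transfer port 50010, which are the same-vintage defaults), and offers a live TCP-connect probe for running the same check from a tenant VM. The host names, addresses and the scan output are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag default Hadoop 1.x/2.x service ports that are reachable on cluster hosts.

Added example, not part of the original article. Hosts and scan output below
are constructed for illustration.
"""
import re
import socket
from typing import Dict, List, Tuple

# Hadoop 1.x/2.x default TCP ports. Hadoop 3 renumbered the web UIs
# (e.g. NameNode UI 9870), so extend this table for newer clusters.
HADOOP_DEFAULT_PORTS: Dict[int, str] = {
    8020: "NameNode RPC (client metadata operations)",
    50010: "DataNode data transfer (block reads/writes)",
    50070: "NameNode web UI (file system browser, WebHDFS if enabled)",
    50075: "DataNode web UI",
    50090: "Secondary NameNode web UI",
    50030: "JobTracker web UI (MapReduce v1)",
    50060: "TaskTracker web UI (MapReduce v1)",
}

_OPEN_TCP = re.compile(r"(\d+)/open/tcp")


def parse_nmap_grepable(text: str) -> Dict[str, List[int]]:
    """Parse `nmap -oG` output into {address: sorted open TCP ports}.

    Only 'Host:' lines that carry a 'Ports:' field are used; the
    'Status: Up' lines and comment lines are skipped.
    """
    result: Dict[str, List[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        address = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        result[address] = sorted(int(p) for p in _OPEN_TCP.findall(ports_field))
    return result


def hadoop_exposure(open_ports: Dict[str, List[int]]) -> List[Tuple[str, int, str]]:
    """Return (address, port, service) for every Hadoop default port found open."""
    findings = []
    for address, ports in sorted(open_ports.items()):
        for port in ports:
            if port in HADOOP_DEFAULT_PORTS:
                findings.append((address, port, HADOOP_DEFAULT_PORTS[port]))
    return findings


def probe_live(host: str, timeout: float = 2.0) -> List[int]:
    """Live check from the vantage point that matters (e.g. another tenant's VM):
    TCP-connect each default port and return those that accept a connection."""
    reachable = []
    for port in HADOOP_DEFAULT_PORTS:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                reachable.append(port)
            except OSError:
                pass  # closed, filtered or timed out: not reachable from here
    return reachable


# Constructed sample of `nmap -oG -` output for three hosts in a tenant network.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 10.0.3.10 (namenode.example.internal)\tStatus: Up
Host: 10.0.3.10 (namenode.example.internal)\tPorts: 22/open/tcp//ssh///, 8020/open/tcp//unknown///, 50070/open/tcp//http///\tIgnored State: closed (997)
Host: 10.0.3.21 (datanode1.example.internal)\tPorts: 22/open/tcp//ssh///, 50010/open/tcp//unknown///, 50075/open/tcp//http///, 50060/open/tcp//http///
Host: 10.0.3.30 (bastion.example.internal)\tPorts: 22/open/tcp//ssh///
# Nmap done
"""

if __name__ == "__main__":
    for address, port, service in hadoop_exposure(parse_nmap_grepable(SAMPLE_SCAN)):
        print(f"{address}:{port}\t{service} is reachable from the scanning host")
```

Run the scan from the network position an attacker would actually have (another tenant, the Internet, a compromised developer workstation), not from inside the cluster; a Hadoop port that is "open" only from the NameNode itself is expected, while one reachable from a tenant VM contradicts the traffic-flow assessment and needs an answer from the CSP.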