/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */

PaaS is intended to enable developers to build their own applications on top of the platform supported by cloud service providers. As a result, it tends to be more extensible than SaaS, at the expense of customer-ready features. In the case of PaaS, it is the responsibility of the universities' system administrators to effectively manage the same level of security measures provided by the cloud providers for protecting the underlying infrastructure components to ensure basic service availability and integrity levels.

1. Logical Access

Unauthorised access to universities' data in the cloud platform should be restricted. One of the best approaches to data access control is using the least privilege rule - i.e. access to particular data shall only be granted to authorised personnel on a need-to-know basis.

Individual users shall be authenticated on their own behalf. The universities are recommended to deploy user-centric authentication method that adopts a single set of credentials at multiple sites.

2. Application Development

PaaS provides a framework of building blocks to construct customised applications based on customers' own needs. Same as IaaS, application development within PaaS environment also require consideration on security throughout the SDLC.

However, since less operational controls can be obtained by PaaS customers, application design and implementation may require additional steps to achieve the same level of security as IaaS counterparts. For example, extra data encryption mechanism shall be implemented with the application logic if secure protocols (e.g. SSL, HTTPS, etc.) cannot be utilised on PaaS platform.

3. Portability and Interoperability

When shifting from IaaS to PaaS, vendor lock-in (dependency) turns out to be a critical security issue if a university may have to change its cloud service provider in the future, portability and interoperability must be considered. With PaaS, the expectation is that certain degree of application modification will be necessary to achieve portability. The focus is minimising the amount of program re-writing while maintaining or enhancing security controls, along with achieving a successful data migration.

When possible, the university shall develop the cloud platform components with a standard syntax and open APIs. The university should also understand:

• What tools are available for secure data transfer, backup, and restore?
• How base services like monitoring, logging, and auditing would transfer over to a new cloud provider?
• What security control functions are provided by legacy cloud provider and how they would translate by the new provider?
• What is the impact on performance and availability of the application when migrating to a new PaaS platform?

References:

[Previous section] [Next section]