boscorelli - Fotolia

Are PaaS database applications more secure than IaaS applications?

Choosing between a platform as a service database and an infrastructure as a service database when it comes to large amounts of data can be challenging. Expert Dan Sullivan explains the security factors to keep in mind.

While AWS has products that work with Internet of Things (IoT) applications, I've read that PaaS database architectures may be the better way to go when large amounts of data are involved. What are the security implications of PaaS database applications, and when would it be advisable to use them for IoT applications?

There are core security implications of using a cloud-based database that are common across infrastructure as a service and platform as a service; two important differences are the shared responsibility for security in the PaaS model, and question of cotenancy in PaaS databases.

Anytime you move an application to the cloud, you will be sharing security responsibility with a cloud provider. For example, if you manage your own databases on AWS EC2 instances, you will rely on AWS to provide physical security and implement access controls. As a customer of IaaS, you will be responsible for securing operating systems and specifying authorizations for users. When working with PaaS, more responsibility is shifted to the PaaS provider.

PaaS providers will presumably manage database security controls. Specifically, the vendor would secure servers, database applications, files and other storage mechanisms. This is an advantage for IoT application developers who can focus more on application features and analytics than database administration.

When using a PaaS database, you may want to consider how data is stored with respect to other PaaS user data. For example, if a key value database is used, data may be stored in a single logical database. In this scenario, the PaaS application would have to include a customer-specific identifier with each key to avoid collisions with other customers' data. If a relational database is used to store application specific data -- such as sensor readings from a car, then PaaS providers might use a single database and partition based on customer ID. A key question for PaaS customers is "how is data stored with respect to other customers' data and does that mechanism create potential vulnerabilities for others to access a customer's data?"

Multi-tenancy is also an issue with regards to applications running on virtual servers. Will a single instance of an application receive data from multiple customers? For example, a messaging queue like Kafka or Kenesis could be used to receive data from IoT devices; is it acceptable for you to share a messaging service or do you require your own, isolated input stream?

PaaS providers may offer specialized database services well-tuned for IoT workloads. It is important to understand how multi-tenancy in data loading services, application processing and data storage are implemented.

Ask the Expert:
Have a question about cloud security? Send it via email today. (All questions are anonymous.)

Next Steps

Check out the top 10 database security headaches

Dig Deeper on Cloud Computing Platform as a Service (PaaS) Security