How secure is 'Platform as a Service (PaaS)?'

There's no doubt that companies will want to leverage cloud computing and platform as a service, but expert Michael Cobb explains why enterprises should proceed with caution.

Should enterprises be confident in the security of cloud computing or Platform as a Service, like Google App Engine and Microsoft's Azure Services Platform?
The economics of cloud computing, particularly in the current economic climate, do look extremely compelling: on-demand resources, pay-as-you-go pricing, and "infinite" scalability, as some vendors claim. There's no doubt it's here to stay, and enterprises will seek to leverage it in some way. In theory, cloud computing can also lead to reductions in IT staffing levels, as there's not the same need for in-house knowledge to support internal systems or processes. The enterprise instead can outsource part of its infrastructure and leverage the expertise of professional application, platform, infrastructure and service providers.

My advice, however, is to always proceed with caution when assessing the suitability of any new technology for the enterprise, particularly when it comes to security. Personally, I don't feel cloud computing is mature enough yet for enterprises to risk using it for anything more than development and familiarization, and certainly not critical, sensitive internal applications.

Platform as a Service (PaaS) vendors tend to dictate the database, storage and application framework used, so what about those legacy applications? Enterprises will still require the skills and infrastructure to be able to run them. I think it's this need for specialized training combined with security concerns that will see many enterprises start off with internal clouds, built within the security of their own network.

Though not offering the economies of scale of public clouds, internal clouds keep the enterprise in control of security, service levels and regulatory compliance, and can handle old and new applications. They also avoid the cost and disruption of completely restructuring an existing infrastructure. Once enterprises are comfortable with working with an internal cloud, they are quite likely to move to a hybrid whereby both public and internal clouds are used. For mission-critical applications, this will probably take the form of a private cloud where the enterprise has direct control of both clouds under a unified management system.

But this scenario is some ways off. Even the large PaaS vendors such as Google, Microsoft and Salesforce.com have short track records with their products. They need to be treated as you would any version-one product, with particular attention paid to their service-level agreements. For example, Windows Azure platform, Microsoft's cloud computing platform, suffered an outage one weekend in March. Had your enterprise been using the service, how would the outage have affected the organization's ability to conduct business? Alternatively, it would have been Microsoft's responsibility to fix it, not your IT team's (but be careful; your executive team may not see the distinction).

If you're looking for guidance on what uptime you should expect in a service-level agreement, the Cloud Computing Bill of Rights provides a useful checklist of protection with which to benchmark a supplier's offering. This is a wish list, but I think the upcoming National Institute of Standards and Technology (NIST) Cloud Computing Security publication will do a lot to standardize federal-compliant cloud infrastructures.

Once enterprises understand how to meet compliance demands and can control risks within a cloud environment, then cloud-based platforms could well become the obvious choice for enterprises as well as startups. This is why cloud service providers are scrambling to develop enterprise-class controls to give better control and management of resources and data in cloud environments.