What are the security risks that may arise from cloud features such as measured services and rapid elasticity for platform as a service (PaaS) systems?
One of the major benefits of anything living in the cloud is the ability to measure resources and use rapid elasticity to quickly scale as the environment demands. The days of being locked into physical hardware are over, and the benefits of rapid elasticity in cloud computing are attractive to many organizations.
There are some concerns -- stemming more from education about cloud computing -- that an organization needs to be aware of before using these features. Like anything else, the cloud can be deployed securely, but without understanding how to implement these services, an organization can find itself at risk.
With measured services, which are cloud services that are monitored and measured by the provider according to usage, an organization can leverage resource metering to perform particular automated actions. These systems can expand based on thresholds and from an on-demand service model.
As a cloud footprint can swell or deflate with demand, there are multiple security concerns to consider with the fluctuating infrastructure of potential PaaS systems. Managing data in the cloud needs proper policy and configuration to validate its security. This is always a concern, but there are some unique use cases when it comes to cloud security because of the elastic nature of the infrastructure.
Data lifecycles in the cloud can be different than their physical predecessors because systems and applications are more automated. Being able to create, store, use, share, archive and destroy data is now possible on systems that might only be up for a certain period of time. The ability to log the transactions of these systems and applications is something unique to the cloud. The audit of this data and the collection of logs and forensics is also a challenge unique to the cloud.
Performing incident response and forensics in an elastic cloud environment is also something with which organizations should be familiar. Your cloud service provider and the deployment model -- PaaS included -- will determine how incident response is handled. Being able to preserve, collect and analyze data on systems while they're potentially moving can become a challenge if an organization isn't prepared for it.
Many of the security features at this point should be moved toward the workloads, and there should be a policy in place to isolate and contain incidents instead of removing the systems. There are actually many pros to dealing with incidents in the cloud, but it's different than dealing with incidents on a physical network, and might involve a learning curve.
Another thing to look out for regarding the measured services and rapid elasticity of the cloud is the possibility that certain systems could be provisioned in different geographical regions if that is how they're configured. This normally has to be done manually, but it's still a concern when sensitive data might be stored outside the boundaries that clients or customers expect. When building out an infrastructure like this, it's wise to consider what data is moving between these systems and applications and whether there are any privacy implications when it is transferred.
Lastly, as systems are spawned throughout your cloud environment, it's extremely important to use proper configuration management to keep control of the automated systems. The last thing you want is systems built and spawned throughout your infrastructure that increase your risk footprint. Being able to control what's being built and lock it down to a secure standard that limits the damage and decreases the opportunity for attackers to take advantage of an automated environment is key.
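As an added example (not part of the original article), the following Python check audits a constructed inventory of elastically provisioned instances against three of the concerns above: data residency, build baseline and log preservation on short-lived systems. The region names, image identifiers, field names and policy sets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for this example (not from the article).
APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}
APPROVED_IMAGES = {"img-hardened-2024-05"}
SENSITIVE = {"pii", "financial"}

@dataclass(frozen=True)
class Instance:
    name: str
    region: str
    image: str
    data_class: str   # classification of the data the workload handles
    ships_logs: bool  # logs are forwarded off-instance before scale-in
    autoscaled: bool  # created and destroyed by elastic scaling

def audit(inst):
    """Return the list of policy findings for one instance."""
    findings = []
    if inst.data_class in SENSITIVE and inst.region not in APPROVED_REGIONS:
        findings.append("residency: sensitive data outside approved regions")
    if inst.image not in APPROVED_IMAGES:
        findings.append("baseline: built from unapproved image")
    if inst.autoscaled and not inst.ships_logs:
        findings.append("logging: ephemeral instance keeps logs only locally")
    return findings

def audit_fleet(fleet):
    """Map instance name -> findings, omitting compliant instances."""
    report = {}
    for inst in fleet:
        found = audit(inst)
        if found:
            report[inst.name] = found
    return report

# Constructed sample inventory.
FLEET = [
    Instance("web-1", "eu-west-1", "img-hardened-2024-05", "pii", True, True),
    Instance("web-2", "us-east-1", "img-hardened-2024-05", "pii", True, True),
    Instance("worker-7", "eu-central-1", "img-dev-scratch", "public", False, True),
    Instance("batch-3", "us-east-1", "img-hardened-2024-05", "public", True, False),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run on a schedule against the provider's real inventory, a check like this catches instances that scaling has placed or built outside policy before their logs disappear with them.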
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)