PaaS security practices
In the cloud, security is a shared responsibility between the cloud provider and the customer. The PaaS customer is responsible for securing its applications, data, and user access. The PaaS provider secures the operating system and physical infrastructure.
Below are seven PaaS security best practices for ensuring an organization's data and application security in the cloud.
- Research the provider's security. Only 8% of the 25,000 cloud services in use today meet the data security requirements defined in the CloudTrust Program, according to the 2019 McAfee Cloud Adoption and Risk Report. Only 1 in 10 encrypt data at rest, and just 18% support multifactor authentication. Ask about the provider's security patch management plan, and ask whether it uses updated security protocols. Check the security procedures for employee access to IT systems and the physical facilities. Ask whether the provider has an incident response plan for when a security breach does occur, as well as a disaster recovery plan for when the entire system goes out of service. If the PaaS service goes down, what happens to the applications and data running on it?
- Use threat modeling. The majority of security flaws are introduced during the early stages of software development. Security-conscious developers can identify and fix potential flaws in the application design by using threat modeling practices and tools. The Open Web Application Security Project (OWASP) has information on threat modeling, and Microsoft offers a free threat modeling tool and information.
- Check for inherited software vulnerabilities. Third-party platforms and libraries often have vulnerabilities. Developers can inherit them if they fail to scan for these potential liabilities.
- Implement role-based access controls. Role-based identity and access management helps ensure that developers and other users can access the resources and tools they need, but not other resources.
- Manage inactive accounts. Unused accounts provide potential footholds for hackers. Deprovision former employee accounts and other inactive accounts. Hackers look for people who have recently left or joined companies—LinkedIn is a great source for that—and take over the accounts. Also, lock root account credentials to prevent unauthorized access to administrative accounts.
- Take advantage of provider resources. Most major PaaS providers offer guidelines and best practices for building on their platforms. Many also provide technical support, testing, integration, and other help for developers.
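One way to carry out the inactive-account review described under "Manage inactive accounts", as an added example that is not part of the original article. The inventory format, column names, and 90-day idle threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; the column names are assumptions,
# not any provider's actual export format.
SAMPLE_INVENTORY = """\
account,type,enabled,last_login,hr_status,active_access_keys
alice,user,true,2024-05-28,employed,1
bob,user,true,2023-11-02,employed,0
carol,user,true,2024-05-30,terminated,2
dave,user,false,2023-01-15,terminated,0
svc-build,service,true,,employed,1
root,root,true,2024-04-01,n/a,1
"""

MAX_IDLE_DAYS = 90  # assumed policy threshold


def audit_accounts(inventory_csv, today, max_idle_days=MAX_IDLE_DAYS):
    """Return {account: [findings]} for enabled accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, so it cannot be taken over
        issues = []
        if row["hr_status"] == "terminated":
            issues.append("former employee account still enabled")
        if not row["last_login"]:
            issues.append("enabled but no recorded login")
        else:
            idle = (today - date.fromisoformat(row["last_login"])).days
            if idle > max_idle_days:
                issues.append(f"idle for {idle} days")
        # Assumed reading of "lock root account credentials":
        # the root account should hold no active access keys.
        if row["type"] == "root" and int(row["active_access_keys"]) > 0:
            issues.append("root account has active access keys")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_INVENTORY, date(2024, 6, 1))
    for account, issues in report.items():
        print(f"{account}: {'; '.join(issues)}")
```

Joining the identity inventory against HR status catches accounts such as `carol` that are recently active yet belong to someone who has left, which an idle-time check alone would miss.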
PaaS security solutions
Organizations can deploy their own security technologies to protect their data and applications from theft or unauthorized access. Three important cloud security solutions are cloud access security brokers, cloud workload protection platforms, and cloud security posture management.
- Cloud access security broker (CASB). CASBs, also called cloud security gateways (CSGs), provide a variety of security services, such as monitoring for unauthorized cloud services; enforcing data security policies including data loss prevention (DLP); restricting access to cloud services based on the user, device, and application; and auditing cloud configurations for compliance and risk.
- Cloud workload protection platforms (CWPP). Unsecured workloads and containers offer cybercriminals a path into the cloud environment, so cloud workload protection platforms discover and monitor the containers and workload instances. CWPP services also apply malware protection and simplify security management across multiple PaaS environments.
- Cloud security posture management (CSPM). A security posture manager continuously audits the cloud environment for security and compliance issues and provides manual or automated remediation. Increasingly, CASBs are adding CSPM functionality.
Cloud security continues to improve with new advancements in architecture and security technology. As an example, the advent of containers, which package individual applications and their dependencies, helps make PaaS development more secure by isolating individual application instances from vulnerabilities in other applications on the same server.
As more enterprise applications move into the cloud, more developers will be using PaaS to create cloud-native applications and to cloud-enable on-premises applications. To minimize the risk of cyberattacks, data breaches, and other security incidents, IT managers should follow application security best practices and implement up-to-date, advanced cloud security technologies.