SaaS, PaaS and IaaS: What are all the security risks?

Cloud computing is a transformative technology that offers new layers of automation as well as better use of computing resources. Cloud computing offers many advantages, including scalability, productivity, a reduction in capital spending and technology infrastructure and flexibility, just to name a few. 

However, as you and your customers begin to expand their adoption of software as a service, platform as a service and infrastructure as a service model, organisations need to understand the risk that is introduced as data and resources are moved outside of the enterprise firewall. When implementing any (or all) of these three models, one needs to pay close attention to the security trade-offs for not only data, but also organisational compliance when organisations separate application and information resources form the underlying physical infrastructure. 

• SaaS, sometimes referred to as on-demand software, is a model where software is licensed on a subscription basis and is centrally hosted.

Hackers are increasingly interested in not only breaking into your network but the value of the data they may find there. If the SaaS provider is compromised, data encryption is a good idea to help protect organisational data; however, it will not protect against phishing and malware attacks launched to steal individual user access credentials. Encryption should be considered a “must have” technology; but organisations should remember that it, by itself, is not a panacea. 

Although SaaS providers must provide assurance that they are taking steps to mitigate breach risks, the responsibility for security cannot stop there. Organisations that select SaaS solutions must also share security responsibility and implement internal procedures and processes. This includes education strategies to teach employees how to identify and respond to phishing campaigns, as well as setting company policies around what data should be placed in the cloud and what is better kept within the firewall. Just because an organisation can store their data in the cloud doesn't mean that they should. 

Organisations need to have a conversation with a trusted, knowledgeable partner to understand what (if any) data is best served on-premises, in a hybrid setting, or totally "in the cloud" to understand the business and security consequences of doing so. Setting policies and best practices around what data may or may not need to be stored in the cloud can save numerous headaches, and potential data exposure and loss, later. 

• PaaS allows companies to build, run and ultimately manage Web applications without the infrastructure that is normally required.

Since PaaS is based on the notion of using shared resources (such as hardware, network, and security provisions), security concerns are usually focused on mission-critical information that hackers can obtain during a data breach. If the PaaS tenants have Administrator/’root’, or shell access to the servers running their instances, additional security issues could arise if hackers are able to gain unauthorised access and change configurations. Additionally, security controls and self-service entitlements offered by the PaaS platform could pose a problem if not properly configured. Providers should be able to provide clear policies, guidelines, and adhere to industry accepted best practices. 

Once again, security cannot be solely the PaaS provider responsibility. When selecting a PaaS vendor, consider these crucial issues before final selection: 

• What are the types of encryption used? 
• What are the data independence and availability? (Can you move your virtual machines and all of their data to another provider? Who has access to it? What happens if a cloud instance migrates to another country?) 
• What are the disaster recovery/business continuity protocols? 

• IaaS provides virtualised computing resources over the Internet hosted by a third party. 

The security concerns of IaaS are similar to the concerns of your own data center. Are you protecting sensitive data or intellectual property? Are there compliance standards that need to be met and how are those standards evaluated? Do you need the ability to audit your cloud provider to meet those compliance requirements? What approach does the cloud vendor take in monitoring? 

With IaaS environments, control is the major concern that you need to address. Because you're using a virtualised environment and resources that are not technically yours, weaknesses in the vendor's security can affect your organisation dramatically.

Insufficient due diligence is a top contributor to security risk associated with SaaS, PaaS and IaaS. These security issues are the reason why it is so important to work with a knowledgeable and trusted technology provider. Arrow's enterprise computing solutions business offers a comprehensive portfolio from the world’s leading technology suppliers to solve your customers' most pressing network, computing and security issues. 

Learn how Arrow can help you mitigate your cloud risk.