Secure what you put into the cloud, pt. 3

PaaS includes services such as Force.com for developing and running cloud-based applications. Regardless of how an application is developed, its runtime security is much the same once it is deployed in the cloud, so in terms of network, application and data security PaaS is very similar to IaaS.

On the other hand, PaaS is unique in that integrating security, data, process or management functionality requires infrastructure services that connect PaaS applications back to on-premise systems. For example, applications developed in the cloud should not build their own identity silos there. Instead, they should consume identity, policy and entitlement data from the on-premise identity management systems. (In other words, developers need an account service in the PaaS that surfaces identity data from the corporate directory rather than a separate user store.)

Leading PaaS providers offer a library of standard infrastructure services, but the back-end integrations that connect these services to on-premise systems remain the enterprise's responsibility. To integrate on-premise infrastructure services with a PaaS securely, you will need to:

  • Create cloud-ready REST-style APIs in front of existing SOAP-based web services (or Java API, JMS, MQ, PL/SQL or other legacy interfaces). Use technology such as an API gateway to create, manage, deliver and secure these APIs so they can be safely exposed to the PaaS.
  • Deploy an API gateway as a broker at the edge of the PaaS cloud to mediate the security and protocol requirements between the PaaS applications and the on-premise API sources.
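The mediation step above, as an added example that is not code from the original post or from any vendor's gateway product: a minimal gateway handler that exposes a legacy SOAP operation as a JSON resource, checks the caller's entitlement against directory data instead of a PaaS-local user store, whitelists the fields it will forward, and maps SOAP faults to a generic error so backend detail does not leak to the cloud side. The service namespace, the `GetAccountBalance` operation, the entitlement table and the fake backend are all constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:accounts"          # constructed namespace of the legacy SOAP service
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("acc", SVC_NS)

# Constructed stand-in for entitlement data served from the corporate directory.
# The PaaS application holds no copy of it; the gateway consults it per request.
ENTITLEMENTS = {
    "alice": {"accounts:read"},
    "bob": set(),
}

# Only these JSON fields are forwarded to the backend; anything else is rejected.
ALLOWED_FIELDS = {"accountId"}


class GatewayError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def build_soap_request(body):
    """Translate a JSON body into a SOAP 1.1 envelope for GetAccountBalance.
    Building elements (rather than formatting strings) makes the XML escaping
    safe; the alphanumeric check keeps the field from carrying markup at all."""
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise GatewayError(400, "unexpected fields: %s" % sorted(unexpected))
    account_id = body.get("accountId")
    if not isinstance(account_id, str) or not account_id.isalnum():
        raise GatewayError(400, "accountId must be alphanumeric")
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    soap_body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    op = ET.SubElement(soap_body, "{%s}GetAccountBalance" % SVC_NS)
    ET.SubElement(op, "{%s}AccountId" % SVC_NS).text = account_id
    return ET.tostring(env, encoding="utf-8")


def parse_soap_response(xml_bytes):
    """Map the SOAP response back to JSON-style data, hiding fault detail."""
    root = ET.fromstring(xml_bytes)
    if root.find(".//{%s}Fault" % SOAP_NS) is not None:
        # The caller in the PaaS gets a generic error, not the backend's fault text.
        raise GatewayError(502, "backend error")
    balance = root.find(".//{%s}Balance" % SVC_NS)
    currency = root.find(".//{%s}Currency" % SVC_NS)
    if balance is None or currency is None:
        raise GatewayError(502, "malformed backend response")
    return {"balance": balance.text, "currency": currency.text}


def handle_rest_request(user, method, body_json, backend):
    """Gateway entry point for POST /accounts/balance: enforce the entitlement
    from the directory, mediate JSON to SOAP, and return (status, json_dict)."""
    if method != "POST":
        return 405, {"error": "method not allowed"}
    if "accounts:read" not in ENTITLEMENTS.get(user, set()):
        return 403, {"error": "not entitled"}
    try:
        body = json.loads(body_json)
        if not isinstance(body, dict):
            raise GatewayError(400, "body must be a JSON object")
        return 200, parse_soap_response(backend(build_soap_request(body)))
    except json.JSONDecodeError:
        return 400, {"error": "invalid JSON"}
    except ET.ParseError:
        return 502, {"error": "malformed backend response"}
    except GatewayError as e:
        return e.status, {"error": str(e)}


def fake_backend(soap_req):
    """Constructed stand-in for the on-premise SOAP service."""
    acct = ET.fromstring(soap_req).find(".//{%s}AccountId" % SVC_NS).text
    if acct == "A1":
        return (
            '<soap:Envelope xmlns:soap="%s" xmlns:acc="%s"><soap:Body>'
            '<acc:GetAccountBalanceResponse><acc:Balance>120.50</acc:Balance>'
            '<acc:Currency>USD</acc:Currency></acc:GetAccountBalanceResponse>'
            '</soap:Body></soap:Envelope>' % (SOAP_NS, SVC_NS)
        ).encode()
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
        '<faultcode>soap:Server</faultcode><faultstring>no such account</faultstring>'
        '</soap:Fault></soap:Body></soap:Envelope>' % SOAP_NS
    ).encode()


if __name__ == "__main__":
    print(handle_rest_request("alice", "POST", '{"accountId": "A1"}', fake_backend))
```

The point of doing the authorization check and the field whitelist in the gateway, not in the PaaS application, is that the application never needs a copy of the directory and the legacy service never sees a request shape it was not written for.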


Secure what you put into the cloud, pt. 2

IaaS includes services such as Rackspace and Amazon EC2. In contrast to SaaS, enterprise IT has complete ownership of which applications are deployed in an IaaS environment, and a good degree of flexibility in securing them at the edge of the cloud. Start with a micro-perimeter that can be deployed in the cloud, spun up and down elastically, and that protects REST/JSON-style APIs.

For IaaS environments accessed exclusively via VPN, you can treat cloud applications like on-premise applications. But instead of deploying an agent as the policy enforcement point (PEP) inside each application, use an API gateway as a proxy-based PEP: one enforcement point in front of many applications scales better and keeps policy decisions out of the application code. If your applications need to be accessible to third parties, consider a federation model instead of requiring VPN access.
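The proxy-based PEP and the federation alternative, as an added example that is not code from the original post or from any gateway product: a gateway that holds one policy table for several IaaS-hosted applications, verifies a signed token issued by the on-premise identity provider (so no VPN is needed for the caller to prove who they are), and makes the allow/deny decision before anything reaches an upstream. The token format (base64 JSON plus an HMAC-SHA256 over it), the shared key, the route table, the upstream addresses and the sample users are all constructed for illustration; a real deployment would use SAML or JWT and verify against the issuer's published key rather than a shared secret. The example goes a little beyond the text by also showing default deny for unknown paths and rejection of a token whose claims were altered after signing.

```python
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-shared-secret-not-for-production"   # shared with the on-premise IdP
GATEWAY_AUDIENCE = "iaas-gateway"

# One policy table for every application behind the gateway, in place of an
# agent embedded in each one. Values: the upstream and the groups entitled to it.
ROUTES = {
    "/billing/":   {"backend": "10.0.1.10:8080", "groups": {"finance"}},
    "/inventory/": {"backend": "10.0.1.11:8080", "groups": {"ops", "finance"}},
    "/admin/":     {"backend": "10.0.1.12:8080", "groups": {"admins"}},
}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, groups, ttl=300, now=None):
    """What the on-premise IdP does: sign the user's claims so the gateway,
    which sits outside the corporate network, can trust them without a VPN."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "groups": sorted(groups), "aud": GATEWAY_AUDIENCE,
              "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if signature, audience and expiry check out, else None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != GATEWAY_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def enforce(path, headers, now=None):
    """The PEP decision for one request: (status, upstream_or_None, subject_or_None)."""
    route = next((r for prefix, r in ROUTES.items() if path.startswith(prefix)), None)
    if route is None:
        return 404, None, None           # default deny: unknown paths are never proxied
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None, None
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, None, None
    if not route["groups"] & set(claims.get("groups", [])):
        return 403, None, claims.get("sub")
    # Forward to the upstream with the verified subject; the application trusts
    # only what arrives from the gateway, so it needs no enforcement agent itself.
    return 200, route["backend"], claims.get("sub")


if __name__ == "__main__":
    token = issue_token("alice", {"finance"})
    print(enforce("/billing/invoices", {"Authorization": "Bearer " + token}))
```

Adding an application behind this gateway is one more entry in the route table; nothing is installed in the application, and the groups used for the decision come from the on-premise identity provider rather than from a user store kept in the cloud.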

For data security, on-premise DLP technology can work equally well for IaaS applications if it is made available as a standardized service that can be provisioned automatically alongside the application.
