There’s something to be said about people with the right focus and experience working every button and lever for you…

Clients frequently like to ask me the “which one is more secure” question about Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).  My answer usually starts with something like “Well, let’s define ‘secure’ for the purpose of your question” and goes into some high level points about how a cloud computing environment could be considered secure if it:

  • Meets your internal policies and/or external regulations across the many domains of security [CISSP domains or Cloud Security Alliance domains are good examples]
  • Has enough transparency and control points to feel confident that you are compliant with those policies and regulations (aka point in time and real-time auditability)
  • Meets your and the ability to know when something goes wrong (from simply being out of policy up through an actual data breach)
  • Has the 500 other things that you could add to this list…

Until recently my opinion has been that IaaS gives you more ability to fiddle and tweak with the system, and as such it is more secure as per the above criteria.  As a user of IaaS and PaaS services, I spend a lot of time making sure that my resources are ‘secure’ before doing anything with them, and perhaps naively assumed that was the norm.

I say until recently because the more I talk to people working on IaaS and PaaS the more I hear them say the phrase “we leave that up to the customer”, and that made a light go off in my head.

The general (enterprise IT) public has at least a few smart security people with a good idea of what it takes to secure things inside their datacenters today; unfortunately, they don’t always have the time, budget or business support to actually get the job done.  When it comes to cloud computing, there are really very few people with a clue right now of how all the pieces come together, what the real threats are, and how you can tie things up to be “secure” (see above definition if you’ve been skimming).

So the end result is that very few IaaS or PaaS customers go much further than installing an image, adding some simple firewall rules and hopefully setting a strong password.  They think the provider is keeping them secure, and the provider thinks the customer is responsible.  This is obviously less than ideal.  The end result is that SaaS, where all you need to do is log in and everything is taken care of for you, gives you an environment that is more secure.  Of course, every SaaS, PaaS and IaaS provider is different; this is an opinion about the concepts, not a particular implementation.

Scott’s Top 5 Reasons SaaS is more Secure than PaaS or IaaS (sorry for the corny quotes)

5.  Born to be wild – SaaS apps and platforms were designed to be exposed, shared and used over dirty networks.  Every i has been dotted and t has been crossed.

4. I’m sorry, Dave. I’m afraid I can’t do that. - One of the great things about IaaS is that you can make it do virtually anything you want, even if it exposes all of your data.  Not on SaaS!

3. Another Brick in the Wall – The thicker the SaaS wall is, the less of the infrastructure can be accessed.  Security by obscurity, isn’t – but security by unavailability, is.

2. I am Iron Man – Having super smart security nerds focused on every layer of the solution in SaaS environments is very different from the collection of random components that you jumble together to get your enterprise apps running on an IaaS platform.

1. Leave the driving to us - The bottom line is that SaaS providers force you to use a secured, well thought out implementation of a shared software platform.  The lack of control, which is what bothers most security people, is what actually makes SaaS more secure.  The analogy that flying is safer than driving, but freaks many more people out, really holds true here.  Could you bring your car to a safe stop after blowing a tire on the highway while being distracted by a cell phone, crying baby, the radio, etc.?  Capt Sully landed a jet on the Hudson River!  There’s something to be said about people with the right focus and experience working every button and lever for you, and it is something to keep in mind as you plan out how and where you will take advantage of cloud computing.

Follow Scott’s ramblings on twitter: @scottsanchez

 

2 Responses to “5 Reasons Why SaaS Security > PaaS Security > IaaS Security”

  1. [...] a previous post I discussed my opinion on why SaaS is the most secure option right now, better than PaaS and IaaS.  The short version is that because security is forced on you [...]

  2. Matthias says:

    The different models – SaaS/PaaS/IaaS – vary in the degree of control they give to the user, but don’t allow general conclusions about security.
    I would rather say it largely depends on the provider. There are lots of sh*tty SaaS providers on the Internet that don’t get security right…
