You shall not PaaS!

The implementation of any connected database or computer system must consider security, first and foremost, and PaaS can be a big help

Each year, data and security breaches make big splashes in the headlines. In 2013, an attack against retail giant Target affected more than 40 million customers. A 2010 attack against the Sony PlayStation Network compromised 77 million accounts. The Identity Theft Resource Center already lists 155 separate breaches in the first quarter of 2016 alone.

The frequency and sophistication of these attacks will only increase. As a result, the implementation of any connected database or computer system must consider security, first and foremost.

Software engineers, developers, and architects, have a prime responsibility to take advantage of every tool available to increase the security of the systems they deploy.  This can seem like a heavy burden, particularly when resources are strained and the threat of an attack seems minimal. It also might feel helpless in the face of highly technical attacks and the persistence of malicious actors.

PaaS offers an important suite of features and tools to help with this task. Indeed, relying on public infrastructure and standardized tools and methodologies is a critical step in protecting your systems from attack.

PaaS software runs in the largest data centers operated by some of the most secure software and hardware available. Before a single line of code is written or deployed, you can count on the robust security that organizations like IBM, Google, Microsoft, and others rely on in those data centers.

At the physical layer, these data centers employ many safeguards: perimeter fencing, employee background checks, custom access control, and other features that are often outside the modest budget of an individual organization. These are backed up with 24/7 monitoring and in-depth auditing capabilities for all physical access to the infrastructure.

The stack of software running the PaaS you deploy on has been built from the ground up to incorporate security at each layer. Google uses custom-built machines and operating systems that exclude unnecessary components and features where vulnerabilities would otherwise be introduced. All of the major cloud vendors utilize powerful industry-standard encryption technology for information in-transit and often at-rest as well. Secure networking, both at the physical and logical layers, round out another tier of security that is an integrated part of any solution we develop on these systems.

Of course, the primary feature of a PaaS deployment is the opportunity and flexibility to develop any app and workload we can imagine. With that power comes the responsibility to integrate sound security practices at the application layer ourselves. PaaS makes this as straightforward and understandable as possible in a number of ways.

Tools to scan for and report on common vulnerabilities such as cross-site-scripting or SQL injection attacks are available, often for free. Amazon Web Services offers a Web Application Firewall to help you secure the traffic to and from your PaaS applications. Taking advantage of these offerings is an easy way to create a layer of application security that doesn't break your budget, nor require highly specialized security training.

Creating a robust user identity and authentication model in your application logic layer is of course a critical layer of security as well. It can be difficult to write a secure user store from scratch, but with PaaS, you have access to comprehensive Identity and Access Management tools.

You can incorporate reliable, well-tested, and highly maintained identity providers like Salesforce,, or Google as your identity provider. Additional features like Microsoft's Azure Active Directory allows you to incorporate Multi-Factor Authentication right out of the box for added security. All of these features come at little to no cost and, like the security above, are relatively trivial to implement.

There is no magical silver bullet to make a secure system, nor is there such a thing as 100 percent security. To secure our data and processes as much as possible requires many layers of redundant security. We thwart attacks by forcing malicious actors to deal with them all in turn.

Public PaaSes perform much of that legwork for us, and the things they cannot implement for us, they offer tools and features that make them as turnkey as possible. Having the PaaS provider as your ally in system protection affords us much greater security than we could achieve on our own.

This article is published as part of the IDG Contributor Network. Want to Join?