Information security leaders and professionals are not clear on the differences between platform-as-a-service and software-as-a-service solutions. We need to offer precise information about these differences — otherwise, we merely end up with the troubling issues. The confusion between PaaS and SaaS can have some serious security implications. Are you making a major security mistake with Platform as a service (PaaS)?
Understand SaaS and PaaS — for your security.
Not too long ago — before PaaS was as prevalent as it is now — there was just SaaS. These services mainly delivered various capabilities and applications via the cloud. The SaaS solution is generally well-adopted point solutions. They are managed and run by third-party companies such as Salesforce. The SaaS company takes on the burden of technical issues, storage, and security. SaaS is an out-of-the-box solution, requiring limited IT staff at hand to manage.
Customers increasingly sought more customization options for their offerings, making PaaS a natural evolution of SaaS.
The first major milestone in PaaS history came in 2007. After years as a customer relationship management tool, Salesforce launched Force.com. Force is a platform version that allowed businesses to create custom software. With PaaS, businesses gained the power to write their own code and have complete control over database-driven applications.
The value proposition of PaaS is compelling: If the original version of Salesforce lacks a capability your business needs; with PaaS, you can build it yourself.
Of course, Salesforce wasn’t the only company dipping its toes in the PaaS world. Platforms like Heroku, Amazon Web Services, and Google Cloud have also become major players in the space. By 2013, PaaS had gained major momentum, boasting 2 million apps downloaded on Salesforce’s AppExchange.
With this evolution, businesses could easily integrate social media and CRM data, allowing for unprecedented insights and streamlined processes. Of course, major companies saw the possibilities PaaS offered early in the technology’s history and quickly jumped on the bandwagon, driving even more growth in the platform space.
The critical difference between PaaS and SaaS is that in PaaS, you can build whatever you want.
With SaaS, you’re limited to the features and capabilities that already exist within the program. All you have to do is flip the switch on what capabilities you want to be activated, and you’re off and running. For PaaS to work well for you, you’ll want to know your company’s security policies, know what information you have, and know who can upload and access that information.
Greater Power, Greater Responsibility — Greater Security
PaaS, meanwhile, gives you a lot of control — but that control comes with a lot of responsibility. As you start to build your own complicated systems on top of a platform, you need to ensure you’re carefully controlling access to company and customer information.
One of the more common mistakes businesses make when deploying PaaS is assuming that people who administer the system have a firm handle on who has access to what information in the system.
There’s a misconception that a centralized control mechanism inside the organization oversees what gets built and ensures that it has the appropriate quality and security controls. While Salesforce and similar platforms do have incredibly robust security models that allow businesses to control access in a fine-grained fashion, businesses usually aren’t doing this correctly. It’s simply not happening.
The door to sensitive information can easily be left wide open, inviting nefarious or unintentionally dangerous activity.
This mistake derives from the extreme user-friendly nature of PaaS, particularly Salesforce’s version. Literally, anyone can build an application on it. The blessing and curse of PaaS are that someone like Bob in finance could be building this excellent business-enabling app that, in the old days, would have been developed as an in-house product such as an Access database.
People are getting things done, and it’s great, but Bob might not fully understand the risk of storing information in the cloud. Bob could be sending this database around asking people to populate it with data, thinking everything is excellent and secure because it’s “in the cloud.”
Everyone else trusts Bob and is operating under a mistaken assumption that the security controls are there. Before you know it, you’ve got a huge unsecured database of sensitive information. For example, you might find out later that the application or database is integrated into your website, and customers are typing in their Social Security numbers when asking for help.
Or maybe the database is open to public users — a lot of PaaS novices accidentally allow access to the outside world. Suddenly, you’ve got people logging in and changing their own information. The exposure is unthinkably broad. Not great.
It’s important to remember that PaaS is exceptionally flexible and that because you can do anything with PaaS, people will do anything and everything.
You can totally build amazing workflow processes that could transform your business. But before you forge ahead, you need to take a look at PaaS systems as being under the same scope as any other robust data classification formats you commonly leverage to understand the information in any given system. PaaS needs to fall under the same scope and receive the same consideration you have for all your SQL server databases, your in-house systems, and anything you have running on the cloud, such as infrastructures as a service like AWS or Microsoft Azure.
Bottom line: The applications you build with PaaS won’t necessarily change the strategic posture of your organization, but you do need to think of the technology as being a sophisticated, grown-up system that requires strategic planning and foresight.
Significant Consequences for Getting PaaS Wrong
PaaS takes a complicated process — building software applications — and makes it accessible and straightforward. This is great, except there are a lot of things going on behind the curtain that the average Bob from finance might not be able to appreciate. There are a lot of questions he won’t even know to ask!
The security mistake usually lies in blind spots regarding your security needs and assuming the security controls built into your SaaS applications carry over when using PaaS.
When you have blind spots, you may end up storing data that’s not in line with how you would typically store that type of information. Or maybe you don’t even know what information is in the system and therefore can’t possibly know how to protect it correctly. Or, not to pick on Bob from finance again, but he probably doesn’t even know what the company’s policies are regarding information storage and sharing.
With PaaS, it’s all too easy to store super-sensitive information and then allow everybody in your company to run, export, and save reports that have that information.
Whether you want to call it data leakage or data egress, the security mistake result is the same: Information becomes uncontrollable.
If you don’t know the information you’ve got, and you don’t know how you’re controlling access to it, then you are absolutely at risk for a data breach. And these days with data breaches, it’s a matter of when not if. Just in the first half of 2019, nearly 31 million records were exposed.
No industry or business is immune, and the consequences are genuine and very negative. Picture your data breach appearing in a Wall Street Journal headline big. Sure, most data breaches are caused by hackers and criminals. But they are also just as likely to occur from an internal source because of human error or improper security practices.
Using PaaS responsibly boils down to the idea that knowledge is power. Know your company’s security policies, know what information you have, and know who can upload and access that information. Otherwise, your information will take on a life of its own and will eventually land you in a world of trouble.
Image source: philipp-katzenberger — Unsplash
Chief Product Officer and Technology Leader of RevCult
Pete Thurston serves as chief product officer and technology leader of RevCult, where he’s discovered his passion is really in identifying simple and effective applications of technology to the problems all businesses face.