Today Heroku, a Ruby platform-as-a-service which was recently acquired by Salesforce.com, disclosed a serious security issue. The vulnerability has been fixed, and there is no evidence that it was ever exploited.
Earlier this week, NodeFu had its databases deleted when admins revealed its CouchOne password on Github. Missteps by PaaS providers leave customers at risk and jeopardize the reputation of the public cloud.
Is it time for a PaaS security certification standard?
First of all, credit where credit is due. The Heroku security issue was discovered by David E. Chen, the founder of Heroku competitor Duostack. Chen notified Heroku and didn’t disclose the issue on his own blog until Heroku issued a statement about it. Heroku also deserves credit for publicly disclosing the issue.
I’ve written before that the public cloud can be more secure than on-premise solutions. That still holds true. But no solution offers perfect security, as these incidents demonstrate. Infrastructure-as-a-service gives customers more control over their data. There are government standards for software-as-a-service that private companies can also use to assess the security of a service. PaaS customers usually have less transparency into how the system works than IaaS customers, but more power (and therefore more room for error) than SaaS customers. Although providers should be responsible for customer’s security, Chen notes that customers shouldn’t be helpless when it comes to their own security on platforms:
Take security into your own hands. Users should be responsible for verifying that their providers meet their needs. Ask questions. Ultimately, you are responsible for your app and it’s up to you to find out what your provider really does for your app’s security behind the shallow promises of marketing materials.
That’s a good starting point, but what questions should be asked? If PaaS really is the future, as we’ve predicted, then we’re going to need some some good questions.
One particular question to ask is suggested by Chen: how are users partitions segmented from each other? Chen writes:
There are two strategies for providers to partition the resources for each user I would like to discuss: virtualization, or operating system/runtime privileges. In the first, each user is provided with a contained copy of what appears to be a complete machine dedicated to their use. In the latter, many users share one machine (which may be virtualized itself). Heroku has chosen the latter approach, though this is likely not apparent to many users.
That’s a good starting point. However, “Have you ever posted your database password in Github?” is probably not going to be a helpful question. There are still going to be slip-ups, and gauging a providers reputation and security procedures is going to be increasingly important. What if there was a way for providers to receive certification? A set of best practices for PaaS security, along with an independent auditing organization, could be just the thing the industry and its customers need right now.
Image credit: Bichuas (E. Carton)
