Cloud Security Checklist for Your Platform-as-a-Service (PaaS)
by Bart Copeland

Bart Copeland, October 23, 2013

Cloud Security ChecklistSecurity is a primary concern when organizations are ready to develop using cloud based technologies and can even inhibit cloud adoption. Some of the common issues cited include the perceived lack of control using a public cloud, visibility into the cloud or data compliance requirements. For those with compliance or regulatory requirements, it’s absolutely necessary to maintain this control in-house. We find that these organizations set up a private cloud infrastructures as the best way to deal with this. The CIA’s choice to use AWS as its private cloud gives Amazon a big checkmark beside the way they handle security in their infrastructure (if you meet the CIA’s standards, then you must be doing something right). However, cloud security is an issue at every layer of the stack, not just the infrastructure layer. Organizations need to review the security associated with the platform-as-a-service (PaaS) used to build their applications because it is equally important.

Here are some key questions to ask the vendor when evaluating the security of a private PaaS:

  • How will my application interact with other applications on the server? Does your PaaS use containerization to separate the applications?


This is one of the most critical questions you need an answer to.  While there are other methods for isolating applications on a cloud, Stackato uses Linux containers to ensure that our customers’ applications are secure. Linux containers allow users to deploy their applications in a safe and secure way, knowing that one application cannot interact with any other on the PaaS unless it is specifically allowed to.  Your application is completely isolated—it can only see your application’s files and processes. If someone is trying to access your application, the container’s isolationist nature prevents it from being breached. Of course, if you want your applications to interact there are ways to allow these connections using the RabbitMQ messaging service (there's also an ActiveMQ plugin), the Harbor port service, or shared data services.


  • Have third-parties performed penetration tests on your platform? What was the outcome?


The majority of our customers are Fortune 500 organizations with traditional IT security departments. Before those organizations are allowed to go into production with Stackato, their security team needs to do in-depth penetration testing and sign off on the platform. While security professionals will arguably always find some issues with anything they test, the important thing is how quickly those potential vulnerabilities are mitigated and rectified.


  • What are your procedures for security updates?


Security issues are taken very seriously at ActiveState. We provide an RSS feed for Stackato  patches through our community website, and proactively notify our customers when a security-related fix is available. The 'kato patch' command makes it easy to apply updates to Stackato, and upstream updates to the OS can be safely applied using standard Ubuntu tools. Since the containers used in Stackato are cloned from a template, we've created a special upgrade script to make upgrading easier.  


  • How does your PaaS prevent users from getting root access to the container?


There are security measures inherently associated with the Linux containers, but in Stackato we also have a backup. Linux containers use namespace isolation, so a user never has full root privileges to it. The application only has access to the processes that has been assigned to it.  However, Stackato also provides users with additional security. Each container also runs  AppArmor (an alternative to SELinux) to provide  an extra layer of security.  


  • How do I know a malicious bug in one of the containers won’t take up too much memory and  bring down my server?


One of the key benefits of Stackato is that it provides you with complete resource control over each container.  Your applications will get their share of CPU and no single one can use up more RAM than it has been allotted.  You don’t need to worry about malicious or poorly designed applications causing resource issues that could result in costly downtime.  You set the limit and the application stays within it.

Cloud security at each level of the stack needs to be evaluated to ensure that it maps on to an organization’s security requirements. For more information about Stackato security, you can watch the webinar A Secure Cloud with Stackato Private PaaS.

Title image courtesy of Oliver Tacke on Flickr under Creative Commons License.

[White Paper: Cloud Security with Stackato]

Subscribe to ActiveState Blogs by Email

Share this post:

Category: stackato
About the Author: RSS

Bart Copeland is our CEO and president. He's passionate about ensuring that everyone at ActiveState has a lot of fun while solving complex problems with applications that provide real benefit to our customers. He holds an MBA in Technology Management from the University of Phoenix and a Mechanical Engineering degree from the University of British Columbia.