Software as a Service has password issues. Platform as a Service has encryption issues. Infrastructure as a Service has rogue user issues

According to Joe McKendrick, the three cloud models (SaaS, PaaS and IaaS) carry very different kinds of risk: “Software as a Service has password issues. Platform as a Service has encryption issues. Infrastructure as a Service has rogue user issues”.

 

SaaS Risks:

The biggest issue in the SaaS model of cloud computing is password management. Since SaaS delivers applications from the cloud, the main risk is likely to stem from multiple passwords accessing applications. Other risks that must be considered are:

 

  1. Data security: one company's data co-mingled with other businesses’ data.
  2. Lack of federated identity management: because employees hold multiple identities at multiple SaaS providers, an employee’s access cannot be shut off automatically following termination.
  3. Lack of strong service level agreements (SLAs) and contracts that hold people accountable should something happen.
  4. Lack of interoperability among vendors (vendor lock-in): puts companies at risk if the SaaS provider goes out of business or is acquired by a competitor. Switching costs could be high.
  5. Web application and infrastructure vulnerabilities.
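The deprovisioning gap in item 2 can be checked by reconciling the HR roster against account exports from each SaaS provider. This is an added example, not part of the original post; the provider names, CSV layout and sample records are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: HR roster and per-provider account exports.
HR_ROSTER = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-03-01
carol@example.com,terminated,2024-05-20
"""

SAAS_EXPORTS = {  # hypothetical provider names
    "crm": """login,enabled,last_login
Alice@Example.com,true,2024-06-01
bob@example.com,true,2024-04-15
""",
    "storage": """login,enabled,last_login
bob@example.com,false,2024-02-20
carol@example.com,true,2024-05-10
dave@example.com,true,2024-06-02
""",
}


def find_orphaned_accounts(hr_csv, exports):
    """Return (provider, login, reason) for enabled accounts lacking an active employee."""
    roster = {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for provider, export in sorted(exports.items()):
        for acct in csv.DictReader(io.StringIO(export)):
            if acct["enabled"].strip().lower() != "true":
                continue  # already disabled at this provider
            login = acct["login"].strip().lower()
            person = roster.get(login)
            if person is None:
                # Account with no matching HR identity (shared or forgotten account).
                findings.append((provider, login, "unknown-identity"))
            elif person["status"] == "terminated":
                left = date.fromisoformat(person["termination_date"])
                used = date.fromisoformat(acct["last_login"])
                # A login after the termination date means the access was actually used.
                reason = "used-after-termination" if used > left else "still-enabled"
                findings.append((provider, login, reason))
    return findings


if __name__ == "__main__":
    for finding in find_orphaned_accounts(HR_ROSTER, SAAS_EXPORTS):
        print(*finding, sep="\t")
```
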

 

PaaS Risks:

In PaaS the number one issue is data encryption. PaaS can be inherently secure, but the risk is slow system performance, because data encryption is recommended before data is sent to PaaS cloud providers. Other risks that must be considered are:

 

  1. Business continuity planning and disaster recovery with the PaaS vendor.
  2. Lack of a secure software development process at the PaaS vendor.
  3. Vendor framework lock-in.
  4. Lack of adequate provisions in the SLA.
  5. How to meet compliance demands and control risks when working with a PaaS vendor.

 

IaaS Risks:

In IaaS the most important issue is rogue users. IaaS focuses on managing virtual machines, and the risks are little different than with other cloud types; here, the main risk is rogue or unwarranted commandeering of services. IaaS requires governance and usage monitoring: enterprises should establish cloud service governance frameworks that help prevent employees from accessing information or services they are not permitted to use. Other risks that must be considered are:

 

  1. If a business's mission-critical application is hosted in an IaaS environment, downtime due to a man-made or natural disaster could introduce significant business risks.
  2. Physical security of the IaaS environment.
  3. The service level agreement.
  4. Compatibility of IaaS with internal legacy infrastructure.
  5. Regulatory compliance.

 

 

- Camilo Ferran

 

www.zdnet.com

www.owasp.org

 

Creative Commons License
Sma4rt Cloud Blog by Sma4rt Cloud is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Based on a work at sm4rtcloud.tumblr.com .
Permissions beyond the scope of this license may be available at http://creativecommons.org/.