The future of PaaS security

In the world of PaaS security, it's clear: architecture is key. If we consider the vulnerabilities seen with major cloud providers in recent years, IaaS has a better track record compared to PaaS. Of course, there were a few missteps, like the AWS IMDSv1 issue leading to the Capital One incident, but mostly, IaaS has held up well. Why is that? There are two main reasons:

1. VM isolation is deeply rooted in the robust design of the seventies, when the theory of hypervisors was formalized an proven.
2. computers are very complex, but IaaS is a relatively simple concept: the degrees of freedom are "small", the focus area are limited (memory, processor, devices).

As long as cloud providers don't depart too much from these foundations, they are in a position to harden PaaS properly, meaning cross-tenant violations are easy to identify and prevent.

But we must keep in mind that, in the Cloud model, there is room for a VERY large continuum of services standing between IaaS and SaaS: as it turns out, PaaS is a melting pot, and that is the core of the problem.

PaaS security trajectory

PaaS security's trajectory is directly tied to the evolution of its foundational architecture:

1. The broader the design spectrum, the more openings there are for hidden and intricate risks. Overloading with too many choices can hinder the providers' ability to effectively model-check their PaaS.
2. The more a service leans towards the abstract, verging on SaaS territory, the higher the probability of intricate risks creeping in. SaaS has been notoriously challenging to fortify in terms of both security and compliance.

As Public Clouds become more mature, innovations slow down, starting from the lowest layers (IaaS) and slowing impacting the PaaS continuum.

Competitive advantages grow thin.

The market settles down.

This is very clear if we look at the announcements made by AWS and Azure during the last three or four reInvent and Ignite.

Consequently, there is going to be a big temptation from Cloud providers to find other growth vectors. For me, it means closing in to SaaS. Cloud providers are going to shift to the right of the PaaS continuum.

The last thing PaaS security needs is to tread down the SaaS path.

Architecture security

This is where security architecture will play a critical role, because, as we explained, shift-right will inevitably bring a lot of abstraction and a lot of complexity to PaaS core designs. Some of this complexity will "spill" to the customer domain: like climate change, PaaS complexity is already visible today:

• Confidential computing is right-shifting from IaaS to PaaS. Many extreme dangers related to confidential containers are awaiting a proper handling. Kata containers help, but in my opinion we are far from seeing a confidential computing Kubernetes cluster production ready.
• Azure Synapse workspaces are a typical example of a quasi-SaaS, extremely integrated and hetereogenous.
• Azure CosmosDB Jupyter notebooks is another example of a quasi-SaaS.
• BaaS (blockchain as a service) is an example of an ill-categorized service. It is marketed and operated as SaaS, but should be a PaaS. This illustrate the thin margin between PaaS and SaaS at the rightmost end of the Cloud model continuum.

Takeaways

The Cloud shared responsibility model could be shaken as more quasi-SaaS services are made generally available: providers will be put under high pressure for keeping the highest standards of isolation, and customer will be put under high pressure by the costly challenge of securing integration of quasi-SaaS into their PaaS environments.

Cloud providers' and cloud customers' security architects will play an instrumental role in letting security scale with complexity and in keeping IT risks under control.