Cloud PaaS through the lens of open source – opinion

Opinion piece by Rob Gibbon – Product Manager at Canonical. All views expressed are the author’s own.

The open source perspective viz. PaaS

Open source software, as the name suggests, is developed in the open. The software can be freely inspected by anyone, and can be freely patched as required to suit the security requirements of the organisation running it. Any publicly identified security issues are centrally triaged and tracked. Associated software patches are also developed and distributed in a coordinated manner. The process is based on broad collaboration between government agencies, open source software vendors, security researchers, community contributors and oftentimes the obligations set forth in the widely adopted GPL open source software license.

Platform as a Service (PaaS) solutions, generally speaking, are developed as proprietary, black-box solutions. Whilst the software offered by the PaaS solution is sometimes free open source software, the provisioning and management solution surrounding the software is almost always proprietary to the PaaS vendor. The customer may have little to no visibility into the provisioning and management engine codebase and the problems that might exist therein, and is likely to depend on the PaaS vendor to fulfill many of their security obligations.

PaaS providers have maintained an excellent security posture for many years. Exploits are rare, and when they are identified, the vendor’s response is usually rapid and decisive. But PaaS is still a relatively new technology in terms of general adoption, and where an exploit in PaaS is identified, its scope can be quite devastating for users of the service in question.

“ChaosDB” for example, was a privilege escalation vulnerability identified on the popular Microsoft Azure CosmosDB platform, that potentially allowed attackers to gain access to database instances that had the “Jupyter Notebook” feature enabled. Whilst Microsoft acted responsibly and rapidly addressed the threat presented by ChaosDB, it is nevertheless an example of a PaaS vulnerability with potentially broad scope and far reaching consequences. I believe Microsoft acted commendably, but Microsoft also has the scale and the resources to be able to act in a decisive manner – something smaller or less experienced PaaS vendors might struggle to do.

PaaS and the shared responsibility model

In the shared responsibility model of public cloud computing, the PaaS vendor is typically responsible for a great deal more of the security procedures and controls than in a classical on-premise or even cloud infrastructure as a service (IaaS) deployment – such as one founded on proven, mature open source software. Thus with PaaS the customer usually surrenders much more control and visibility, yet remains the accountable party.

For many enterprises (for example, those that operate in licensed and strictly regulated verticals such as financial services,  telecommunications, or institutions directly accountable to the public and organisations that deliver safety critical services) the risks posed by the prospect of an attacker gaining full access to data platforms – especially those hosting secret, sensitive or personally identifiable citizen data – are likely to be unacceptable. For many others with perhaps less at stake, the risks presented by a security breach on a PaaS solution doubtless remain unpalatable.

PaaS as open source software: my opinion

From a security standpoint, I believe PaaS still has a way to go until it can match the level of procedural maturity and confidence that open source software deployments can offer to those accountable for enterprise information security. Whilst I firmly believe in the complementary premise of PaaS as a flexible and convenient customer option, as an open source proponent I advocate for vendors to develop PaaS provisioning and management systems in the public domain as open source software.

By making their solutions available to public scrutiny, PaaS vendors can sponsor transparency, traceability and the timely resolution of critical vulnerabilities. Open source software offers PaaS vendors a proven path to engendering long term trust and supports customers in maintaining their accountability.

By establishing a diversified portfolio of service providers and solutions, I believe customers can proactively minimize their risk of exposure. Hybrid and multi-cloud solution architectures that operate over the top of cloud service providers can be founded on robust, open source technologies and can be hardened according to customers’ own unique needs and security best practices.

• Learn more about Managed Application services from Canonical

• Learn more about Canonical Managed Kubernetes and private cloud services

• Contact us to discuss your requirements