
robgibbon
on 30 August 2021

Cloud PaaS through the lens of open source – opinion


Opinion piece by Rob Gibbon – Product Manager at Canonical. All views expressed are the author’s own.

The open source perspective vis-à-vis PaaS

Open source software, as the name suggests, is developed in the open. The software can be freely inspected by anyone, and can be freely patched as required to suit the security requirements of the organisation running it. Any publicly identified security issues are centrally triaged and tracked. Associated software patches are also developed and distributed in a coordinated manner. The process is based on broad collaboration between government agencies, open source software vendors, security researchers, community contributors and oftentimes the obligations set forth in the widely adopted GPL open source software license.

Platform as a Service (PaaS) solutions, generally speaking, are developed as proprietary, black-box solutions. Whilst the software offered by the PaaS solution is sometimes free open source software, the provisioning and management solution surrounding the software is almost always proprietary to the PaaS vendor. The customer may have little to no visibility into the provisioning and management engine codebase and the problems that might exist therein, and is likely to depend on the PaaS vendor to fulfill many of their security obligations.

PaaS providers have maintained an excellent security posture for many years. Exploits are rare, and when they are identified, the vendor’s response is usually rapid and decisive. But PaaS is still a relatively new technology in terms of general adoption, and where an exploit in PaaS is identified, its scope can be quite devastating for users of the service in question.

“ChaosDB”, for example, was a privilege escalation vulnerability identified in the popular Microsoft Azure CosmosDB platform that potentially allowed attackers to gain access to database instances that had the “Jupyter Notebook” feature enabled. Whilst Microsoft acted responsibly and rapidly addressed the threat presented by ChaosDB, it is nevertheless an example of a PaaS vulnerability with potentially broad scope and far-reaching consequences. I believe Microsoft acted commendably, but Microsoft also has the scale and the resources to be able to act in a decisive manner – something smaller or less experienced PaaS vendors might struggle to do.

PaaS and the shared responsibility model

In the shared responsibility model of public cloud computing, the PaaS vendor is typically responsible for a great deal more of the security procedures and controls than in a classical on-premise or even cloud infrastructure as a service (IaaS) deployment – such as one founded on proven, mature open source software. Thus with PaaS the customer usually surrenders much more control and visibility, yet remains the accountable party.

For many enterprises (for example, those that operate in licensed and strictly regulated verticals such as financial services or telecommunications, institutions directly accountable to the public, and organisations that deliver safety-critical services), the risks posed by the prospect of an attacker gaining full access to data platforms – especially those hosting secret, sensitive or personally identifiable citizen data – are likely to be unacceptable. For many others with perhaps less at stake, the risks presented by a security breach on a PaaS solution doubtless remain unpalatable.

PaaS as open source software: my opinion

From a security standpoint, I believe PaaS still has a way to go until it can match the level of procedural maturity and confidence that open source software deployments can offer to those accountable for enterprise information security. Whilst I firmly believe in the complementary premise of PaaS as a flexible and convenient customer option, as an open source proponent I advocate for vendors to develop PaaS provisioning and management systems in the public domain as open source software.

By making their solutions available to public scrutiny, PaaS vendors can sponsor transparency, traceability and the timely resolution of critical vulnerabilities. Open source software offers PaaS vendors a proven path to engendering long term trust and supports customers in maintaining their accountability.

By establishing a diversified portfolio of service providers and solutions, I believe customers can proactively minimize their risk of exposure. Hybrid and multi-cloud solution architectures that operate over the top of cloud service providers can be founded on robust, open source technologies and can be hardened according to customers’ own unique needs and security best practices.
