
robgibbon
on 30 August 2021

Cloud PaaS through the lens of open source – opinion


Opinion piece by Rob Gibbon – Product Manager at Canonical. All views expressed are the author’s own.

The open source perspective viz. PaaS

Open source software, as the name suggests, is developed in the open. The software can be freely inspected by anyone, and can be freely patched as required to suit the security requirements of the organisation running it. Any publicly identified security issues are centrally triaged and tracked. Associated software patches are also developed and distributed in a coordinated manner. The process is based on broad collaboration between government agencies, open source software vendors, security researchers, community contributors and oftentimes the obligations set forth in the widely adopted GPL open source software license.

Platform as a Service (PaaS) solutions, generally speaking, are developed as proprietary, black-box solutions. Whilst the software offered by the PaaS solution is sometimes free open source software, the provisioning and management solution surrounding the software is almost always proprietary to the PaaS vendor. The customer may have little to no visibility into the provisioning and management engine codebase and the problems that might exist therein, and is likely to depend on the PaaS vendor to fulfill many of their security obligations.

PaaS providers have maintained an excellent security posture for many years. Exploits are rare, and when they are identified, the vendor’s response is usually rapid and decisive. But PaaS is still a relatively new technology in terms of general adoption, and where an exploit in PaaS is identified, its scope can be quite devastating for users of the service in question.

“ChaosDB”, for example, was a privilege escalation vulnerability identified on the popular Microsoft Azure CosmosDB platform that potentially allowed attackers to gain access to database instances that had the “Jupyter Notebook” feature enabled. Whilst Microsoft acted responsibly and rapidly addressed the threat presented by ChaosDB, it is nevertheless an example of a PaaS vulnerability with potentially broad scope and far reaching consequences. I believe Microsoft acted commendably, but Microsoft also has the scale and the resources to be able to act in a decisive manner – something smaller or less experienced PaaS vendors might struggle to do.

PaaS and the shared responsibility model

In the shared responsibility model of public cloud computing, the PaaS vendor is typically responsible for a great deal more of the security procedures and controls than in a classical on-premise or even cloud infrastructure as a service (IaaS) deployment – such as one founded on proven, mature open source software. Thus with PaaS the customer usually surrenders much more control and visibility, yet remains the accountable party.

For many enterprises (for example, those that operate in licensed and strictly regulated verticals such as financial services, telecommunications, or institutions directly accountable to the public and organisations that deliver safety critical services) the risks posed by the prospect of an attacker gaining full access to data platforms – especially those hosting secret, sensitive or personally identifiable citizen data – are likely to be unacceptable. For many others with perhaps less at stake, the risks presented by a security breach on a PaaS solution doubtless remain unpalatable.

PaaS as open source software: my opinion

From a security standpoint, I believe PaaS still has a way to go until it can match the level of procedural maturity and confidence that open source software deployments can offer to those accountable for enterprise information security. Whilst I firmly believe in the complementary premise of PaaS as a flexible and convenient customer option, as an open source proponent I advocate for vendors to develop PaaS provisioning and management systems in the open, as open source software.

By making their solutions available to public scrutiny, PaaS vendors can sponsor transparency, traceability and the timely resolution of critical vulnerabilities. Open source software offers PaaS vendors a proven path to engendering long term trust and supports customers in maintaining their accountability.

By establishing a diversified portfolio of service providers and solutions, I believe customers can proactively minimize their risk of exposure. Hybrid and multi-cloud solution architectures that operate over the top of cloud service providers can be founded on robust, open source technologies and can be hardened according to customers’ own unique needs and security best practices.
