December 8 - Day 1: Platform-as-a-Service Defined - InformationWeek


December 8 Day 1: Platform-as-a-Service Defined

Great discussion today guys! I'm looking forward to tomorrow! Thanks Joe, Lorna, tmeehan532 and everyone!

Apprentice

Nice framing of that problem... great point. Thanks Joe!

Apprentice

@Wendy-- The range of PaaS vendors is wide.  Some are providing services around open-source solutions (including hosting OSS-driven services), and some have completely custom software.  If your goal in using PaaS is to push some of the complexity to a vendor (instead of just bringing the complexity in-house in a more organized fashion), then you're almost certainly going to be using a vendor that's got a decent amount of proprietary code, since the OSS solutions are more around organizing complexity than removing it.

Ninja

Right Wendy -- maybe expertise is hard to find, but why not invest in training and implement internally.

Author

Joe, is it true that many PaaS vendors are just wrapping open source solutions? I get that it's a viable way of doing things, but for customers, I wonder if that's really driving value in a cloud-centric happy place.

Apprentice

@Lorna Garey There are companies who just design APIs, specifically to mitigate the risks associated with them being public on the Internet.  Yes, it's a complex undertaking.

Strategist

On APIs, like many things, "there's a vendor for that".  There are a number of API management firms that think deeply about all aspects of APIs, and they're almost certainly worth using if you have a significant API.

Ninja

@tmeehan532-- well said.

Ninja

@Lorna, it does seem like a bit of a screen door. It's not the first nor the twentieth attack I've read about that came down to APIs

Apprentice

APIs seem like a target-rich environment for potential attackers.

Author

@Lorna Garey I think the reason PaaS is the least adopted is because it's the most complex in terms of integration with internal systems.  IaaS is more commoditized and easily replaced.  SaaS is a complete handoff with minimal integration / touchpoints, shifting most of the risk to the vendor.  PaaS means you share in the risk, integration, and there is less commodity-like sys admin practices (believe it or not).

Strategist

Got it, thanks Joe! Excellent point.

Apprentice

I believe the SnapChat security issue was around their API not being as locked down as it could be.  That speaks to the fact that developers really don't care much about security, but isn't anything that's specific to them being on GAE.

Ninja

@Lorna-- I think the PaaS adoption issue is mainly because of the complexity.  The first vendors either tried to build scaffolding around complexity to make it a little easier, or baked in a lot of assumptions to knock out complexity (which also knocked out the number of use cases it could address).  The next wave of solutions are either around solving specific problems within the PaaS umbrella (e.g., offerings from IBM and AWS), or leveraging some of the scaffolding and using containers (e.g., Docker), and it's probably not going to be either-or, but and.

Ninja

Speaking of security and SnapChat, wasn't that breach a few months ago really a third party app breach? So what could SnapChat have done differently to avoid that situation (aka what can we do differently to avoid the SnapChat PaaS nightmare)?

Apprentice

So if you're concerned about security, public IaaS is probably a conquerable issue, but public PaaS may not be (at least not in the near term), and you'll instead be looking at PaaS software that you control.

But if you're more focused on agility than security, then public PaaS may give you a huge boost.  For example, I believe SnapChat is running on Google App Engine, and I'm sure they've gotten massive business agility in the process of outsourcing all of the various things that you get to with GAE.

Ninja

PaaS is the least-adopted area of cloud. Do you think that lack of transparency is the reason?

Author

@jemison288..  I will take note of that input on private keys.

Apprentice

@Wendy--   I think the bigger issue with security and PaaS is that, at least for public PaaS, you're giving your PaaS vendor the keys to the kingdom.  And many public IaaS setups don't have incredibly granular user controls, so you're almost certainly violating least-user-privilege by setting up public PaaS.

Ninja

@tangcov-- Most public IaaS vendors now allow you to maintain your private keys outside of their control, and so you can essentially bring the security position of public IaaS to the same as colocation, which is good enough for many applications.

Ninja

@jemison288 Good point.  Trust but verify.  However, it's very hard to trust a vendor when you have to depend on them to provide visibility into their (often proprietary) operations.  Just ask your local tax collector how hard it is to get transparency from corporations.  Every now and then, you get a peek via reports to the SEC and shareholders.  Asking for transparency into their very operations is going to be a long time in coming.

Strategist

Yes, the thing with PaaS is that there seems to be a lot of behind the scenes juju.

Author

Joe, in your June 2014 report on big data security, you revealed that about a quarter of IT isn't doing regular database security assessments. To @Tmeehan532's point, what other major gaps do you see when it comes to PaaS security?

Apprentice

So the Rap Genius / Heroku story (if you haven't read that, it's worth Googling to find and read) is a pretty terrifying read for anyone in security thinking about pure public PaaS, because it says that your PaaS vendor can lie to you about specific technical aspects of your deployment without any contractual penalties (and perhaps very few commercial penalties, but we don't know the details there).

Ninja

Thank you @Lorna Garey.  @tmeehan532, @jemison288..  It is important for us to talk about security concerns in the cloud at least when an organization is going for a public IaaS.

Apprentice

I think the key intersection between PaaS and security is that your PaaS vendor needs to expose enough of the complexity of your underlying architecture (firewalls, networks, identity management) so that you can make sure your security policies can be deployed and you can test that they are properly in place.  

Ninja

@tangcov That's going to be a big IBM reference document.  On security, it's all in who is held accountable for a security breach.  If it's the developers, they will change their priorities accordingly.  But almost no company does that yet.

Strategist

@tangcov - we also have some devops data and reports that might be of interest:

http://reports.informationweek.com/abstract/21/12518/Security/DevOps-Impact-on-Application-Security.html

http://reports.informationweek.com/abstract/6/11960/Data-Center/Research:-2014-DevOps-Survey.html

Author

@tangcov-- I think you need several security tools within an organization, and security is something that has to be bigger than just external applications.  It's a bigger discussion, and there's definitely some philosophical debates that have to happen first, but I'm in favor of applying BYOD and local admin access, and then building strong monitoring and response processes around those.  You would then apply those monitoring and response tools (so IDS, IPS, SIEM, etc) to your deployments.

Ninja

I am actually looking for a reference architecture for the DevOps toolchain using IBM's technology stacks.

Apprentice

@Lorna Garey.  I am also involved in promoting our DevOps adoption so this is of interest to me.

Apprentice

Okay, if we're talking Dev Ops tomorrow, I'll hold that question until tomorrow.

Apprentice

@Tmeehan52 speaks the truth. I've seen the security No brigade in person during PaaS initiatives in the enterprise. There was an active repression of activity to "keep security's nose out of it" until it was too late for them to preempt the initiative. I'm curious to hear Joe's thoughts on how security teams can get involved, kind of the reverse of Lorna's scenario of bringing Dev Ops into the discussion.

Apprentice

I am on the ops side of the organization.  We had an IaaS POC that got slowed down by IT security requirements and firewall rules.

Apprentice

@tangcov - Joe can address PaaS' effect on security. We talk DevOps tomorrow as well.

Author

Lorna, I'm a project manager in a law firm who used to work in the IT shop of a software development company.  I'm on both sides.


Strategist

@tmeehan, are you on the dev or the ops side of the fence?

Author

What tool or technology will allow us to address the organizational security requirements?

Apprentice

That DDJ community is amazingly engaged, and they seem to have been pretty frank.

Author

Security teams are seen as the "no" people.  They slow things down or cause problems with project schedules.  Only now, after 10 years of Sarbanes-Oxley regulation, PCI & HIPAA regulations, NSA spying revelations, and regular recurring mass credit card scandals, are we starting to consider taking steps to address system and data security.

Strategist

Ah, a Don MacVittie report! Those are always good Dev Ops insights from MacVittie!

Apprentice

@Wendy, there is a lot of talk about DevOps being good for security because Ops at least has a seat at the table. And, automation tends to improve security.

Author

True, but ppl aren't even trying! Just 40% even bring the security team in the loop when architecting (report is here: http://reports.informationweek.com/abstract/22/12540/SOA-App-Architecture/2015-App-Dev-Priorities-Survey.html)

Author

Security seems to be the elephant in the room here, isn't it? I wonder, pertinent to Lorna's comment, whether it's not a precursor to some impending paradigm shift for dev ops

Apprentice

Until customers are willing to pay for security, security will remain a backwater marsh of trouble.  There's also so few metrics to measure security efficacy.


Strategist

We just did an app dev survey that showed really dismal results in terms of security.

Author

Does anyone else think the rise of power in the app dev ranks is contributing to the current rash of successful attacks? I mean, devs are incentivized to care about speed and rich functionality.

Author

Developers who care about operations -- DevOps.  That's the people thinking about physical servers, etc.  Developers with sys admin skills.


Strategist

Elegance doesn't pay the bills, Lorna!

Apprentice

If IT isn't thinking about the servers as a whole, who is?  Certainly, the Development staff just cares where a service is located, not the whole system.

Apprentice

Beauty contests -- to the back of the line!


Strategist

Heh. What happened to the goal of elegance?!

Author

Were you expecting an "easy" button?


Strategist

Wow, "complicated" is an understatement.

Author

Hi all - If you don't see the audio bar at the top of the screen, please refresh your browser. It may take a couple tries. When you see the audio bar, if it doesn't start automatically, hit the play button. If you experience audio interruptions and are using IE, try using FF or Chrome as your browser. Many people experience issues with IE. Also, make sure your flash player is updated with the current version. Some companies block live audio streams, so if that is the case for your company, the class will be archived on this page immediately following the class and you can listen then. People don't experience any issues with the audio for the archived version.

Apprentice

Developers and security do not mix.

Author

Hi everyone.

PaaS seems to really need clarity.

Author

How do I attend?

Apprentice

I tried two different browsers ... still can't hear anything ...

Apprentice

@ppatel60602, try refreshing your browser window. The audio has started and is streaming now.

Strategist

Cannot hear audio.

Apprentice

We'd love to have your voice in the discussion here. To take part, just type your comment or question into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the class starts -- I think you'll find that we're a very friendly community here! 

Strategist

Hey, everyone, we're glad you could join us! When the class is scheduled to start, at 2:00 p.m. EST, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player. 

Strategist
