SaaS, PaaS and IaaS: three cloud models; three very different risks

Summary: Software as a Service has password issues. Platform as a Service has encryption issues. Infrastructure as a Service has rogue user issues.


Many see cloud computing as one huge monolithic wave sweeping through the business world. However, there are many different types of clouds, and the risks -- and the methodologies needed to address them -- vary as much as the cloud models themselves. Vordel's Mark O'Neill, writing in Computing Technology Review, dissects the differing security issues in Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS):

Software as a Service (SaaS): Issue #1 here is password management. Since SaaS delivers applications from the cloud, the main risk is likely to stem from multiple passwords accessing applications, O'Neill says. "An organization can solve these issues by opting for a single sign-on option between on-premise systems and cloud. By leveraging a single sign-on option, users are able to access both their own desktops and any cloud services via a single password.... This approach also reduces the incidences of dangling accounts – which are vulnerable to unauthorized usage – after users leave organizations."
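
An added example (not from the article or from O'Neill): a Python audit that reconciles one SaaS application's account export against the corporate directory, flagging dangling accounts and accounts that still use their own password instead of single sign-on. The CSV layouts, column names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real data): the corporate directory and one
# SaaS application's account list. Column names are assumptions.
DIRECTORY_CSV = """email,status
alice@example.com,active
bob@example.com,terminated
carol@example.com,active
"""

SAAS_ACCOUNTS_CSV = """email,auth_method
alice@example.com,sso
bob@example.com,sso
carol@example.com,password
dave@example.com,password
"""


def load(text):
    """Parse a CSV export into a list of dicts with normalized e-mail keys."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["email"] = row["email"].strip().lower()
    return rows


def audit_saas_accounts(directory_rows, saas_rows):
    """Return {email: [findings]} for SaaS accounts that need attention."""
    status = {r["email"]: r["status"] for r in directory_rows}
    findings = {}
    for acct in saas_rows:
        email, issues = acct["email"], []
        if email not in status:
            issues.append("no directory owner")        # account created outside IT
        elif status[email] != "active":
            issues.append("dangling: owner has left")  # should have been deprovisioned
        if acct["auth_method"] != "sso":
            issues.append("separate password, not SSO")
        if issues:
            findings[email] = issues
    return findings


if __name__ == "__main__":
    report = audit_saas_accounts(load(DIRECTORY_CSV), load(SAAS_ACCOUNTS_CSV))
    for email, issues in sorted(report.items()):
        print(f"{email}: {'; '.join(issues)}")
```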

Platform as a Service (PaaS): Issue #1 here is data encryption. PaaS can be inherently secure, but the risk is slow system performance. That's because data encryption is recommended before data is sent to PaaS cloud providers, O'Neill says. The risk is that encrypting every piece of data will also eat up consumer organizations' CPU cycles and slow things down. Still, any solution implemented should broker the connection to the cloud service and automatically encrypt "confidential user data such as home addresses, social security numbers or even medical records."

Infrastructure as a Service (IaaS): Issue #1 here is rogue users. IaaS focuses on managing virtual machines, and the risks are little different than with other cloud types -- here, the main risk is rogue or unwarranted commandeering of services. IaaS requires governance and usage monitoring, and O'Neill recommends that enterprises establish cloud service governance frameworks that help prevent employees accessing information or services they are not permitted to use. "It also prevents them from running up costs on virtual machines or setting up their own accounts to access services paid for by the organization," he says.


  • Security


    Thanks for the article.

    Just one comment on the PaaS front. What we see on the market is that a growing number of customers understand that their move to the cloud is driven by net new applications aiming at pushing MORE information on NEW type of devices (tablets, phones, etc.) Consequently, this information *is* going to be out there anyway, furthermore on devices that they can't always control (especially with the growing BYOD trend). Consequently, they realize that over-engineering an encryption story at the PaaS level would only harden... what's probably already the strongest link of the chain. Not to say that encryption is not important, just that PaaS is not for them the weakest point of the chain they are building.

    In terms of SaaS and login centralization, we are successfully using OneLogin at CloudBees and it works well for our needs.

    With regards,

    Sacha Labourey
    CEO, CloudBees, Inc.
  • well described definition to three types of cloud services

    You can also read more on IaaS PaaS SaaS via

    Also covering DaaS