
The Myth: PaaS isn’t secure.

Today I was flying back to The Netherlands from France and I had a good conversation with a gentleman on the plane. We started talking about Cloud. After 5 minutes, he told me the famous sentence: “Cloud is not secure”.

Well, I do not agree with this statement. Not only this gentleman, but a lot of professionals are saying that every day to their managers. So, I would like to clarify some points and open the discussion:

First of all, let’s review what PaaS, SaaS and IaaS are:

IaaS provides cloud-based infrastructure services that provide compute, storage, and network capacity. The cloud subscriber is usually responsible for installing, configuring, securing and maintaining any software on the cloud-based infrastructure, such as database, middleware, and application software.

SaaS provides cloud-based business applications, like a human resources, sales, or financial application, running on platform software (such as database and middleware) and infrastructure that are hosted and fully managed by the SaaS provider. The SaaS subscriber typically has little to no visibility into or control of the underlying platform and infrastructure.

PaaS provides integrated, cloud-based platform services that include preinstalled and configured database and middleware (such as application and web servers) software on a cost-effective subscription basis. It can also provide a platform for developing, testing, deploying and securing different kinds of enterprise applications, such as transactional and analytics applications.

Now, let’s talk about the security of these services.

Suppose you are a health insurance company and you want to run the services on your own. You don’t want to store any data in the cloud because you believe it isn’t safe. I have a few questions for you and for the team administering your local infrastructure.

– Do you have a dedicated expert security team?
– Do you have processes that ensure compliance with regulatory and industry standards?
– Are you following compliance standards like ISO 27001, HIPAA, SOC1 and SOC2?
– Do you have any audit process?
– Do you have the correct physical and logical security controls?
– Do you have strategies for patches and updates? If you do, are they automatic?

If you cannot answer all my basic questions with “yes”, it doesn’t matter that you are running on local infrastructure: your data is possibly not safe anyway.

The fact is, people like to talk about what they consider unsafe, but they don’t look at their own environments. What if I told you that Oracle is certified for all my questions above? What would your decision be between a local infrastructure that does not follow all the requirements and a cloud service that does it for you? You can confirm this information at the link below:

I am not saying that you won’t have any work or any changes to perform after you migrate. You have to consider the sensitivity of the data and what can be done at each level. Would you like to have a look at how Oracle Cloud can help you protect your data? You can check here.
