5 PaaS security best practices to safeguard the app layer private platform as a service (private PaaS)

What are the main advantages and disadvantages of PaaS?

PaaS can be a good choice for developers who don't want to worry about the underlying infrastructure or operational tasks, but it's not always the best option for app development.

A decade ago, everyone was talking about moving applications to the cloud, meaning uprooting something running on a private server and taking it to a cloud provider. The original models of cloud computing -- IaaS, PaaS and SaaS -- reflect three ways of doing that. What's happened instead is that the cloud has become more of a universal front end to legacy data center applications.

Little of what runs in the cloud ever ran elsewhere; it was developed for the cloud, and cloud providers quickly realized that. They created web services or hosted features that developers could use to build applications. These services created the successor to the old PaaS cloud model, and when people talk about PaaS today, they're referring to these services.

Advantages of PaaS

There are four major advantages to modern PaaS:

  1. The use of cloud provider hosted features simplifies application development. Software features that most developers need, ranging from horizontal tools such as database support to more application-specific tools such as those supporting IoT, are offered pre-built. That saves overall project time, developer resources and development project budgets.
  2. Cloud provider features can take advantage of cloud capabilities that aren't exposed to cloud users for security and stability reasons. That means the implementation is very likely more efficient and flexible than what users could develop on their own.
  3. Because the cloud provider tools are standardized across all users, skills are transportable. A company building its own IoT logic couldn't expect to find anyone already familiar with its principles, but one adopting cloud provider features for IoT could expect to find experience with cloud provider tools available in the labor pool.
  4. Because PaaS tends to standardize the way common functions are supported, applications built on PaaS will likely be easier to support on an operations basis. Deployment, redeployment and scaling are typically facilitated by the PaaS tools, and so operations burdens and errors are reduced.

Most enterprises that adopt a PaaS cloud model today do so because of one or more of these benefits. And the majority say that the greatest benefits of PaaS are accrued during project development and maintenance, where cloud provider tools improve project quality and accelerate the delivery of results.

Chart listing PaaS pros and cons
PaaS advantages include simplified app development and minimal operational responsibility.

Disadvantages of PaaS

For all the positives of PaaS, there are three significant negatives as well. Enterprises agree that the upsides of PaaS are most visible to development teams, and the downsides of PaaS to CFOs. The most significant are the following:

  1. The use of cloud provider PaaS tools often increases the cost of running applications in the cloud, because each tool has an associated price. Furthermore, costs are often based on usage, which means the cost of a cloud application can climb simply because some of the PaaS tools are used often. Some enterprises have reported unexpected cost overruns due to this.
  2. Although all the major cloud providers offer most commonly used PaaS tools, the implementations are typically slightly different. That means applications might require software changes if an enterprise decides to change cloud providers. Loss of portability is a major problem for enterprises that fear cloud provider lock-in.
  3. The differences in implementation for a given PaaS tool likely mean the same software can't be run across a multi-cloud; a version for each cloud provider might be required. That makes deployment, redeployment and scaling much more complex. Because tool pricing might also change across cloud providers, multi-cloud usage of PaaS can also create significant variations in application cost depending on where everything is hosted.

The best way to get the most out of PaaS is to plan accordingly. The risks of PaaS can be minimized by fully assessing the costs of using PaaS tools for application development and deployment. Enterprises can sometimes reduce costs through careful feature selection, and all cloud providers offer tools to estimate costs. If an enterprise has good data on application usage, it can avoid cost surprises that would incur the wrath of senior management.

PaaS benefits can also be optimized. Planning is the key to this as well. Cloud providers often offer multiple ways of doing essentially the same thing -- high-level PaaS features aimed at IoT, for example, that are really wrappers around lower-level features such as event handling. You might not need all the high-level features, and if that's the case, the benefits won't offset the costs.

The most difficult problem to address in PaaS is portability. Tools are likely to be implemented differently across cloud providers, and that increases the cost of sustaining a multi-cloud or changing cloud providers. One way to address this is to design applications so that cloud provider-specific features are contained in small software modules that can be changed easily or switched for multi-cloud deployment -- or if another cloud provider offers a better deal.

These measures work where there's a modest number of specialized PaaS tools involved, but they can be difficult to apply when there's a lot of software and a lot of PaaS tools associated with the software. In that case, it's wise to look at the idea of separating PaaS tools from the cloud provider completely.

Overcome potential drawbacks with private PaaS

Enterprises generally agree that the best alternative to cloud provider PaaS is what can be called private PaaS, which means building applications on middleware tools designed to be portable across cloud providers and hosted directly via IaaS VM or containers. This, if done properly, can eliminate most of the risks of PaaS while retaining the main benefits.

The key to success with this approach is minimizing the number of software sources required to create the private PaaS. Try to lay out all PaaS requirements for current and future applications, and then use that list to find software sources, starting with software providers that can fulfill the largest number of PaaS needs. Enterprises that acquire their private PaaS software from an open source supplier rather than building their own tools from source code generally report having fewer issues with managing compatibility across tools and libraries.

Private PaaS is more work, and the acquired PaaS tools likely won't be free, so it's essential to compare the costs and benefits of private PaaS with those of traditional public cloud PaaS. Enterprises should also look at how well private PaaS tools work compared with public PaaS. Cloud providers' implementations of private PaaS tools can take advantage of relationships with cloud provider infrastructure that aren't exposed to users, and thus aren't available to private PaaS implementations.

Cloud provider relationships with software vendors, increasingly common in the cloud market, can offer an easier pathway to private PaaS. Look at the tools available from a source that's affiliated with all your cloud options first, and then compare it with the costs and benefits of others as you would with public cloud PaaS tools.

There's no easy way to tell how to balance the pluses and minuses of PaaS. Every enterprise must look at each benefit and risk and assign a value to it based on their own operations. It's also important to track any shifts in those values created by changes in cloud provider services and pricing, company application usage and traffic, and expenses and capital costs. Keeping careful notes on how each plus and minus is assessed -- each time an assessment is made -- is essential to getting the best results over time.

Next Steps

How to choose a PaaS or IaaS that aligns with DevOps

5 PaaS security best practices to safeguard the application layer

Top 10 PaaS providers of 2022 and what they offer you

Test your platform-as-a-service knowledge with this PaaS quiz

PaaS and containers: Key differences, similarities and uses

Dig Deeper on Cloud app development and management