The XaaS Landscape: Where’s Security Being Discussed?
Posted by hyperguard on September 28, 2009
Opinion and future-casting about ‘as-a-service’, or XaaS, has officially taken off. Thinking Out Cloud gives a good overview (although we have a slightly different view of the conclusion). Risk Bloggers shared a few worthy thoughts on making sure you end up with a stable XaaS (referred to as cloud) provider.
Security is the giant reality check to the hype curve here. It’s being discussed in terms of web application development from the ground up, combined with policy changes. See Jon Oltsik’s commentary. Vendors such as GigaSpace are having their say. Amazon, of course, is leading the discussion. The busy folks at Rackspace are at full tilt on the issue (as you’d expect).
So what’s missing? Only that the aforementioned musings all focus on security as a starting point before launching XaaS offerings. All well and good; however, what about the raft of applications that have already been pushed out of the network and live as XaaS offerings right now? Are they left ‘to the wild’, as it were?
Companies can’t afford the time, effort and risk of taking applications offline to refactor (or re-architect from scratch). One approach is to hook a source code scanner into your distributed Web application firewall (dWAF) to create a virtual patch until the developers can get their hands on the code and fix it. See Art of Defence’s thoughts on dWAF use here.
Starting security from scratch for XaaS offerings is the right thing to do, yet there are ways to shore up existing applications right now.