M.20) Use infrastructure or platform as a service (IaaS, PaaS)

Category:        Corporate security

Responsible:   CSR

Effort:              No additional effort (This measure will save a lot of time)

Based on:       Recommendation of the author.

The usage of cloud services is double-edged. On the one hand, the company stores data with and transmits data to another company, and has no insight into what the employees of that company might do with this data. On the other hand, the usage of cloud services offers many advantages, including security-related ones [1], [2], [3]:

  • Highly scalable – It is possible to add and remove servers, databases and other infrastructure within minutes. Options for auto-scaling (depending on the actual load) are also available.
  • Cheaper for small companies – Only pay for what’s really needed. Users only pay for active servers. Instances are virtual – those which are not used are simply destroyed.
  • Highly flexible – There is no need to decide upfront which server type fits best or how many infrastructure components will be needed.
  • Less effort – Infrastructure management and maintenance of physical hardware is handled by the service provider.
  • Numerous templates, apps and additional services – It is possible to launch new servers from existing server images which already contain all the required software. It is also easy to enhance a server’s capabilities by adding additional services, like mass-email tools, search engines, database caches, etc.
  • High availability and fault tolerance – Most cloud services are fault tolerant by design. If a hard drive breaks, it shouldn’t be a problem.
  • More secure – Proven security architecture and concepts which are in service and have been tested for years now. Cloud infrastructure also often comes with integrated Denial of Service protection. Example: An attacker might think twice about whether it is really reasonable to attack Google, Amazon or Microsoft servers.
  • Automatic software updates – The operating system and the software of a server can be automatically updated to new versions. This is especially useful for updating software for which a new zero-day exploit has been published.
  • Integrated identity management – Each employee gets his or her own credentials. In this way it is always traceable what each user did.

There are many other advantages, but those are the major ones. For these reasons the author recommends using IaaS and PaaS cloud services. The privacy point of view is discussed in chapter M.23.



[1] StateTech Staff, “5 Important Benefits of Infrastructure as a Service,” StateTech, 14 03 2014. [Online]. Available: http://www.statetechmagazine.com/article/2014/03/5-important-benefits-infrastructure-service. [Accessed 25 09 2016].

[2] Forbes, “The Business Benefits Of Infrastructure As A Service,” 17 06 2015. [Online]. Available: http://www.forbes.com/sites/cdw/2015/06/17/the-business-benefits-of-infrastructure-as-a-service/#1826e31d19a9. [Accessed 25 09 2016].

[3] Amazon Web Services, “AWS Security Whitepaper,” [Online]. Available: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf. [Accessed 01 08 2016].


