Platform-as-a-service (PaaS) is a key pillar of the cloud revolution, giving developers a hosted platform on which to create and test new applications without having to think about the underlying infrastructure. The biggest names in this space are public PaaS providers such as the U.S. firm Heroku, but many enterprises are wary of this model, mainly for security reasons – hence the emergence of private PaaS setups like Qubell, where business users don’t have to share resources with strangers.
As we will discuss at our upcoming Structure:Europe conference in London on 18-19 September, it seems this model is becoming particularly attractive to European companies, who have always been on the conservative side when it comes to the cloud and who now feel PRISM and Tempora have confirmed their worst suspicions. But does private PaaS really make that much of a difference, given the reach of these government surveillance programs?
The Berlin-based PaaS provider CloudControl has had a public PaaS offering (based on Amazon Web Services resources) for four years, but this week it wrangled what is essentially the same product into a private PaaS service, in order to “bring all the benefits of the cloud to enterprises, while addressing data protection concerns.” The press release announcing CloudControl’s private PaaS product, the OpenStack-based Application Lifecycle Engine, even began with a reference to PRISM.
“Companies here in Germany fear already when using public infrastructure that somehow the NSA or other government agencies might be able to intercept the communications between the public cloud and their corporate computers,” CloudControl marketing chief Sebastian-Hendrik Picklum told me. “They like continuing to use their data centers and having control from the server to the user.”
However, Picklum acknowledged that this was “more about being afraid of going to the public cloud without having a real reason for that.”
There are two problems with thinking private PaaS is significantly more secure than public PaaS, Picklum suggested. The first is that the companies using private PaaS are also going mobile, which means the data flowing between server and user has to go over the public network at some point. This makes it about as vulnerable to being scooped up by Tempora or some similar surveillance scheme as data being worked on in a public PaaS system.
The second issue is that PaaS, public or private, comes with inherent security benefits anyway. What companies such as Heroku and CloudControl do is to spin up temporary “instances” – ephemeral virtual computers – that effectively get flushed away once the user is done with them. So even if someone theoretically got past the security and gained access to this virtual container, they would be quite likely to see it vanish pretty quickly.
“We can’t really communicate those benefits right now because people right now in Germany are not perceiving that,” Picklum said. “They don’t see that the cloud technology is even more secure because resources are temporarily assigned to applications.”
Right now it’s hard to ascertain precisely how much more secure European data centers are than their U.S. counterparts, or whether private PaaS really does offer a level of security that public PaaS does not — we don’t know the full extent of online spying in Europe yet, nor the techniques that are being employed. (Hopefully more will have come out by the time we discuss these issues at Structure:Europe in September.)
But what is clear is that many European businesses are uncertain and scared – a situation that makes perception a major factor in their decisions.