It's possible for a PaaS to improve your security posture by implementing many of the security controls you'd otherwise be responsible for yourself. Every PaaS provider has a Shared Responsibility Model, like this one from AWS [0], and a good PaaS can eat up much of what would otherwise be your responsibility as an AWS customer: network architecture, secure configuration, IAM, system access (and auditing), intrusion detection, etc.
On the other hand, many PaaS providers obfuscate their security implementation, and ultimately your data could be compromised by their mistakes. Things you should look for when evaluating PaaS providers:
- How are resources, networks, etc. separated/isolated per customer?
- What are YOUR security responsibilities on the platform?
- How transparent is the provider about their security controls? Do they have security whitepapers, SOC 2 reports, etc. that are transparent and legit? Better yet, can they prove to you in the product how security controls are being implemented?
Disclaimer: I'm the CEO and founder of Aptible [1], a PaaS specifically built to meet and prove security requirements for companies in regulated/high-compliance environments.
I have a question about endpoints. It seems like you guys charge per endpoint. I don't quite understand this. So if I'm developing an API-only application, will every API endpoint I develop in my application be charged? And for Aptible to keep track, would I have to register each endpoint I develop?
If my application were just serving dynamic HTML pages, I wouldn't be charged per URL of my application, right? So why would I be charged per API endpoint?
EDIT:
Another question. Do you guys offer any SSO solutions? If not, if I used, say, Auth0 for authentication, are there any issues with integrating with Aptible?
"Endpoints" on Aptible are load balancers. So you would pay for each load balancer your API needs (usually just 1), not every API endpoint. Thanks for the feedback on that — we will update the language to be clear that these are load balancers, not API endpoints.
We don't provide a solution for implementing SSO in your own application, but many of our customers do integrate with Auth0 without issue. For your own team's access _to Aptible_, we offer SSO through SAML integration with any provider (Google, Okta): https://deploy-docs.aptible.com/docs/sso
Another question. I tried looking for the answer on the website, but couldn't find it. Is it possible to use my own AWS account and integrate it with Aptible or does Aptible provide their AWS assets for my use? The former would be ideal for us as we would like to own (more accurately, rent them ourselves) all of our AWS assets and just have someone like Aptible help us to manage them.
Aptible hosts (and pays for) AWS resources on your behalf, similar to Heroku/Render/Railway. Last year, we built support for integrating Aptible into your own AWS account, but only a handful of existing customers are currently using that, and it's not available in the product by default. I'd be interested to learn why you prefer this model. If you're willing to chat about it, my email is in my profile.
Alternatively, have you checked out other PaaS-in-your-own-IaaS solutions like:
[0] https://aws.amazon.com/compliance/shared-responsibility-mode...
[1] https://www.aptible.com/