Platform as a Service (PaaS)

Platform as a Service (PaaS) moves the shared responsibility boundary upward. The provider now operates more of the runtime platform, such as managed web runtimes, managed databases, managed application hosting, or managed integration services. The customer gives up some host-level control, but the customer does not give up ownership of data, identity policy, configuration choices, secrets, workload logic, or exposure decisions.

That shift changes the shape of customer work. The customer may stop patching guest operating systems or maintaining host middleware directly. In exchange, the customer becomes more dependent on platform configuration, service integration, identity design, network placement, and application correctness. Less operating-system burden does not mean less responsibility. It means the responsibility sits in different places.

The boundary shift can be visualized like this:

    flowchart TD
	    A["Provider operates more"] --> B["Host platform and runtime"]
	    A --> C["Managed patching and service operations"]
	    D["Customer still operates"] --> E["Application logic"]
	    D --> F["Identity and access policy"]
	    D --> G["Secrets, data, and configuration"]
	    D --> H["Exposure and integration choices"]

What to notice:

• the customer burden narrows, but it does not disappear
• misconfiguration becomes a bigger risk relative to host maintenance
• application and data governance remain firmly customer-owned

What Changes from IaaS to PaaS

Compared with IaaS, PaaS typically reduces responsibility for:

• guest operating system patching
• middleware lifecycle management
• parts of scaling and runtime maintenance

But PaaS still leaves the customer responsible for:

• application logic and insecure code paths
• service configuration and exposure policy
• workload identity and permission scope
• secrets handling and key strategy
• data classification, retention, and recovery expectations

That is why a PaaS environment can be operationally easier while still producing serious customer-owned failures.

A Practical PaaS Control Map

 1service_model: paas
 2workload: managed-web-application
 3
 4provider_responsibilities:
 5  - runtime-platform-operations
 6  - underlying-patch-management
 7  - managed-service-availability-baseline
 8
 9customer_responsibilities:
10  - application-authz-logic
11  - secret-injection-and-rotation-policy
12  - environment-configuration
13  - inbound-exposure-rules
14  - role-assignment-and-user-access
15  - data-retention-and-deletion-policy

What this demonstrates:

• the runtime may be managed while the workload remains customer-governed
• the customer’s responsibility moves closer to policy and configuration
• a PaaS system can still be badly secured through weak application or tenant decisions

Why PaaS Can Feel Safer Than It Really Is

Because the provider handles more platform mechanics, teams often infer that the workload itself is therefore safer. That is a dangerous shortcut. Many important control failures in PaaS environments come from:

• permissive configuration
• broad service identities
• weak secret management
• insecure application behavior
• unreviewed internet exposure

The provider may run the platform correctly while the customer still creates a risky workload on top of it.

Common Mistakes

• assuming a provider-managed runtime makes application security mostly provider-owned
• forgetting that secrets and identity scope remain customer design decisions
• treating PaaS configuration screens as convenience features rather than as control surfaces
• assuming provider-managed scaling also handles business continuity objectives automatically

Design Review Question

A team migrates an internal web app from VMs to a managed application platform. They stop managing the operating system and say security responsibility has therefore shifted mostly to the provider. The team still controls internet exposure, environment configuration, secrets, and application authorization logic. Is the team right?

No. The stronger answer is that the provider has taken more of the platform burden, but the customer still owns the controls that determine how the workload behaves, who can reach it, and how its data is protected. The boundary moved upward, but it did not vanish.

Check Your Understanding