The Backend components illustration.

If you’re planning to go serverless on your next project with Backend-as-a-Service, your timing couldn’t be better. The architecture has matured enough to ensure you’ll get a flexible cloud solution right out of the box, with an optimal time to market.

However, if BaaS security implementation is one of your concerns, reading this article is highly recommended.

BaaS development is one of Acropolium’s primary services. In business since 2005, we witnessed the birth of the model and delivered numerous Baas-based projects for healthcare, HoReCa, social media, and other industries. Choosing the right backend services, setting them up correctly, and managing security settings are some of the tasks we perform on a regular basis.

In this article, we’ll focus on the advantages of BaaS from a security standpoint. Keep reading if you want to know more about the multi-tier model, compliance with data privacy laws, and the security hierarchy concept. But first, let’s quickly go over the essentials of BaaS.

BaaS in a nutshell

If we compare software to a car, the front-end components are those that we interact with directly: the steering wheel, the gas and brake pedals, the multimedia system. The engine, gearbox, and suspension, on the other hand, are the underlying backend parts — we don’t usually see them, but they make everything work.

BaaS, or Backend-as-a-Service (don’t confuse it with Backup-as-a-Service or Blockchain-as-a-Service), is a cloud-based solution for backend functionality. With SDKs (Software Development Kits) that facilitate feature deployment and APIs (Application Programming Interfaces) that enable communication between programs, developers can concentrate their efforts on the frontend.

In reality, this means you can use the resources saved by using Backend-as-a-service to enhance user experience, business logic, and design. It’s as if someone has already put together most of the car’s internal parts for you.

These are some of the backend features that BaaS takes care of:

  • Databases and file storage
  • Authentication and access management
  • APIs (Application Programming Interfaces)
  • Infrastructure (physical servers software runs on, network scalability, etc.)
  • Notifications (email, push, etc.)
  • Social media integration

In short, using a BaaS platform is an excellent way to outsource the maintenance of the server infrastructure and automate the development of backend services. To enjoy these perks, you can either choose a pre-configured solution from a cloud service provider or go with a custom-built BaaS platform. The important thing to remember is: client authentication and data security are handled at the BaaS level, so choose wisely.

By the way, if this brief overview isn’t enough for you, check out our full article on BaaS and its benefits.

And now, it’s time to look at the internal structure of the BaaS model.

BaaS architecture

BaaS uses a multi-tiered architecture, which helps developers implement security features more efficiently.

Knowing the principles a typical BaaS platform is built on will help you understand the strengths and weaknesses of its security protocols. Just the basic principles, we promise to not go in too deep.

The three layers of BaaS

Most Backend-as-a-Service solutions comprise three distinctive layers:

  • Foundation layer. This layer contains your databases and files. It’s a cluster of servers the system uses to store, retrieve, and backup your data. Depending on your provider and your scalability needs, the machines may run an SQL or a NoSQL database.
  • Application layer. At this level, software processes requests (for instance, user authentication) and communicates with the data layer. It’s done via API calls and is based on the integrated business logic. The choice of the tech stack here is much broader and may include programming languages like Java, Python, Pearl, and more.
  • Connection layer. This layer provides your servers with a secure connection to the internet. For optimal operation, it also includes load balancers.

If you’ve already done some reading on the subject, you might have come across the term “tier” used alongside “layer”. Note that these are not identical in meaning. The notion of layers pertains to functional differences, while tiers represent separate parts of the infrastructure that host those layers.

Running databases and APIs on different server clusters (tiers) is recommended both for security and flexibility reasons. Most options from major BaaS vendors, as well as custom-made solutions, are built in accordance with this principle.

Speaking of vendors, there’s a growing number of BaaS providers on the market, which reflects the high demand for the model. AWS Amplify, Google Firebase, Microsoft Azure, and Parse (now owned by Facebook) are currently some of the best-known names in the industry. Each of them has implemented their own practices and follows a set of standards to ensure security at every level, from authentication to data and file storage.

But be sure to always study the provider’s offer in advance, as you might end up in vendor lock-in, with important safety features missing in the chosen package.

And let’s not forget how much of any software’s functionality revolves around data. Your proprietary and customer data are valuable commodities and should be kept safe at all times. How’s BaaS doing in that regard? Let’s find out.

BaaS data and file storage practices

Developers achieve security of data and files in Backend-as-a-Service systems thanks to:

  • Data encryption. Be it a custom solution or a provider’s product, BaaS-based systems always use encryption protocols. Data is encrypted in transit between servers, as well as in storage — both in the API and database tiers.
  • Automatic backup. Standard practice for cloud-based services, data is backed up regularly and mirrored on several servers, often in different physical locations.
  • File access policies. Customizable access rights are hardwired into the very fabric of BaaS. With careful implementation, precise permissions can be set at the API level, as well as for different users.

Even though the BaaS model uses multi-tier architecture and has solid file and data security practices, it may still be vulnerable to attacks. More on this — in the next section.

Main BaaS security concerns

There aren't too many issues with BaaS security, but we need to mention them for objectivity.

As with most software, customer data safety is the number one priority for BaaS-based systems. From our experience, BaaS security threats are mostly explained by suboptimal authentication practices and poorly implemented user/customer roles. This can result in data breaches by malicious agents, as well as users getting access to information that was not intended for their eyes.

Remember, once you integrate compromised backend services into your software, it will automatically inherit those security flaws. Another source of problems is too trivial: human error. Even the mighty Google isn’t immune to this: the infamous Android app leak occurred due to a misconfiguration in Firebase.

Let’s see what possible BaaS security issues there are and how they can present themselves in different situations.


When developers employ ready BaaS solutions, they mostly rely on built-in security tools. After all, not having to reinvent the wheel is the reason to use those pre-manufactured blocks of code. The fact is, not everyone reads instructions on implementing security features that BaaS providers supply with their products. So customers often receive products with basic authentication methods.

Here’s the culprit: when a user requests data, many BaaS systems will only require identification from the app that makes the API call. That is not the only security feature available, but the one many developers use by default. The app authenticates by providing its ID and a secret key as proof that it has the right to use that ID. If someone has sufficient expertise to get hold of those two identifiers and create an impostor app, they can gain access to the database. Since most apps store keys in their binaries, the chances of this happening are much higher than we might think.

To avoid this problem, developers should use additional methods of authenticating the user who initiates the request. When the user’s identity is linked to that of the app making the API call, it becomes nearly impossible to fake.

However, other issues may arise when multiple users require access to the same data in different ways.

Granular access

Oftentimes, an app’s business logic requires differentiated access to data, depending on who’s asking. For instance, managerial staff has to be able to change certain fields, while other employees only need to view that information. Moreover, some data may need to be distributed on a strict need-to-know basis.

Even though BaaS security settings are quite flexible, it can be a real headache for developers. It’s easy to get lost in multiple user access permissions and configurations, especially with pressing deadlines. Keep in mind, BaaS solutions are often advertised as a magic wand that will speed up delivery and help cut costs (which they do). Naturally, engineers may succumb to taking a shortcut here and there, using default user roles and simpler hierarchies.

The result? Unauthorized access to sensitive information and possible exploits by third parties, leading to reputational and financial losses.

To prevent this from happening, we can recommend taking two simple precautions:

  • Set app and user privileges with more precision
  • Never use the same channels for user and administrative access

There’s another concern we need to mention. Rather than being a functional flaw, this one is about obeying the law.

Compliance with data privacy regulations

When it comes to private data, regulatory compliance requirements are strict, especially if you’re in the healthcare business. Not all ready-made BaaS solutions are HIPAA-compliant, although most are designed in accordance with GDPR. Make sure to check this before settling for a BaaS provider — or request compliance with specific standards from the vendor that’s building your custom product.

Failure to implement a data protection privacy policy for BaaS that’s required in your domain may lead to fines and lawsuits.

These are all the BaaS security threats we could think of. In all fairness, our experience with BaaS has been overwhelmingly positive, and the possible security shortcomings are minor compared to the benefits.

Why BaaS is a secure option for backend

BaaS offers a number of security features that should be sufficient for any project.

If we dig a little deeper, it turns out there are many upsides of using Backend-as-a-Service for end-user security, as well as for protecting your proprietary data. The model lends itself well to tying those loose safety ends, and it’s more about developers taking the time to unleash its full potential.

Here are the essential security mechanisms a properly designed Baas solution will have.

Multi-tier security

The BaaS security hierarchy may seem complex at first, but it’s also very effective. The idea is that security is enforced at multiple levels by defining access permissions for different users and roles. Moreover, you can set specific rules at every tier of the platform. Provided you’ve teamed up with a software vendor experienced in BaaS.

BaaS API security

In a properly set up BaaS, API calls are linked to the IDs of both the app and the user. This prevents unauthorized access to the app’s functions and data. Besides that, you can assign API permissions for every role. This makes invoking API requests virtually impossible for users without the appropriate rights.

BaaS files security

Similar permissions can be defined at the file access level. Allow or restrict reading, altering, or deleting files for each user role. You can do so globally or specify files or folders.

BaaS owner policies

Another useful security feature of BaaS that rests upon its sophisticated user hierarchy. When it comes to managing data for modern web applications, different parts of a program may request access to the same fields in data tables. Owner policies prevent apps from accessing data that they did not create.

In addition to the points listed above, software developers should adhere to common security principles such as:

  • Isolate databases
  • Set up anti-malware software
  • Perform regular security updates

As you can probably see by now, BaaS security and privacy features are diverse and highly customizable. Let’s do a quick summary, and we’ll be on our way to building more BaaS projects.

The bottom line

If you’re unfamiliar with Anderson’s rule, it says that if a system works with sensitive data, balancing its functionality, scalability, and security isn’t easy. The rule actually states you can only get two out of three.

BaaS solutions, in our opinion, do a great job of keeping data secure while being perfectly scalable. And if you add a team of experienced software developers to the mix, checking the “functionality” box is possible, too.

The key here is not to be complacent when integrating BaaS code into the customer’s product. It’s the developer’s responsibility to fully utilize the solution’s security protocols, adding extra features if required.

If your project requires a solid BaaS base to build on, Acropolium is ready to lend you a hand. We’re prepared to handle any backend security challenges, integrate industry-standard solutions like Firebase, Parse, or AWS Amplify, or offer you our partner BaaS platform. And if necessary, we can create that frontend functionality you need.

Get in touch and let us help you achieve great time to market at unbeatable quality.