Identify security solutions for cloud environments
📘CompTIA Security+ (SY0-701)
Introduction to Cloud Service Models
According to NIST SP 800-145, cloud computing provides on-demand access to shared computing resources.
Cloud service models define what the cloud provider manages and what the customer manages.
The three cloud service models are:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Understanding these models is very important for security, because security responsibilities change depending on the service model.
Shared Responsibility Concept (Very Important for Exam)
In all cloud models:
- The cloud provider and the customer share security responsibilities
- As you move from IaaS → PaaS → SaaS, the provider manages more, and the customer manages less
This is often called the Shared Responsibility Model.
1. Software as a Service (SaaS)
Definition (NIST 800-145)
Software as a Service (SaaS) provides:
- Access to complete applications
- Applications are hosted and managed by the cloud provider
- Users access the software using a web browser or client application
The customer does not manage:
- Servers
- Operating systems
- Storage
- Application code
- Network infrastructure
What the Cloud Provider Manages (SaaS)
The cloud provider manages:
- Physical data centers
- Servers and storage
- Network infrastructure
- Virtualization layer
- Operating system
- Application software
- Application updates and patches
- High availability and scalability
What the Customer Manages (SaaS)
The customer manages:
- User accounts and identities
- Authentication (passwords, MFA)
- Authorization (who can access what)
- Data entered into the application
- Data classification and compliance
- Application configuration settings
SaaS Security Responsibilities
Provider security responsibilities:
- Infrastructure security
- OS and application patching
- Physical security
- Availability and uptime
- Backup and disaster recovery
Customer security responsibilities:
- Strong user authentication
- Access control policies
- Data protection and data privacy
- User activity monitoring
- Compliance with regulations
SaaS Key Security Characteristics (Exam Points)
- Least customer control
- Fast deployment
- Minimal configuration
- Security is mostly handled by the provider
- High dependency on the provider’s security controls
2. Platform as a Service (PaaS)
Definition (NIST 800-145)
Platform as a Service (PaaS) provides:
- A platform for developing, running, and managing applications
- Customers deploy their own applications
- The provider manages the underlying infrastructure
Customers do not manage servers or operating systems, but do manage applications.
What the Cloud Provider Manages (PaaS)
The cloud provider manages:
- Physical data centers
- Servers and storage
- Network infrastructure
- Virtualization
- Operating system
- Runtime environment
- Middleware
- Database engines
What the Customer Manages (PaaS)
The customer manages:
- Application code
- Application logic
- Application configuration
- Data used by the application
- User access to the application
PaaS Security Responsibilities
Provider security responsibilities:
- OS patching and hardening
- Platform availability
- Infrastructure security
- Runtime environment security
Customer security responsibilities:
- Secure application development
- Secure coding practices
- Application-level authentication
- Input validation
- Data protection
- Identity and access control
PaaS Key Security Characteristics (Exam Points)
- Medium level of control
- Focus on application security
- No need to manage OS or hardware
- Risk of insecure application code
- Security depends heavily on how applications are developed
3. Infrastructure as a Service (IaaS)
Definition (NIST 800-145)
Infrastructure as a Service (IaaS) provides:
- Basic computing resources such as:
  - Virtual machines
  - Storage
  - Networks
- Customers install and manage their own operating systems and software
This model offers the highest level of customer control.
What the Cloud Provider Manages (IaaS)
The cloud provider manages:
- Physical data centers
- Physical servers
- Storage hardware
- Network infrastructure
- Virtualization layer (hypervisor)
What the Customer Manages (IaaS)
The customer manages:
- Operating systems
- OS patching and hardening
- Installed applications
- Middleware
- Runtime environments
- Data
- Network security configurations
- Firewalls and security groups
- User access
IaaS Security Responsibilities
Provider security responsibilities:
- Physical security
- Hardware security
- Hypervisor security
- Infrastructure availability
Customer security responsibilities:
- OS security and patching
- Host-based firewalls
- IDS/IPS
- Application security
- Network segmentation
- Data encryption
- Identity and access management
IaaS Key Security Characteristics (Exam Points)
- Highest flexibility and control
- Highest customer security responsibility
- Similar to managing on-premises systems
- Requires strong security expertise
- Misconfiguration is a major risk
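
In IaaS the customer owns firewall and security group configuration, so checking those rules for misconfiguration is a customer task. The following is an added example, not part of the original study guide: it audits ingress rules for sensitive services left open to every source address. The rule format, group names and port list are hypothetical and provider-neutral; the sample rules are constructed.

```python
import ipaddress

# Ports that should not be reachable from the whole internet (illustrative list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample rules in a hypothetical, provider-neutral format.
SAMPLE_RULES = [
    {"group": "web-sg", "proto": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
    {"group": "web-sg", "proto": "tcp", "ports": (22, 22), "source": "0.0.0.0/0"},
    {"group": "db-sg", "proto": "tcp", "ports": (5432, 5432), "source": "10.0.1.0/24"},
    {"group": "db-sg", "proto": "tcp", "ports": (3000, 4000), "source": "::/0"},
    {"group": "mgmt-sg", "proto": "all", "ports": None, "source": "0.0.0.0/0"},
    {"group": "mgmt-sg", "proto": "tcp", "ports": (3389, 3389), "source": "203.0.113.7/32"},
]


def is_world_open(source):
    """True when the source CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def exposed_services(rule):
    """Return the sensitive services a rule exposes, or ['ALL'] for any-port rules."""
    if rule["proto"] == "all" or rule["ports"] is None:
        return ["ALL"]
    low, high = rule["ports"]
    return [name for port, name in sorted(SENSITIVE_PORTS.items()) if low <= port <= high]


def audit(rules):
    """List (group, source, services) for world-open rules reaching sensitive ports."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue
        services = exposed_services(rule)
        if services:
            findings.append((rule["group"], rule["source"], services))
    return findings


if __name__ == "__main__":
    for group, source, services in audit(SAMPLE_RULES):
        print(f"{group}: {source} can reach {', '.join(services)}")
```

The public HTTPS rule is not flagged, while the wide port range on `db-sg` is, because the range silently covers MySQL and RDP.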
Comparison Summary (Very Important for Exam)
| Feature | SaaS | PaaS | IaaS |
|---|---|---|---|
| User control | Very low | Medium | High |
| OS management | No | No | Yes |
| Application management | No | Yes | Yes |
| Infrastructure management | No | No | No |
| Security responsibility (customer) | Lowest | Medium | Highest |
| Deployment speed | Fastest | Fast | Slower |
| Flexibility | Low | Medium | High |
Security Relevance for Cisco 350-701 Exam
You must understand:
- Which security controls belong to the provider
- Which security controls belong to the customer
- How responsibility shifts between SaaS, PaaS, and IaaS
- Why misconfiguration is more common in IaaS
- Why identity and access management is critical in all models
Key Exam Takeaways
- SaaS = Provider manages almost everything
- PaaS = Provider manages platform, customer secures applications
- IaaS = Customer manages OS, applications, and security
- Security responsibility increases from SaaS → PaaS → IaaS
- NIST 800-145 clearly defines these models
