Cloud Security Models: IaaS, PaaS, SaaS, and Shared Responsibility

Cloud security covers the policies, controls, and technologies that protect cloud-based systems and data. The shared responsibility model defines which security tasks the cloud provider handles and which the customer handles.

Cloud Service Models

Infrastructure as a Service (IaaS) — provides virtualized computing resources over the internet. You manage the OS, applications, and data; the provider manages the physical infrastructure. Examples: AWS EC2, Microsoft Azure VMs, Google Compute Engine.

Platform as a Service (PaaS) — provides a platform for developing, running, and managing applications. You manage code and data; the provider manages the OS, runtime, and infrastructure. Examples: Heroku, AWS Elastic Beanstalk, Google App Engine.

Software as a Service (SaaS) — provides fully managed software applications accessed via a browser. You manage only your data and user configuration. Examples: Google Workspace, Office 365, Salesforce.

The key concept: as you move from IaaS to SaaS, the provider handles more of the security responsibilities and you have less control. For the Security+ exam, know which model gives you the most (IaaS) and least (SaaS) control.

  • IaaS: you manage OS, apps, data — provider manages hardware, networking, virtualization
  • PaaS: you manage apps and data — provider manages runtime, OS, infrastructure
  • SaaS: you manage data and users — provider manages everything else
  • IaaS = most customer control and responsibility; SaaS = least

The Shared Responsibility Model

In cloud computing, security is a shared responsibility between the provider and the customer. Exactly what each party is responsible for depends on the service model.

For IaaS: Provider handles physical security, network infrastructure, and hypervisor security. Customer handles OS patching, application security, network configuration, data encryption, and identity management.

For PaaS: Provider handles physical, network, hypervisor, and OS security. Customer handles application security, data encryption, and identity management.

For SaaS: Provider handles nearly everything. Customer handles data classification, user access, and client-side security.

Regardless of model, the customer is ALWAYS responsible for: data classification and accountability, user and identity management, and client-side/endpoint security.

  • Security responsibility shifts from customer to provider as you move IaaS → PaaS → SaaS
  • Customer is ALWAYS responsible for their own data and user access
  • Provider is ALWAYS responsible for physical security of data centers
  • Misconfiguration is the #1 cause of cloud data breaches (not provider failures)

Cloud Deployment Models

Public Cloud — resources are owned and operated by a third-party provider and shared across multiple tenants (organizations). Cost-effective and scalable, but less control over security.

Private Cloud — resources are used exclusively by one organization. Can be on-premises or hosted by a third party. More control over security and compliance, but higher cost.

Hybrid Cloud — combines public and private clouds, allowing data and applications to be shared between them. Offers flexibility — keep sensitive data in private cloud, run scalable workloads in public cloud.

Community Cloud — shared by several organizations with common concerns (compliance, security requirements). Often used in government, healthcare, and finance.

Multi-Cloud — using multiple public cloud providers (e.g., AWS + Azure) to avoid vendor lock-in.

  • Public: multi-tenant, cost-effective, less control
  • Private: single-tenant, more control and cost
  • Hybrid: best of both — sensitive data on private, scalable workloads on public
  • Community: shared by organizations with common requirements

Cloud Security Risks and Controls

Major cloud security risks include: misconfiguration (publicly accessible S3 buckets), insecure APIs, data breaches, insufficient identity management, account hijacking, and compliance violations.

Cloud security controls include: CASB (Cloud Access Security Broker: sits between users and cloud providers to enforce security policies), CSPM (Cloud Security Posture Management: continuously monitors cloud configurations for misconfigurations), IaC (Infrastructure as Code) security scanning (checking Terraform/CloudFormation templates for security issues), and CWPP (cloud workload protection platforms).

  • Misconfiguration is the #1 cloud security risk
  • CASB: intermediary enforcing security policies between users and cloud apps
  • CSPM: monitors cloud configurations against security benchmarks
  • Encryption: encrypt data at rest (AES-256) and in transit (TLS 1.3)
  • Cloud audits: review provider compliance certifications (SOC 2, ISO 27001)
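The misconfiguration risk and the IaC-scanning/CSPM controls described above, as an added example that is not part of the original notes: a small Python check in the style of an IaC scanner that flags an S3 bucket with a public canned ACL, an incomplete public-access block, or no default encryption at rest in a CloudFormation-style template. The two templates are constructed inline (a weak bucket beside its hardened form); the property names used are real AWS::S3::Bucket properties.

```python
# Added example (not from the notes): a minimal IaC/CSPM-style check that
# scans a CloudFormation-style template for the S3 misconfigurations the
# notes call out: public ACLs, missing public-access block, no encryption at rest.
from typing import Dict, List

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")


def scan_template(template: Dict) -> List[str]:
    """Return one finding string per S3 bucket issue; empty list if clean."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        acl = props.get("AccessControl")
        if acl in PUBLIC_ACLS:  # canned ACL that grants access to everyone
            findings.append(f"{name}: public ACL {acl}")
        block = props.get("PublicAccessBlockConfiguration", {})
        missing = [k for k in BLOCK_KEYS if not block.get(k)]
        if missing:  # any unset flag leaves a path to public exposure
            findings.append(f"{name}: public access block incomplete: {', '.join(missing)}")
        if "BucketEncryption" not in props:  # data at rest not encrypted by default
            findings.append(f"{name}: no default encryption at rest")
    return findings


# Constructed sample templates: the weak bucket beside its hardened form.
WEAK_TEMPLATE = {"Resources": {"LogsBucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {"AccessControl": "PublicRead"}}}}

HARDENED_TEMPLATE = {"Resources": {"LogsBucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}}}

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, scan_template(tpl) or ["no findings"])
```

Running it reports three findings for the weak template and none for the hardened one; a CSPM tool applies the same kind of rule continuously against the deployed account rather than against the template.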

Exam Tip

Know the service models IaaS/PaaS/SaaS in order of customer control (IaaS most, SaaS least). Shared responsibility: customer always owns data and users. CASB is the key cloud security control for the exam.