Cloud Deployment and Service Models

Cloud Deployment Models

A cloud deployment model defines how a service is owned and provided. It’s important to understand the different impacts each deployment model has on threats and vulnerabilities. Cloud deployment models can be broadly categorized as follows:

i. Public (or multi-tenant)?—?This model is offered over the Internet by cloud service providers (CSPs) to cloud users. Businesses can offer subscriptions or pay-as-you-go options, with lower-tier services often being free. Since resources are shared, there are risks related to performance and security. In multi-cloud setups, an organization uses services from multiple CSPs.

ii. Hosted Private?—?This model is hosted by a third party but used exclusively by one organization. It provides more security and better performance guarantees, but it also costs more.

iii. Private?—?In this model, the cloud infrastructure is entirely private and owned by the organization. One business unit may manage the cloud, while other units use it. With a private cloud, organizations have more control over privacy and security. This is often used for banking and government services, which require strict access controls. The cloud can be either on-premise or offsite. Onsite clouds usually offer better performance and fewer outages, while offsite facilities may provide better-shared access for users in different locations.

iv. Community?—?In this model, several organizations share the cost of either a hosted private or fully private cloud. This pooling of resources is typically done for shared needs like standardization or security policies.

Some cloud computing solutions use a mix of public, private, community, hosted, onsite, or offsite models. For example, a travel company may use a private cloud for most of the year but switch to a public cloud during peak times when higher usage is expected. Flexibility is a key benefit of cloud computing, but it’s essential to understand the risks, especially when moving data between private and public storage environments.

Cloud Service?Models

Besides the ownership model (like public, private, hybrid, or community), cloud services are often distinguished by how much complexity and pre-configuration they provide. These services are called “something as a service” or anything as a service (XaaS). The three most common types are infrastructure, software, and platform.

Infrastructure as a Service?(IaaS)

Infrastructure as a service (IaaS) is a way to quickly get IT resources like servers, load balancers, and storage components. Instead of buying these components and the internet connections they need, you rent them as needed from the service provider’s data centre. Examples of IaaS include Amazon Elastic Compute Cloud (aws.amazon.com/ec2 ), Microsoft Azure Virtual Machines (azure.microsoft.com/services/virtual-machines ), Oracle Cloud (oracle.com/cloud ), and OpenStack (openstack.org ).

Software as a?Service

Software as a Service (SaaS) is another model for providing software applications. Instead of buying software licenses for a certain number of users, a business can access software hosted on the supplier’s servers through a pay-as-you-go or lease plan (on-demand). The virtual infrastructure allows developers to create and launch applications much faster than before. These applications can be built and tested directly in the cloud, without needing to test and deploy them on individual client computers. Examples of SaaS include Microsoft Office 365 (microsoft.com/en-us/microsoft365/enterprise ), Salesforce (salesforce.com ), and Google G Suite (gsuite.google.com ).

Platform as a?Service

Platform as a Service (PaaS) offers resources that sit between SaaS and IaaS. A typical PaaS solution provides servers and storage like IaaS but also includes a multi-tier web application/database platform on top. This platform could use technologies like Oracle, MS SQL, or PHP with MySQL. Examples of PaaS include Oracle Database (oracle.com/database ), Microsoft Azure SQL Database (azure.microsoft.com/services/sql-database ), and Google App Engine (cloud.google.com/appengine ). Unlike SaaS, the platform in PaaS isn’t pre-configured to do specific tasks. Your developers have to create the software (such as a CRM or e-commerce app) that runs on the platform. The service provider takes care of the platform’s reliability and availability, but you’re responsible for securing the application you build on top of it.

Anything as a?Service

There are many other types of XaaS, showing that just about anything can be provided as a cloud service. For example, Database as a Service (DBaaS) and Network as a Service (NaaS) are specific types of Platform as a Service (PaaS). The main security concern with all these models is understanding who is responsible for what. This is often described as “security in the cloud” versus “security of the cloud.” Security in the cloud is what you are responsible for, like your applications and data. Security of the cloud is managed by the cloud service provider (CSP), like the underlying infrastructure.

Security as a?Service

The wide range of technologies that need specialized security knowledge means that companies will likely need third-party support at some point. This support can be grouped into three general “tiers”:

i. Consultants: The experience and perspective of a third-party expert can be very helpful for improving security awareness and capabilities in any organization, whether small or large. Consultants can be used for “big picture” analysis and alignment, or for specific, product-focused projects like pentesting or SIEM implementation. Costs are usually easier to control with consultants if they help develop capabilities rather than implementing them directly. However, if consultants take on full control of the security function, it can be challenging to end or change that relationship later.

ii. Managed Security Services Provider (MSSP): This type of service fully outsources the responsibility for information security to a third party. It’s an expensive option but can work well for small and medium enterprises (SMEs) that have grown quickly and don’t have in-house security expertise. Of course, this type of outsourcing requires a high level of trust in the MSSP. To effectively oversee the MSSP, you need good internal security awareness and expertise. It can also be difficult for industries with strict regulations regarding data processing to work with an MSSP.

iii. Security as a Service (SECaaS): SECaaS can mean different things but is usually different from an MSSP because it involves implementing a specific security control?—?like virus scanning or SIEM-like functionality?—?in the cloud. Typically, there is a connector installed locally to the cloud service. For example, an antivirus agent might scan files locally but is managed and updated through the cloud provider. Similarly, a log collector might send events to the cloud service for aggregation and analysis. Examples of SECaaS include Cloudflare (cloudflare.com/saas ), Mandiant/FireEye (fireeye.com/mandiant/managed-detection-and-response.html ), and SonicWall (sonicwall.com/solutions/service-provider/security-as-a-service ).

As a DevSecOps enthusiast, I hope you enjoy this article. In this column called “Mindful Monday Musings” here every Monday, I will share articles on Dev(Sec)Ops and Cloud. You can support M3 (aka Mindful Monday Musings) by following me and sharing your opinions. Please send me your contributions, criticisms, and comments, it would make me glad.