Service and deployment models easily explained

Cloud & cybersecurity: How to understand cloud’s forms in a damn easy, simple way — CyberForged

Good morning everyone! Today on CyberForged, we’re going to talk again about cloud and cybersecurity. To further dig into the topic, in this article we’re going to try to explain the different forms that cloud can take and the cybersecurity that applies to each of the forms. If you missed the first part of this series, you can find it here

But wait, what the fuck are those forms? You probably haven’t read the word “form” associated with the cloud ever, or at least not in many places. At Cyberforged we refer to the forms of the cloud both in terms of the different service models (IaaS, SaaS, PaaS, XaaX…) and the deployment models you can find (Public, Private, Community, or Hybrid). Each of these service and deployment models affects cybersecurity in a different way, so we have to take into account what our company/project needs in order to adopt what suits us best and, of course, protect it in the best way.

Shall we start?

Service models and how it affects the cybersecurity in the cloud

Very simplified: The service model is how we consume what we need from a provider. Is it a web page? Is it a console where I can log in and do administrative tasks? Is it a server 100% operable in the cloud? Each of these questions would result in one of the 3 main service models that exist.

SaaS (Software as a Service)

According to NIST:

“…The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”

This one is quite easy to identify: if the service we buy is accessed through a web page, it is a SaaS type. It is the service model in which the customer who buys the service has the least control over how the system works, but at the same time, it is the service model in which the customer has the least responsibility when it comes to looking at cybersecurity.

The customer has no control over the infrastructure (the physical server), nor over the operating system, and does not even have control over the operation of the application offered, so all this is the responsibility of the service provider to make it secure. In any case, we must emphasize that there is one thing that will always be the responsibility of the customer: The data and its governance. In other words, the customer will never be able to take full responsibility for the security of the data. Even if the provider suffers an attack, if the customer’s data were never there or the data hosted in the system were properly protected by the customer, nothing would ever happen, right? 😉

PaaS (Platform as a Service)

Let’s go back to NIST for a little help:

“The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.”

Let’s simplify it a lot: If the system allows you to upload applications created by yourself, you are looking at a PaaS type of service. If we compare this model to SaaS, we realize that, since the application is ours, we have control over it and its data, but at the same time it gives us more responsibility when it comes to cybersecurity. If we have some kind of vulnerability in our system, it will be our task to fix it so that it does not affect the system and we end up hacked.

As we can see, nothing comes without a price in terms of cybersecurity and control.

IaaS (Infrastructure as a Service)

NIST to the rescue:

“The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”

If we continue moving up the tower of responsibilities, we can see that IaaS is the model that leaves the most responsibility and control to the client. The customer is responsible for the data, applications, and even the operating system installed on the system. This means that he has a lot of flexibility to do with the system what he wants, but at the same time, it means that any vulnerabilities in the applications or in the operating system itself, it is the customer’s responsibility to fix them. Because of this, we can say that the cybersecurity in cloud deployments of type IaaS is the most complex of all.

This can add a lot of extra work to the DevOps team that should be studied before implementing an IaaS type system.

Cybersecurity, privacy, and cloud’s deployment models

By deployment models, we mean how the company/customer is going to use the cloud. In order to identify it, we should simply ask ourselves the following question

  • Can the services used by the customer be purchased by any other customer?
  • Does a customer’s data reside alongside other customer data in the same databases? (which of course is going to affect the privacy and cybersecurity in the cloud)
  • Are these services used by a single customer?
  • Do the services offered by the cloud have a single purpose, common to a group of customers?

Depending on the answers to the above questions, we will have one deployment model or another:

  • If the cloud services can be purchased by any customer, and the data of all clients reside together, logically separated but not physically, we are in a public cloud.
  • If the services are used by a single customer, we are in a private cloud.
  • If the services have a single purpose common to several customers, we are in a community cloud.

If the cloud has shared characteristics, we will say that it is a hybrid cloud. Simple, isn’t it?

So with this, we end today’s article about which are the most common service models and deployment models in today’s clouds and how it affects the cybersecurity in the cloud. Did you find it simple or do you have any questions? Let me know in the comments!

Originally published at on April 14, 2021.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store