4.1.1. Cloud and Infrastructure Concepts
💡 First Principle: The cloud doesn't eliminate security responsibilities; it redistributes them between you and the cloud provider according to the shared responsibility model. What changes is who manages each layer, not whether it needs protection.
Responsibility matrix across service models:
| Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Data | You | You | You |
| Applications | You | You | Provider |
| Runtime | You | Provider | Provider |
| OS | You | Provider | Provider |
| Virtualization | Provider | Provider | Provider |
| Physical | Provider | Provider | Provider |
Hybrid considerations: most organizations use a mix of on-premises, public cloud, and private cloud. Hybrid architectures require consistent security policies across environments and secure connections between them (VPN, dedicated connections).
Third-party vendors introduce risk through API integrations, shared data, and access permissions. Vendor security must be assessed through contracts, SLAs, and regular audits.
Infrastructure as Code (IaC) defines infrastructure through code templates (Terraform, CloudFormation, ARM templates). IaC enables repeatable, auditable, version-controlled deployments. Security benefit: configuration drift is detectable because the code defines the expected state. Risk: secrets hardcoded in templates become vulnerabilities.
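The two IaC points above (drift detection against the declared state, and hardcoded secrets in templates) as an added example, not part of the original guide. The template, the live state, the property-name pattern, and both function names are constructed for illustration.

```python
import re

# Heuristic list of credential-like property names (an assumption of this sketch).
SECRET_KEY = re.compile(r"password|passwd|secret|token|api_?key", re.I)


def find_hardcoded_secrets(node, path=""):
    """Return paths of secret-like properties whose value is a literal string."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            # A dict value (e.g. {"Ref": ...}) or a dynamic reference is not a literal.
            literal = isinstance(value, str) and not value.startswith("{{resolve:")
            if SECRET_KEY.search(key) and literal:
                findings.append(here)
            findings.extend(find_hardcoded_secrets(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_hardcoded_secrets(item, f"{path}[{i}]"))
    return findings


def detect_drift(declared, live):
    """Return {property: (declared, live)} for every declared value that differs."""
    return {k: (v, live.get(k)) for k, v in declared.items()
            if not SECRET_KEY.search(k) and live.get(k) != v}  # secrets are not readable back


# Constructed CloudFormation-style template and live state (not from the page).
TEMPLATE = {"Resources": {
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "MasterUsername": "app",
        "MasterUserPassword": "Sup3rS3cret!",  # hardcoded literal: flagged
        "PubliclyAccessible": False,
        "StorageEncrypted": True}},
    "ReportDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
        # resolved from a secrets store at deploy time: not flagged
        "MasterUserPassword": "{{resolve:secretsmanager:report-db:SecretString:password}}",
        "StorageEncrypted": True}},
}}
LIVE_APPDB = {"MasterUsername": "app", "PubliclyAccessible": True, "StorageEncrypted": True}

if __name__ == "__main__":
    print(find_hardcoded_secrets(TEMPLATE))
    print(detect_drift(TEMPLATE["Resources"]["AppDb"]["Properties"], LIVE_APPDB))
```

The drift check reports `PubliclyAccessible` because the live value no longer matches the version-controlled template, which is the kind of out-of-band change the declared state makes visible.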
Serverless architectures eliminate server management but introduce new considerations: each function needs minimal permissions (least privilege), execution time should be limited, and dependencies must be scanned for vulnerabilities.
Microservices decompose applications into small, independently deployable services. Security implication: more services means more network connections to secure, but compromise of one service doesn't necessarily compromise all.
Containerization packages applications with their dependencies. Containers share the host OS kernel, which means container escape vulnerabilities can compromise the host. Container images must be scanned for vulnerabilities, pulled from trusted registries, and run with minimal privileges.
⚠️ Exam Trap: In IaaS, you're responsible for the OS and everything above it. In SaaS, you're only responsible for your data and access management. If a question asks who is responsible for patching the OS in a PaaS deployment, it's the provider, not you.
