Cloud Computing Risks by Service Model
- Each service model also inherits the risks of each deployment model it is used with
Infrastructure as a Service (IaaS)
- customer has most control over their resources
- alleviates some concerns about trusting the cloud provider
- Risks:
  - Personnel threats
    - malicious or negligent insiders
    - have physical access to resources where customer’s data resides
  - External threats
    - malware, hacking, DDoS, on-path (man-in-the-middle)
  - Lack of specific skillsets
    - environment is administered by the customer
    - take on operational and security functions
    - may not have sufficient personnel with training and experience
Platform as a Service (PaaS)
- Includes risks in IaaS
- Risks:
  - Interoperability issues
    - OS is administered by provider
    - customer’s software may or may not function with each adjustment to the environment
  - Persistent backdoors
    - PaaS is often used for software development and DevOps
    - customer can install any software
    - often used as testing environment
    - devs may leave remote access methods installed after testing
  - Virtualization
    - PaaS uses VMs, so threats inherent to virtualization exist here
    - see section on virtualization
  - Resource sharing
    - programs and instances run on same hardware as other customers
    - risk of information bleed and side-channel attacks
Software as a Service (SaaS)
- Includes inherent risks in PaaS and IaaS
- Risks:
  - Proprietary formats
    - provider may use proprietary data formats that lead to vendor lock-in
    - decreases portability
  - Virtualization
    - virtualization risks are enhanced in SaaS
    - more resource sharing and simultaneous multitenancy occurs
  - Web application security
    - Typically use APIs
    - is an attack vector and risk