Chapter 58 Β· Concepts

Cloud Infrastructure β€” Key Concepts

Quick-reference tables, responsibility matrices, architecture comparisons, and decision frameworks.

Shared Responsibility β€” Who Owns Each Layer

LayerOn-PremisesIaaSPaaSSaaS
Physical / data centerCustomerProviderProviderProvider
Network infrastructureCustomerProviderProviderProvider
Hypervisor / virtualizationCustomerProviderProviderProvider
Operating systemCustomerCustomerProviderProvider
Runtime / middlewareCustomerCustomerProviderProvider
ApplicationCustomerCustomerCustomerProvider
DataCustomerCustomerCustomerCustomer
Access managementCustomerCustomerCustomerCustomer

Bold rows are constant across all models β€” data and access management are always the customer's responsibility. No matter how much the provider manages, the customer owns who can access the data and what happens to it.

Cloud Deployment Model Comparison

Public Cloud
Shared infrastructure, multiple unrelated tenants. Provider manages all hardware. Broadest scalability, lowest cost. Multi-tenancy risk: logical isolation must be enforced by the provider. Examples: AWS, Azure, GCP.
Private Cloud
Dedicated to one organization. Can be on-premises (org-owned hardware) or hosted (provider hardware, org-exclusive). Maximum control and compliance fit. Higher cost. No multi-tenancy isolation concerns.
Community Cloud
Shared among organizations with common requirements (e.g., government agencies sharing FedRAMP infrastructure, healthcare orgs sharing HIPAA-compliant platform). Shared governance, shared trust relationship among members.
Hybrid Cloud
Combination of private + public (and/or community). Sensitive data on private; elastic workloads on public. Most operationally complex β€” requires secure interconnection, identity federation, and consistent policy enforcement across environments.

Hybrid Cloud Security Challenges

ChallengeRoot CauseMitigation
Inconsistent network protectionOn-premises uses physical firewall rules; cloud uses virtual security groups β€” different systems, different syntax, different teamsUnified security policy document; explicit mapping of on-prem rules to cloud security group equivalents; periodic audit comparing both
Authentication managementOn-premises AD and cloud IAM are separate systems with separate credentials by defaultIdentity federation (SAML/OIDC/OAuth) linking AD to cloud IAM; single sign-on; centralized MFA enforcement; automatic account disable propagation
Diverse monitoring systemsOn-prem SIEM receives on-prem logs; cloud logs stored in provider's proprietary service (CloudTrail, Azure Monitor) in different formatsCloud log export to SIEM; normalized log format; unified SOC visibility across both environments; cross-environment correlation rules
Data transfer riskData moving between private and public environments traverses public internet without dedicated connectionAWS Direct Connect / Azure ExpressRoute (dedicated private circuit); encryption of all data in transit; data classification policy limiting which data can traverse the boundary

IaC Security β€” Benefits vs. Risks

Security Benefits
  • Version control β€” every infrastructure change tracked and attributed
  • Code review β€” security review before deployment, not after
  • Consistency β€” dev/staging/production environments identical
  • Configuration drift prevention β€” code wins over manual changes
  • Repeatability β€” disaster recovery means running the template
  • Audit trail β€” git history shows who changed what and when
Security Risks
  • Secrets hardcoded in templates β†’ exposed in version control
  • Misconfigurations deploy at scale β€” one error affects every environment
  • Compromised IaC repo = infrastructure control for the attacker
  • Overly permissive IAM roles defined in templates
  • Misconfigured security groups opened too broadly
  • No IaC template scanning = misconfigurations reach production

Serverless Security Model β€” Customer Responsibilities

Responsibility AreaOwnerRisk if Neglected
Physical hardware, hypervisor, OS, runtime, scalingProviderN/A β€” provider's problem
Function code security (injection, auth, logic)CustomerExploitable vulnerability in function code regardless of infrastructure security
IAM permissions on the functionCustomerOver-privileged function β€” attacker who exploits function inherits its permissions (may include full account access)
Input validation (event payloads)CustomerEvent injection β€” malicious trigger payload causes unintended function behavior
Secrets management (no hardcoding)CustomerAPI keys/passwords in deployment package accessible to anyone who can view function code or logs
Third-party library securityCustomerVulnerable dependency compromises function even if function code itself is secure

Monolith vs. Microservices β€” Security Comparison

DimensionMonolithMicroservices
Breach impactA breach in any component potentially exposes all functionality and dataA breach in one service is isolated β€” attacker must separately compromise each service they want to reach
PatchingSecurity fix requires full application deploymentVulnerable service patched and redeployed independently
Credentials/permissionsAll components typically share one credential set with broad permissionsEach service has its own credential with only the permissions it needs (least privilege per service)
Internal communicationIn-process function calls β€” no network attack surface between componentsNetwork API calls between services β€” each call is an attack surface requiring authentication, authorization, and input validation
Attack surfaceSingle application with one entry pointMany services with many API endpoints β€” larger attack surface requiring consistent API security across all
Failure isolationOne component crashing can take down the entire applicationFailure in one service does not cascade (if designed for resilience)

Vendor Risk Assessment Lifecycle

PHASE 1 Β· PRE-CONTRACT
SOC 2 Type II report review; ISO 27001 certification; penetration test results; vulnerability disclosure policy; data handling practices; sub-processor chain
PHASE 2 Β· CONTRACT
SLA commitments; breach notification timeline (must meet regulatory minimums β€” GDPR: 72h); right-to-audit clause; data residency requirements; data deletion on termination; liability terms
PHASE 3 Β· ONGOING
Annual re-assessment; monitoring for announced vendor incidents; tracking certification renewals; reviewing access scope changes; SIEM alerts for anomalous vendor activity
PHASE 4 Β· INCIDENT
Vendor escalation contacts in IR plan; defined responsibility split when vendor is the source; tabletop exercises including vendor scenarios; communication plan for customer data breach via vendor