Cloud Service Provider Security Models — Secure In Security
Cybersecurity & Information Security
Introduction to Cloud Security
Learning Objectives
Upon completing this module, learners will be able to: (1) Define cloud computing and its core service delivery models; (2) Explain key cybersecurity concepts as applied to cloud environments; (3) Identify the primary security differences between traditional on-premises IT and cloud-based infrastructure; (4) Recognize the major cloud service providers and their security postures.

What Is Cloud Computing?

Cloud computing is the delivery of computing services — including servers, storage, databases, networking, software, analytics, and intelligence — over the internet (‘the cloud’) to offer faster innovation, flexible resources, and economies of scale. Rather than owning and maintaining physical data centers and servers, organizations can access technology services on an as-needed basis from a cloud provider.

Core Characteristics (NIST SP 800-145)

  • On-demand self-service — consumers provision computing capabilities without requiring human interaction with each service provider.
  • Broad network access — capabilities are available over the network and accessed through standard mechanisms.
  • Resource pooling — provider resources serve multiple consumers using a multi-tenant model.
  • Rapid elasticity — capabilities can be elastically provisioned and released to scale with demand.
  • Measured service — cloud systems automatically control and optimize resource use by leveraging metering capabilities.

Why Cloud Security Matters

Organizations are migrating critical workloads, intellectual property, and sensitive customer data to cloud environments at an accelerating pace. With this migration comes a fundamental shift in security responsibilities and threat exposure. The 2024 Cloud Security Alliance (CSA) State of Cloud Security report found that 81% of organizations experienced at least one cloud security incident in the prior 12 months, highlighting the critical importance of understanding cloud security models.

Key Security Differences: Cloud vs. On-Premises

Dimension | Key Distinction
Perimeter | Traditional network perimeter dissolves; identity becomes the new perimeter in cloud.
Control | Physical hardware control is relinquished; logical controls and APIs become primary security mechanisms.
Visibility | Log aggregation and monitoring require deliberate architecture; native cloud tools essential.
Elasticity | Attack surface expands and contracts dynamically; security must scale automatically.
Multi-tenancy | Shared underlying infrastructure introduces data isolation and side-channel attack concerns.
Configuration | Misconfiguration is the leading cause of cloud breaches; security posture management critical.

Major Cloud Service Providers

Three hyperscalers dominate the global cloud market and each maintains extensive security programs, certifications, and tools:

Provider | Security Platform / Tools | Key Security Certifications
AWS | AWS Security Hub, GuardDuty, Inspector, Macie, IAM, CloudTrail, Shield | FedRAMP, ISO 27001, SOC 1/2/3, PCI DSS, HIPAA, DoD IL2–IL6
Microsoft Azure | Microsoft Defender for Cloud, Sentinel, Azure Policy, Entra ID, Monitor | FedRAMP High, ISO 27001/27018, SOC 1/2/3, HIPAA, HITRUST
Google Cloud | Security Command Center, Chronicle SIEM, Cloud Armor, BeyondCorp, IAP | FedRAMP High, ISO 27001, SOC 1/2/3, PCI DSS, HIPAA
Cloud Service Models & Security Implications
Learning Objectives
Upon completing this module, learners will be able to: (1) Distinguish between IaaS, PaaS, SaaS, and emerging XaaS models; (2) Analyze the security implications unique to each service model; (3) Apply the correct security controls framework based on the service model in use; (4) Evaluate the tradeoffs between flexibility and security responsibility across models.

Infrastructure as a Service (IaaS)

IaaS provides virtualized computing resources over the internet. The provider manages physical hardware, networking, and virtualization. The customer controls operating systems, middleware, runtime, data, and applications.

IaaS Security Responsibilities (Customer)

  • Operating system hardening, patching, and lifecycle management
  • Network security groups, firewall rules, and virtual network configuration
  • Identity and access management for workloads and administrators
  • Endpoint protection and anti-malware on virtual machines
  • Data encryption at rest and in transit
  • Backup, recovery, and business continuity planning
IaaS Examples
Amazon EC2, Microsoft Azure Virtual Machines, Google Compute Engine, DigitalOcean Droplets

Platform as a Service (PaaS)

PaaS provides a platform allowing customers to develop, run, and manage applications without managing the underlying infrastructure. The provider manages the runtime, middleware, OS, virtualization, servers, storage, and networking.

PaaS Security Responsibilities (Customer)

  • Application code security and secure development lifecycle (SDLC)
  • Application-level access controls and authentication mechanisms
  • Input validation and protection against OWASP Top 10 vulnerabilities
  • Secrets management (API keys, connection strings, certificates)
  • Data classification and protection within the application

PaaS Security Considerations (Shared)

  • Platform API security and service endpoint protection
  • Dependency and library vulnerability management
  • Logging, monitoring, and alerting integration
PaaS Examples
AWS Elastic Beanstalk, Azure App Service, Google App Engine, Heroku, Salesforce Platform

Software as a Service (SaaS)

SaaS delivers software applications over the internet, on-demand and typically on a subscription basis. The provider manages the entire stack from infrastructure through the application; the customer primarily manages data, user access, and configuration.

SaaS Security Responsibilities (Customer)

  • User provisioning, deprovisioning, and access governance
  • Data governance — what data is stored, how it is classified, and retention policies
  • Single Sign-On (SSO) and Multi-Factor Authentication (MFA) configuration
  • Third-party integration and OAuth permission scoping
  • Data Loss Prevention (DLP) policy configuration where available
  • Vendor risk assessment and supply chain security review
SaaS Examples
Microsoft 365, Salesforce, Google Workspace, ServiceNow, Slack, Zoom, Workday

Shared Responsibility Model

The shared responsibility model is the foundational security framework in cloud computing. It delineates which security obligations belong to the cloud provider and which belong to the customer. Failure to understand this boundary is one of the most significant causes of cloud security incidents.

Responsibility Area | On-Premises | IaaS | PaaS | SaaS
Data & Content | Customer | Customer | Customer | Customer
Applications | Customer | Customer | Customer / Shared | Provider
Runtime / Middleware | Customer | Customer | Provider | Provider
Operating System | Customer | Customer | Provider | Provider
Virtualization | Customer | Provider | Provider | Provider
Servers / Storage / Net. | Customer | Provider | Provider | Provider
Physical Security | Customer | Provider | Provider | Provider
Critical Insight: The Responsibility Gap
Many breaches occur not because either party failed in their defined responsibilities, but because customers assume the provider handles more than they actually do. Always verify responsibility boundaries in the provider’s official Shared Responsibility documentation and incorporate them into your security governance program.
Identity & Access Management in the Cloud
Learning Objectives
Upon completing this module, learners will be able to: (1) Explain why identity is the new security perimeter; (2) Implement least privilege and zero trust principles in cloud IAM; (3) Configure multi-factor authentication and federated identity; (4) Identify and remediate common IAM misconfigurations.

Identity as the New Perimeter

In traditional IT, the network perimeter (firewalls, DMZs) provided a clear security boundary. Cloud computing dissolves this perimeter — resources are accessed from anywhere, by any device, over the public internet. Identity becomes the primary control plane. Compromised credentials are now the leading initial attack vector in cloud breaches.

Core IAM Concepts

Concept | Definition
Authentication (AuthN) | Verifying the identity of a user or system. Answers: ‘Who are you?’
Authorization (AuthZ) | Determining what an authenticated identity is permitted to do. Answers: ‘What can you do?’
Principle of Least Privilege | Grant only the minimum permissions required to perform a specific task.
Zero Trust | Never implicitly trust; always verify — regardless of network location or prior authentication.
Federation | Allowing external identity providers (e.g., Azure AD, Okta) to authenticate users for cloud services.
Service Account / Role | Non-human identity assigned to applications or services to access cloud resources.

Multi-Factor Authentication (MFA)

MFA requires users to provide two or more verification factors to gain access. It is one of the most effective controls against credential-based attacks. Industry data consistently shows MFA blocks over 99% of automated account attacks.

MFA Factor Types

  • Something you know — password, PIN, security question
  • Something you have — hardware token (YubiKey), TOTP app (Google Authenticator, Authy), SMS code
  • Something you are — fingerprint, facial recognition, iris scan (biometrics)
Best Practice
Require MFA for ALL privileged accounts (administrators, root, break-glass accounts). Enforce MFA at the identity provider level, not just the application level. Phishing-resistant MFA (FIDO2/WebAuthn) is strongly preferred over SMS-based MFA.

Common IAM Misconfigurations

IAM misconfigurations are consistently the leading source of cloud security incidents. The following are the most prevalent:

  • Overly permissive policies — use of wildcards (*) in IAM policies granting excessive permissions
    Mitigation: Regular access reviews, AWS IAM Access Analyzer, Azure Permissions Management
  • Unused credentials — dormant accounts, old API keys, unused roles still attached to resources
    Mitigation: Credential rotation enforcement, lifecycle management, automated deprovisioning
  • Missing MFA on root/administrator accounts
    Mitigation: Enforce MFA via Conditional Access policies or Service Control Policies (SCPs)
  • Publicly exposed cloud storage — S3 buckets, Azure Blob containers without ACL controls
    Mitigation: Block public access at the account/organization level, enable CSPM scanning
  • Hard-coded credentials in source code or container images
    Mitigation: Secrets management tools (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
Cloud Threat Landscape & Attack Vectors
Learning Objectives
Upon completing this module, learners will be able to: (1) Identify the top threats to cloud environments per the CSA Egregious Eleven; (2) Explain cloud-specific attack techniques including cloud hopping, cryptojacking, and SSRF; (3) Map threats to mitigations using the MITRE ATT&CK Cloud matrix; (4) Implement detective controls to identify active threats.

Top Cloud Security Threats

The Cloud Security Alliance (CSA) Pandemic Eleven identifies the most critical threats facing cloud environments:

# | Threat | Description | Severity
1 | Insufficient IAM | Weak or misconfigured identity controls allowing unauthorized access to cloud resources. | Critical
2 | Insecure Interfaces/APIs | Exposed or poorly secured APIs that can be exploited to access or manipulate cloud resources. | Critical
3 | Misconfiguration | Improperly configured cloud services exposing data or enabling lateral movement. | Critical
4 | Lack of Cloud Architecture Strategy | Ad-hoc cloud adoption without a governance or security architecture framework. | High
5 | Account Hijacking | Credential theft enabling attackers to take over cloud accounts and access all associated resources. | Critical
6 | Insider Threats | Malicious or negligent employees with cloud access causing data theft or sabotage. | High
7 | Advanced Persistent Threats | Sophisticated attackers establishing persistent footholds within cloud environments. | High
8 | Data Breaches | Unauthorized access to sensitive data stored in cloud services. | Critical
9 | Limited Cloud Visibility | Insufficient monitoring and logging preventing detection and response to incidents. | High
10 | Abuse of Cloud Services | Criminals using cloud resources for cryptojacking, phishing infrastructure, malware hosting. | Medium
11 | Supply Chain Vulnerabilities | Compromised third-party services, libraries, or providers used within cloud environments. | High

Cloud-Specific Attack Techniques

Attack Technique: Cryptojacking

Attackers compromise cloud accounts to deploy cryptocurrency mining software, running at the victim’s expense. This is often the first malicious action after IAM credential theft due to ease of execution and financial gain.

  • Detection: Sudden spike in compute costs, unexpected EC2/VM instances, unusual API calls (RunInstances, CreateVM)
  • Prevention: Budget alerts, cost anomaly detection, least-privilege IAM for instance creation

Attack Technique: Server-Side Request Forgery (SSRF)

SSRF exploits vulnerable web applications to make server-side HTTP requests to internal resources. In cloud environments, this is particularly dangerous because the Instance Metadata Service (IMDS) is accessible at 169.254.169.254 and can return temporary credentials.

  • Detection: Unusual HTTP requests to metadata IPs, credential usage from unexpected locations
  • Prevention: IMDSv2 enforcement (token-required requests), WAF rules blocking metadata IP access from applications
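
To check the IMDSv2 prevention item above across a fleet, the following added example (not part of the original course material) audits JSON shaped like `aws ec2 describe-instances` output. The instance IDs and the severity labels are constructed for illustration.

```python
# Constructed sample shaped like `aws ec2 describe-instances` JSON output;
# the instance IDs are placeholders.
SAMPLE_DESCRIBE_OUTPUT = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaaaaaaaaaaaaaa2",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa3",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 3}},
            {"InstanceId": "i-0aaaaaaaaaaaaaaa4",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaaaaaaaaaaaaaa5"},  # record without MetadataOptions
        ]},
    ]
}


def audit_imds(describe_output):
    """Return (instance_id, severity, issue) for instances not enforcing IMDSv2."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst.get("InstanceId", "<unknown>")
            opts = inst.get("MetadataOptions")
            if opts is None:
                findings.append((iid, "UNKNOWN", "no MetadataOptions in record; verify manually"))
                continue
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service is off, so there is nothing to reach
            if opts.get("HttpTokens") != "required":
                findings.append((iid, "HIGH", "IMDSv1 allowed: token-less requests are accepted"))
            elif opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((iid, "REVIEW",
                                 "hop limit > 1: token response can travel past the host "
                                 "(expected only for container workloads)"))
    return findings


if __name__ == "__main__":
    for iid, severity, issue in audit_imds(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{severity:8} {iid}: {issue}")
```

Instances reported as HIGH can be moved to token-required mode with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`.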

Attack Technique: Cloud Hopping / Lateral Movement

Once an attacker gains access to one cloud resource, they use it as a pivot point to access additional resources, accounts, or connected on-premises systems.

  • Detection: Unusual AssumeRole calls, cross-account access from unexpected sources, CloudTrail anomalies
  • Prevention: Strict trust policies for cross-account roles, AWS Organizations SCPs, conditional access policies
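
The detection bullets for cryptojacking (unexpected RunInstances activity) and for lateral movement (unusual AssumeRole calls) can be expressed as rules over CloudTrail records. This is an added example, not part of the original course material; the events are constructed and simplified, and the region allowlist, trusted accounts and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline for this example; tune to your own environment.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
TRUSTED_ACCOUNTS = {"111122223333", "444455556666"}
BURST_THRESHOLD = 5                     # instances per principal inside the window
BURST_WINDOW = timedelta(minutes=10)

def _event(time, name, region, account, arn, params, recipient="111122223333"):
    """Build a simplified CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "recipientAccountId": recipient, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "accountId": account, "arn": arn}}

def _run(count):
    return {"instancesSet": {"items": [{"minCount": count, "maxCount": count}]}}

ALICE = "arn:aws:iam::111122223333:user/dev-alice"
CI = "arn:aws:iam::111122223333:user/ci-deployer"
ROLE = {"roleArn": "arn:aws:iam::111122223333:role/ops-admin"}
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "RunInstances", "us-east-1", "111122223333", CI, _run(2)),
    _event("2024-05-01T10:02:00Z", "RunInstances", "ap-southeast-2", "111122223333", ALICE, _run(4)),
    _event("2024-05-01T10:05:00Z", "RunInstances", "ap-southeast-2", "111122223333", ALICE, _run(4)),
    _event("2024-05-01T10:07:00Z", "AssumeRole", "us-east-1", "999900001111",
           "arn:aws:iam::999900001111:user/unknown", ROLE),
    _event("2024-05-01T10:09:00Z", "AssumeRole", "us-east-1", "444455556666",
           "arn:aws:iam::444455556666:role/partner-ci", ROLE),
]

def _launch_count(event):
    items = event["requestParameters"].get("instancesSet", {}).get("items", [])
    return sum(int(item.get("maxCount", 1)) for item in items) or 1

def detect(events):
    """Return alert tuples (kind, subject, detail) in event-time order."""
    alerts = []
    launches = defaultdict(list)        # principal ARN -> [(time, instance count)]
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who = ev["userIdentity"]
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["eventName"] == "RunInstances":
            if ev["awsRegion"] not in APPROVED_REGIONS:
                alerts.append(("UNAPPROVED_REGION_LAUNCH", who["arn"], ev["awsRegion"]))
            history = launches[who["arn"]]
            history.append((when, _launch_count(ev)))
            recent = sum(n for t, n in history if when - t <= BURST_WINDOW)
            if recent >= BURST_THRESHOLD:
                alerts.append(("LAUNCH_BURST", who["arn"], recent))
        elif ev["eventName"] == "AssumeRole" and who.get("type") != "AWSService":
            caller = who.get("accountId")
            # Cross-account call from an account that is not on the trusted list.
            if caller != ev["recipientAccountId"] and caller not in TRUSTED_ACCOUNTS:
                alerts.append(("UNTRUSTED_CROSS_ACCOUNT_ASSUME", caller,
                               ev["requestParameters"].get("roleArn")))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
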
Compliance Frameworks & Regulatory Requirements
Learning Objectives
Upon completing this module, learners will be able to: (1) Map major compliance frameworks to cloud security controls; (2) Explain how cloud providers support compliance through certifications and audit artifacts; (3) Implement cloud security policies aligned to NIST, ISO 27001, and SOC 2; (4) Conduct a cloud vendor risk assessment using established methodologies.

Key Compliance Frameworks

NIST Cybersecurity Framework (CSF) 2.0

The NIST CSF provides a voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity risk. The 2.0 update adds a Govern function:

  • GOVERN (GV) — Establish and monitor organizational cybersecurity strategy, expectations, and policy
  • IDENTIFY (ID) — Develop understanding of systems, assets, data, and risks
  • PROTECT (PR) — Implement appropriate safeguards to ensure delivery of services
  • DETECT (DE) — Implement activities to identify cybersecurity events
  • RESPOND (RS) — Take action regarding detected cybersecurity incidents
  • RECOVER (RC) — Maintain resilience and restore capabilities affected by incidents

ISO/IEC 27001 & 27017

ISO 27001 is the international standard for Information Security Management Systems (ISMS). ISO 27017 extends 27001 with cloud-specific controls, providing additional guidance on:

  • Shared roles and responsibilities between cloud provider and customer
  • Removal and return of assets at contract termination
  • Protection and separation of virtual environments
  • Virtual machine hardening
  • Administrative operations and procedures in cloud environments

SOC 2 Type II

SOC 2 is an auditing procedure developed by the AICPA that ensures service providers securely manage data to protect the interests of the organization and the privacy of its clients. Type II reports cover operational effectiveness over a period (typically 6–12 months) across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by U.S. federal agencies. FedRAMP authorizations (Low, Moderate, High) signal the sensitivity level of federal data the system may host.

Compliance Mapping to Cloud Controls

Control Domain | NIST CSF 2.0 | ISO 27001/27017 | SOC 2 TSC
Access Control | PR.AA (Protect: Identity Mgmt) | A.9 / CLD.9 | CC6.1 – Logical Access
Incident Response | RS.MA (Respond: Mgmt) | A.16 | CC7.3 – Incident Response
Encryption | PR.DS (Protect: Data Security) | A.10 / CLD.13 | CC6.7 – Data in Transit/Rest
Vulnerability Mgmt | ID.RA (Identify: Risk Assessment) | A.12.6 | CC7.1 – Vulnerability Mgmt
Logging & Monitoring | DE.AE (Detect: Anomalies) | A.12.4 / CLD.12.4 | CC7.2 – Monitoring
Change Management | PR.IP (Protect: Processes) | A.12.1 | CC8.1 – Change Management
Cloud Security Best Practices & Architecture
Learning Objectives
Upon completing this module, learners will be able to: (1) Design a secure cloud architecture using defense-in-depth; (2) Implement a Cloud Security Posture Management (CSPM) program; (3) Apply data protection and encryption best practices; (4) Build and exercise a cloud-specific incident response plan.

Defense-in-Depth for Cloud

Defense-in-depth applies multiple layers of security controls across the cloud stack, ensuring that a failure in one layer does not lead to a total compromise.

Layer | Controls & Best Practices
Data | Encryption at rest (AES-256) and in transit (TLS 1.2+), DLP policies, data classification, key management (HSM/KMS)
Application | Secure SDLC, DAST/SAST scanning, WAF, API gateway with auth, dependency scanning, container image signing
Identity | MFA, least privilege IAM, PAM solution, just-in-time access, federated SSO, privileged identity management
Endpoint / Workload | EDR on VMs, container security scanning, runtime protection, patch management, hardened OS baselines
Network | VPC/VNET segmentation, security groups, NACLs, Private Link/Endpoints, micro-segmentation, DDoS protection
Infrastructure | CSPM tool, CIS Benchmarks, Infrastructure as Code (IaC) scanning, immutable infrastructure patterns
Physical | Provider responsibility — verify via certifications (SOC 2, ISO 27001), site audit rights, compliance attestations

Cloud Security Posture Management (CSPM)

CSPM tools continuously monitor cloud environments for security misconfigurations, compliance violations, and risky exposure. They are a critical component of any mature cloud security program.

Core CSPM Capabilities

  • Continuous visibility across multi-cloud environments (AWS, Azure, GCP)
  • Automated compliance checking against CIS Benchmarks, NIST, PCI DSS, HIPAA
  • Detection and remediation of misconfigured resources (open S3 buckets, exposed ports, public snapshots)
  • Security score / cloud security benchmark reporting
  • Auto-remediation workflows via Lambda functions, Azure Functions, or playbooks
Leading CSPM Tools
AWS Security Hub, Microsoft Defender for Cloud, Google Security Command Center, Wiz, Orca Security, Lacework, Prisma Cloud (Palo Alto Networks)

Data Protection & Encryption

Encryption Key Management

Who controls the encryption keys determines who ultimately controls access to your data. Three key management models exist in cloud:

Provider-Managed Keys (PMK)
Provider manages all key operations. Simplest but least control.
Customer-Managed Keys (CMK)
Customer manages keys within the provider’s KMS (AWS KMS, Azure Key Vault). Balanced control.
Customer-Held Keys (BYOK/HYOK)
Customer manages keys entirely outside the provider’s infrastructure. Maximum control, maximum complexity.
Principle
For regulated data (PII, PHI, financial records), always use Customer-Managed Keys at minimum. The provider’s infrastructure cannot be subpoenaed for customer-held keys.

Cloud Incident Response

Cloud incident response requires significant adaptations from traditional IR processes. Speed of containment is amplified by cloud’s API-driven control plane.

Cloud IR Playbook — Core Steps

  • Preparation
    Maintain IR runbooks, pre-authorize response roles, configure CloudTrail/Activity Log retention, test playbooks quarterly
  • Detection & Analysis
    Use SIEM/cloud-native detection, triage alerts by severity, preserve logs immediately (logs may auto-expire)
  • Containment
    Isolate compromised resources (security group deny-all), revoke IAM credentials, snapshot affected instances for forensics
  • Eradication
    Remove malware, terminate unauthorized resources, rotate all potentially exposed credentials, patch vulnerabilities
  • Recovery
    Restore from known-good snapshots, verify integrity, re-enable services incrementally, monitor closely
  • Post-Incident Activity
    Root cause analysis, lessons learned, update controls and runbooks, report per regulatory requirements
Glossary of Key Terms
Term | Definition
CASB | Cloud Access Security Broker — security policy enforcement point between users and cloud service providers.
CNAPP | Cloud-Native Application Protection Platform — unified platform combining CSPM, CWPP, and CIEM capabilities.
CSPM | Cloud Security Posture Management — tools that identify misconfiguration and compliance risks in cloud environments.
CWPP | Cloud Workload Protection Platform — security for workloads (VMs, containers, serverless) running in cloud.
IAM | Identity and Access Management — framework of policies and controls for managing digital identities and access.
IaC | Infrastructure as Code — provisioning infrastructure through machine-readable configuration files rather than manual processes.
IMDSv2 | Instance Metadata Service v2 — session-oriented method to access EC2 metadata that mitigates SSRF attacks.
KMS | Key Management Service — managed service for creating and controlling cryptographic keys for data encryption.
MFA | Multi-Factor Authentication — authentication method requiring two or more verification factors.
SIEM | Security Information and Event Management — tool for real-time analysis of security alerts from applications and hardware.
SCP | Service Control Policy — in AWS Organizations, guardrails limiting actions available to accounts within the organization.
SSRF | Server-Side Request Forgery — attack where an attacker causes the server to make HTTP requests to unintended locations.
VPC | Virtual Private Cloud — logically isolated virtual network within a cloud provider’s infrastructure.
Zero Trust | Security model that assumes no implicit trust; requires verification of every user and device attempting access.

References & Further Reading

  • NIST SP 800-145: The NIST Definition of Cloud Computing
  • NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
  • NIST Cybersecurity Framework 2.0 (csrc.nist.gov/projects/cybersecurity-framework)
  • CSA Cloud Controls Matrix (CCM) v4 (cloudsecurityalliance.org)
  • CSA Top Threats to Cloud Computing: Pandemic Eleven
  • ISO/IEC 27001:2022 — Information Security Management Systems
  • ISO/IEC 27017:2015 — Code of Practice for Information Security Controls for Cloud Services
  • CIS Benchmarks for AWS, Azure, and GCP (cisecurity.org/cis-benchmarks)
  • MITRE ATT&CK Cloud Matrix (attack.mitre.org/matrices/enterprise/cloud)
  • FedRAMP Program Documentation (fedramp.gov)
  • AWS Well-Architected Framework: Security Pillar
  • Microsoft Azure Security Benchmark v3
  • Google Cloud Security Foundations Guide