Cloud Service Delivery Models

Three archetypal models and the derivative combinations thereof
generally describe cloud service delivery. The three individual models are
often referred to as the SPI model, where SPI refers to Software,
Platform and Infrastructure (as a service) respectively (CSA Security
Guidance, 2009).
Software as a Service (SaaS): The capability provided to the consumer
is to use the provider's applications running on a cloud infrastructure and
accessible from various client devices through a thin client interface such
as a web browser. In other words, in this model, a complete application is
offered to the customer as a service on demand. A single instance of the
service runs on the cloud and multiple end users are serviced. On the
customer's side, there is no need for upfront investment in servers or
software licenses, while for the provider, the costs are lowered, since
only a single application needs to be hosted and maintained. In summary, in
this model, the customers do not manage or control the underlying cloud
infrastructure, network, servers, operating systems, storage, or even
individual application capabilities, with the possible exception of limited
user-specific application configuration settings. Currently, SaaS is
offered by companies such as Google, Salesforce, Microsoft, Zoho etc.
Platform as a Service (PaaS): In this model, a layer of software or
development environment is encapsulated and offered as a service, upon
which other higher levels of service are built. The customer has the
freedom to build his own applications, which run on the provider's
infrastructure. Hence, a capability is provided to the customer to deploy
onto the cloud infrastructure customer-created applications using
programming languages and tools supported by the provider (e.g., Java,
Python, .Net etc.). Although the customer does not manage or control the
underlying cloud infrastructure, network, servers, operating systems, or
storage, he/she has control over the deployed applications and
possibly over the application hosting environment configurations. To meet
manageability and scalability requirements of the applications, PaaS
providers offer a predefined combination of operating systems and
application servers, such as LAMP (Linux, Apache, MySQL and PHP)
platform, restricted J2EE, Ruby etc. Some examples of PaaS are:
Google's App Engine, Force.com, etc.
Infrastructure as a Service (IaaS): This model provides basic storage
and computing capabilities as standardized services over the network.
Servers, storage systems, networking equipment, data center space etc.
are pooled and made available to handle workloads. The capability
provided to the customer is to rent processing, storage, networks, and
other fundamental computing resources where the customer is able to
deploy and run arbitrary software, which can include operating systems
and applications. The customer does not manage or control the underlying
cloud infrastructure but has control over operating systems, storage,
deployed applications, and possibly select networking components (e.g.,
firewalls, load balancers etc.). Some examples of IaaS are: Amazon,
GoGrid, 3Tera etc.

First on the list are data breaches. To illustrate the potential
magnitude of this threat, CSA pointed to a research paper from
last November describing how a virtual machine could use side-channel
timing information to extract private cryptographic keys in
use by other VMs on the same server. A malicious hacker wouldn't
necessarily need to go to such lengths to pull off that sort of feat,
though. If a multitenant cloud service database isn't designed
properly, a single flaw in one client's application could allow an
attacker to get at not just that client's data, but every other
client's data as well.
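
Added example (not part of the original text or the CSA report): a Python sketch of the multitenant design point above, using a constructed invoices table and hypothetical tenants "acme" and "globex". One forgotten tenant filter exposes every tenant's rows in a shared table, while the same query run against a session-scoped view returns only the caller's rows; SQLite stands in here for a database that enforces row-level policy.

```python
import sqlite3

# Constructed sample data: two hypothetical tenants sharing one table.
ROWS = [("acme", "alice", 120.0), ("acme", "bob", 80.0), ("globex", "carol", 999.0)]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (tenant_id TEXT NOT NULL, customer TEXT, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", ROWS)
    return db

def open_tenant_session(db, tenant_id):
    """Pin this connection to one tenant and expose a filtered view.

    SQLite has no per-user permissions, so the view only models what a
    database-enforced row-level policy would do for the application role.
    """
    db.execute("CREATE TEMP TABLE session_tenant (tenant_id TEXT NOT NULL)")
    db.execute("INSERT INTO session_tenant VALUES (?)", (tenant_id,))
    db.execute(
        "CREATE TEMP VIEW my_invoices AS "
        "SELECT i.customer, i.amount FROM main.invoices AS i "
        "JOIN temp.session_tenant AS s ON i.tenant_id = s.tenant_id"
    )

def report_fragile(db, tenant_id):
    # Design 1: isolation depends on every query remembering the tenant
    # filter. This code path forgot it, so all tenants' rows come back.
    return db.execute(
        "SELECT customer, amount FROM invoices ORDER BY customer").fetchall()

def report_scoped(db):
    # Design 2: the same forgetful query, but the only object the
    # application reads is the view already limited to the session tenant.
    return db.execute(
        "SELECT customer, amount FROM my_invoices ORDER BY customer").fetchall()

def demo():
    db = build_db()
    open_tenant_session(db, "acme")
    return report_fragile(db, "acme"), report_scoped(db)

if __name__ == "__main__":
    leaked, scoped = demo()
    print("shared table, filter forgotten:", leaked)
    print("session-scoped view:           ", scoped)
```
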
The second-greatest threat is data loss: the prospect of seeing
your valuable data disappear into the ether without a trace. A
malicious hacker might delete a target's data out of spite -- but
then, you could lose your data to a careless cloud service provider
or a disaster, such as a fire, flood, or earthquake. Compounding the
challenge, encrypting your data to ward off theft can backfire if
you lose your encryption key.
The third-greatest cloud computing security risk is account or
service traffic hijacking. Cloud computing adds a new threat to
this landscape, according to CSA. If an attacker gains access to
your credentials, he or she can eavesdrop on your activities and
transactions, manipulate data, return falsified information, and
redirect your clients to illegitimate sites. "Your account or services
instances may become a new base for the attacker. From here, they
may leverage the power of your reputation to launch subsequent
attacks," according to the report.
Fourth on the list of threats are insecure interfaces and APIs.
IT admins rely on interfaces for cloud provisioning, management,
orchestration, and monitoring. APIs are integral to security and
availability of general cloud services. From there, organizations and
third parties are known to build on these interfaces, injecting
add-on services. "This introduces the complexity of the new layered
API; it also increases risk, as organizations may be required to
relinquish their credentials to third parties in order to enable their
agency," the report notes.
The fifth-greatest security threat to cloud computing is denial
of service: DoS has been an Internet threat for years, but it
becomes more problematic in the age of cloud computing when
organizations are dependent on the 24/7 availability of one or more
services. DoS outages can cost service providers
customers and prove pricey to customers who are billed based on
compute cycles and disk space consumed. While an attacker may not
succeed in knocking out a service entirely, he or she "may still cause
it to consume so much processing time that it becomes too
expensive for you to run and you'll be forced to take it down
yourself," the report says.
No. 6 on the list is malicious insiders, which can be a current or
former employee, a contractor, or a business partner who gains
access to a network, system, or data for malicious purposes. In an
improperly designed cloud scenario, a malicious insider can wreak
even greater havoc. From IaaS to PaaS to SaaS, the malicious
insider has increasing levels of access to more critical systems and
eventually to data. In situations where a cloud service provider is
solely responsible for security, the risk is great. "Even if encryption
is implemented, if the keys are not kept with the customer and are
only available at data-usage time, the system is still vulnerable to
malicious insider attack," according to CSA.
Seventh on the list is cloud abuse, such as a bad guy using a cloud
service to break an encryption key too difficult to crack on a
standard computer. Another example might be a malicious hacker
using cloud servers to launch a DDoS attack, propagate malware, or
share pirated software. The challenge here is for cloud providers to
define what constitutes abuse and to determine the best processes
for identifying it.
Eighth on the list of top security threats to cloud computing is
insufficient due diligence; that is, organizations embrace the cloud
without fully understanding the cloud environment and associated
risks. For example, entering the cloud can generate contractual
issues with providers over liability and transparency. What's more,
operational and architectural issues can arise if a company's
development team isn't sufficiently familiar with cloud technologies
as it pushes an app to the cloud. CSA's basic advice is for
organizations to make sure they have sufficient resources and to
perform extensive due diligence before jumping into the cloud.
CSA has pegged shared technology vulnerabilities as the
ninth-largest security threat to cloud computing. Cloud service
providers share infrastructure, platforms, and applications to
deliver their services in a scalable way. "Whether it's the
underlying components that make up this infrastructure (e.g. CPU
caches, GPUs, etc.) that were not designed to offer strong isolation
properties for a multi-tenant architecture (IaaS), re-deployable
platforms (PaaS), or multi-customer applications (SaaS), the threat
of shared vulnerabilities exists in all delivery models," according to
the report.

The STRIDE Threat Model


When you are considering threats, it is useful to ask questions such as
these:
How can an attacker change the authentication data?
What is the impact if an attacker can read the user profile data?
What happens if access is denied to the user profile database?
You can group threats into categories to help you formulate these kinds
of pointed questions. One model you may find useful is STRIDE, derived
from an acronym for the following six threat categories:

Spoofing identity. An example of identity spoofing is illegally
accessing and then using another user's authentication information,
such as username and password.
Tampering with data. Data tampering involves the malicious
modification of data. Examples include unauthorized changes made
to persistent data, such as that held in a database, and the
alteration of data as it flows between two computers over an open
network, such as the Internet.
Repudiation. Repudiation threats are associated with users who
deny performing an action without other parties having any way to
prove otherwise; for example, a user performs an illegal operation
in a system that lacks the ability to trace the prohibited
operations. Nonrepudiation refers to the ability of a system to
counter repudiation threats. For example, a user who purchases an
item might have to sign for the item upon receipt. The vendor can
then use the signed receipt as evidence that the user did receive
the package.
Information disclosure. Information disclosure threats involve the
exposure of information to individuals who are not supposed to have
access to it, for example, the ability of users to read a file that
they were not granted access to, or the ability of an intruder to
read data in transit between two computers.
Denial of service. Denial of service (DoS) attacks deny service to
valid users, for example, by making a Web server temporarily
unavailable or unusable. You must protect against certain types of
DoS threats simply to improve system availability and reliability.
Elevation of privilege. In this type of threat, an unprivileged user
gains privileged access and thereby has sufficient access to
compromise or destroy the entire system. Elevation of privilege
threats include those situations in which an attacker has
effectively penetrated all system defenses and become part of the
trusted system itself, a dangerous situation indeed.