EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityNISTIaaSPaaS

Cloud Computing Fundamentals & Service Models

From the NIST five essential characteristics to IaaS, PaaS, SaaS and beyond — the building blocks every cloud security practitioner must understand before touching a single control.

Ashish Revar3 July 202612 min read8 views
Quick Bite

⚡ Quick Bite · 20s

Cloud IAM Explained: Your New Security Perimeter

Identity IS the new perimeter — IAM and the principle of least privilege as the foundation of Zero Trust cloud architecture.

Watch this 20-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

What Cloud Computing Actually Is

The National Institute of Standards and Technology (NIST) defines cloud computing in SP 800-145 as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction." That sentence is dense, so let us unpack it through the five essential characteristics that make a service genuinely cloud-based.

The Five Essential Characteristics

CharacteristicWhat It MeansSecurity Implication
On-demand self-serviceProvision compute, storage, and network without human interactionDevelopers can spin up insecure resources without IT review
Broad network accessAvailable over the network from any standard deviceAttack surface spans all devices and networks
Resource poolingProvider serves multiple customers from shared infrastructureData co-residence; noisy-neighbour and side-channel risks
Rapid elasticityScale up and down automaticallyEphemeral resources can disappear before forensic acquisition
Measured serviceUsage is metered and billedCompromised credentials lead to runaway billing (EDoS)

From a security perspective, rapid elasticity and measured service together create the most dangerous combination: an attacker can consume resources at speed, generate massive cost, and destroy evidence as instances auto-terminate.

The Three Core Service Models

Infrastructure as a Service (IaaS)

You get raw compute (VMs), storage (block/object), and networking. You are responsible for the operating system upward — patching, hardening, application security, and data protection. AWS EC2, Azure Virtual Machines, and GCP Compute Engine are the canonical examples.

Platform as a Service (PaaS)

The provider manages the OS, runtime, and middleware. You deploy code and data. AWS Elastic Beanstalk, Azure App Service, and GCP App Engine fall here. The security boundary narrows — but injection flaws and insecure application logic remain entirely yours.

Software as a Service (SaaS)

The provider runs everything. You configure and use the application. Microsoft 365, Salesforce, and Google Workspace are SaaS. Misconfiguration of sharing settings, permissions, and data residency is the primary risk you own.

Extended Service Models

Beyond the NIST triad, modern cloud ecosystems include:

ModelExampleSecurity Note
FaaS (Function as a Service)AWS Lambda, Azure FunctionsShort-lived; hard to monitor; cold-start injection risks
CaaS (Container as a Service)AWS ECS/EKS, GKEImage vulnerabilities, overprivileged service accounts
DBaaS (Database as a Service)RDS, Cloud SQL, Cosmos DBEncryption at rest defaults vary; audit logging must be enabled explicitly
SECaaS (Security as a Service)Cloudflare, ZscalerThird-party holds traffic; trust and SLA become security variables

Key Takeaway

The shared responsibility model begins at the service-model boundary. Knowing exactly where your responsibility starts — whether at the hypervisor (IaaS), the application (PaaS), or just configuration (SaaS) — is the first skill a cloud security professional develops. Every later chapter in this course builds on that boundary.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Tech Talk EP 07 — The Hypervisor Is Your True Security Perimeter

Audio deep-dive covering NIST SP 800-145, the SPI stack, shared responsibility, deployment models, Type-1/2 hypervisors, and Spectre/Meltdown side-channel attacks. ~30 min.

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

NIST SP 800-145: The NIST Definition of Cloud Computing

The authoritative NIST definition covering five characteristics, three service models, and four deployment models.

paper
NIST SP 800-145: The NIST Definition of Cloud Computing

The authoritative NIST definition covering five characteristics, three service models, and four deployment models.

paper
CSA Security Guidance for Critical Areas of Cloud Computing

The Cloud Security Alliance guidance covering 14 domains of cloud security with practical recommendations.

paper
CSA Security Guidance for Critical Areas of Cloud Computing

The Cloud Security Alliance guidance covering 14 domains of cloud security with practical recommendations.

paper
AWS Well-Architected Security Pillar

AWS prescriptive guidance for building secure cloud architectures across identity, detection, infrastructure, data, and incident response.

blog
AWS Well-Architected Security Pillar

AWS prescriptive guidance for building secure cloud architectures across identity, detection, infrastructure, data, and incident response.

blog
ENISA Cloud Security Guide for SMEs

Practical cloud security guidance from the EU Agency for Cybersecurity, applicable beyond SMEs.

paper
ENISA Cloud Security Guide for SMEs

Practical cloud security guidance from the EU Agency for Cybersecurity, applicable beyond SMEs.

paper
More articlesTest your knowledge