The IaaS-PaaS-SaaS triad is only the beginning. Modern cloud platforms offer Function as a Service, Container as a Service, Database as a Service, and Security as a Service — each with its own shared responsibility boundary and distinct attack surface.
Sign in to mark this article as read and track your progress.
NIST SP 800-145 defined cloud computing around three service models: IaaS, PaaS, and SaaS. That classification was adequate for 2011. By 2024, the cloud ecosystem had fractured into specialised delivery models, each placing the shared responsibility boundary at a different point in the stack. Understanding where your responsibility begins and ends is not optional — it is the first question a cloud security professional must answer before designing any control.
FaaS platforms — AWS Lambda, Azure Functions, Google Cloud Functions — allow developers to run individual functions in response to events (HTTP request, S3 upload, database trigger) without managing any underlying server. The provider handles patching, scaling, and availability.
| Security Dimension | Risk in FaaS | Mitigation |
|---|---|---|
| Execution environment | Shared container runtime across tenants | Avoid processing sensitive data in environment variables |
| Trigger surface | Any misconfigured event source (public URL, open queue) becomes an injection point | Authenticate all triggers; use API Gateway authorisers |
| Cold-start timing | Startup latency can signal whether a function was recently active | Not generally exploitable but relevant in timing side-channels |
| Over-privileged execution role | Lambda functions routinely carry admin-level IAM roles | Apply least privilege: grant only the exact S3 paths, DynamoDB tables needed |
| Dependency supply chain | Function packages contain many npm/pip packages | Pin versions; run Dependabot; scan with Grype or Trivy |
A 2023 Datadog survey found that 36% of AWS Lambda functions carried at least one critical-severity misconfigured permission. FaaS does not eliminate security responsibility — it concentrates it at the code and configuration layer.
CaaS gives you a managed control plane for containers. AWS ECS (Elastic Container Service), GKE (Google Kubernetes Engine), and Azure Kubernetes Service (AKS) manage the scheduling, networking, and lifecycle of containers while you provide the container image.
| Responsibility | CaaS — Provider Owns | CaaS — Customer Owns |
|---|---|---|
| Node OS patching | Yes (managed node groups) | Customer-managed node groups: customer |
| Control plane security | Yes | N/A |
| Network policies | N/A | Customer must configure (not default) |
| Container image CVEs | No | Customer must scan all images |
| Secrets in environment variables | No | Customer: use Secrets Manager, not env vars |
| Kubernetes RBAC | Default permissive roles provided | Customer must restrict |
Critical: CaaS does not isolate you from image vulnerabilities. A base image pulled from Docker Hub and not scanned can introduce dozens of known CVEs into production before the first line of your application code runs.
DBaaS platforms (AWS RDS, Cloud SQL, Azure Cosmos DB, MongoDB Atlas) manage the database engine, backups, and replication. The customer owns data schema, access control, and query design.
Key security considerations:
SECaaS delegates security functions to a third-party cloud provider. The most common forms in Indian enterprise deployments are:
| SECaaS Category | Examples | What the Provider Sees |
|---|---|---|
| Web Application Firewall | Cloudflare WAF, AWS WAF | Full request/response, decrypted TLS (if traffic proxied) |
| Email Security | Proofpoint, Mimecast | All inbound/outbound email content |
| CASB | Netskope, Microsoft MCAS | API metadata + inline traffic to SaaS |
| DDoS Protection | AWS Shield Advanced, Akamai | Traffic volume, source IPs |
| SIEM-as-a-Service | Microsoft Sentinel, Sumo Logic | All log data from your environment |
The critical question for each SECaaS engagement is: What data is the provider processing, and what contractual, technical, and jurisdictional controls govern that data? For RBI-regulated entities and Critical Information Infrastructure (CII) operators, an SECaaS provider must satisfy CERT-In 2022 audit requirements and maintain logs within Indian jurisdiction.
| Model | Provider Controls Down To | Customer Controls From |
|---|---|---|
| IaaS | Hypervisor + physical | OS, runtime, app, data |
| PaaS | Runtime + middleware | App, data |
| SaaS | Entire stack | Configuration, data input |
| FaaS | Container runtime | Function code, IAM role, triggers |
| CaaS | Control plane | Node OS (if self-managed), images, RBAC |
| DBaaS | Database engine | Schema, access policies, audit config |
| SECaaS | Security tooling | Policy configuration, integration scope |
Understanding this table is the foundation. Every control design decision in this course depends on knowing which row your workload sits in.