EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityFaaSCaaSDBaaS

Extended Cloud Service Models: FaaS, CaaS, DBaaS and SECaaS

The IaaS-PaaS-SaaS triad is only the beginning. Modern cloud platforms offer Function as a Service, Container as a Service, Database as a Service, and Security as a Service — each with its own shared responsibility boundary and distinct attack surface.

Ashish Revar3 July 202618 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Tech Talk EP 07 — The Hypervisor Is Your True Security Perimeter

Audio deep-dive covering NIST SP 800-145, the SPI stack, shared responsibility, deployment models, Type-1/2 hypervisors, and Spectre/Meltdown side-channel attacks. ~30 min.

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS Lambda Security Best Practices

Official AWS guidance on IAM, VPC, code signing, and runtime security for Lambda functions.

AWS Lambda Security Best Practices

Official AWS guidance on IAM, VPC, code signing, and runtime security for Lambda functions.

NIST SP 800-204: Security Strategies for Microservices

NIST guidance covering FaaS, CaaS, and container security patterns.

NIST SP 800-204: Security Strategies for Microservices

NIST guidance covering FaaS, CaaS, and container security patterns.

CSA Security Guidance for Critical Areas: Serverless

Cloud Security Alliance working group papers on serverless architecture risks.

CSA Security Guidance for Critical Areas: Serverless

Cloud Security Alliance working group papers on serverless architecture risks.

AWS Container Security Overview

AWS overview of container and CaaS security across ECS and EKS.

AWS Container Security Overview

AWS overview of container and CaaS security across ECS and EKS.

More articlesTest your knowledge

Beyond the Basic Triad

NIST SP 800-145 defined cloud computing around three service models: IaaS, PaaS, and SaaS. That classification was adequate for 2011. By 2024, the cloud ecosystem had fractured into specialised delivery models, each placing the shared responsibility boundary at a different point in the stack. Understanding where your responsibility begins and ends is not optional — it is the first question a cloud security professional must answer before designing any control.

Function as a Service (FaaS)

FaaS platforms — AWS Lambda, Azure Functions, Google Cloud Functions — allow developers to run individual functions in response to events (HTTP request, S3 upload, database trigger) without managing any underlying server. The provider handles patching, scaling, and availability.

Security DimensionRisk in FaaSMitigation
Execution environmentShared container runtime across tenantsAvoid processing sensitive data in environment variables
Trigger surfaceAny misconfigured event source (public URL, open queue) becomes an injection pointAuthenticate all triggers; use API Gateway authorisers
Cold-start timingStartup latency can signal whether a function was recently activeNot generally exploitable but relevant in timing side-channels
Over-privileged execution roleLambda functions routinely carry admin-level IAM rolesApply least privilege: grant only the exact S3 paths, DynamoDB tables needed
Dependency supply chainFunction packages contain many npm/pip packagesPin versions; run Dependabot; scan with Grype or Trivy

A 2023 Datadog survey found that 36% of AWS Lambda functions carried at least one critical-severity misconfigured permission. FaaS does not eliminate security responsibility — it concentrates it at the code and configuration layer.

Container as a Service (CaaS)

CaaS gives you a managed control plane for containers. AWS ECS (Elastic Container Service), GKE (Google Kubernetes Engine), and Azure Kubernetes Service (AKS) manage the scheduling, networking, and lifecycle of containers while you provide the container image.

ResponsibilityCaaS — Provider OwnsCaaS — Customer Owns
Node OS patchingYes (managed node groups)Customer-managed node groups: customer
Control plane securityYesN/A
Network policiesN/ACustomer must configure (not default)
Container image CVEsNoCustomer must scan all images
Secrets in environment variablesNoCustomer: use Secrets Manager, not env vars
Kubernetes RBACDefault permissive roles providedCustomer must restrict

Critical: CaaS does not isolate you from image vulnerabilities. A base image pulled from Docker Hub and not scanned can introduce dozens of known CVEs into production before the first line of your application code runs.

Database as a Service (DBaaS)

DBaaS platforms (AWS RDS, Cloud SQL, Azure Cosmos DB, MongoDB Atlas) manage the database engine, backups, and replication. The customer owns data schema, access control, and query design.

Key security considerations:

  • Encryption at rest: Most DBaaS platforms enable this by default using provider-managed KMS keys. For DPDP Act 2023 compliance and sovereignty requirements, use customer-managed keys (CMK).
  • Audit logging: RDS does not enable database activity streams by default. Enable Aurora Advanced Auditing or RDS CloudWatch Logs explicitly.
  • Network isolation: Place RDS instances in private subnets with no public accessibility. The Security Group must allow inbound 3306/5432 only from the application tier.
  • Automatic minor version upgrades: Enabled by default on RDS — this can change behaviour. Test upgrades in staging.

Security as a Service (SECaaS)

SECaaS delegates security functions to a third-party cloud provider. The most common forms in Indian enterprise deployments are:

SECaaS CategoryExamplesWhat the Provider Sees
Web Application FirewallCloudflare WAF, AWS WAFFull request/response, decrypted TLS (if traffic proxied)
Email SecurityProofpoint, MimecastAll inbound/outbound email content
CASBNetskope, Microsoft MCASAPI metadata + inline traffic to SaaS
DDoS ProtectionAWS Shield Advanced, AkamaiTraffic volume, source IPs
SIEM-as-a-ServiceMicrosoft Sentinel, Sumo LogicAll log data from your environment

The critical question for each SECaaS engagement is: What data is the provider processing, and what contractual, technical, and jurisdictional controls govern that data? For RBI-regulated entities and Critical Information Infrastructure (CII) operators, an SECaaS provider must satisfy CERT-In 2022 audit requirements and maintain logs within Indian jurisdiction.

Responsibility Mapping: A Quick Reference

ModelProvider Controls Down ToCustomer Controls From
IaaSHypervisor + physicalOS, runtime, app, data
PaaSRuntime + middlewareApp, data
SaaSEntire stackConfiguration, data input
FaaSContainer runtimeFunction code, IAM role, triggers
CaaSControl planeNode OS (if self-managed), images, RBAC
DBaaSDatabase engineSchema, access policies, audit config
SECaaSSecurity toolingPolicy configuration, integration scope

Understanding this table is the foundation. Every control design decision in this course depends on knowing which row your workload sits in.