| Layer | Sharing this layer uses... | Examples | Security implications |
|---|---|---|---|
| | Software as a Service (SaaS): your users access software directly from the provider. | Facebook, Google Docs | You're relying entirely on the provider's security, including account authentication and reset. |
| Code Runtime Environment | Platform as a Service (PaaS): your code runs on top of the provider's Python, PHP, Java, or Node.js. | App Engine, AWS Lambda | API keys tend to leak, and can allow much more access than you intend. SQL or JS injection is still a problem. |
| | Containers: combine application and runtime libraries into a single portable image, run on shared | Docker, rkt, Microsoft Azure | Kernel-level vulnerabilities are accessible to any containerized application. |
| | Infrastructure as a Service (IaaS): virtual machines use a hypervisor to mediate your access to | Amazon EC2, Digital Ocean, Rackspace | An attacker might be sharing your CPU (including branch history table and L1 cache), your RAM, and your network connection, making very fine-grained timing. Virtual server sprawl plus the need to patch VMs individually means some VMs may be running old vulnerable kernels. |
| | Colocation (colo): rent rack space in your ISP's datacenter for your server hardware. | | Everything about your server's security (patching, configuration, firewalls) is up to you. An attacker can gain physical access to colo hardware by just renting space. (Countermeasure: locking cabinets, video recording.) |
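The IaaS row's point about VM sprawl and per-VM patching is easiest to act on with a fleet check. As an added example (not part of the original handout), the script below takes a constructed inventory of VM kernel releases and a constructed per-distro baseline (the oldest build you consider patched) and flags VMs that are behind the baseline or belong to no managed distro at all, which is exactly the "forgotten VM with an old kernel" case.

```python
"""Flag VMs whose kernel is older than a patched baseline.

Added example; the inventory and baseline below are constructed
for illustration and are not data from the handout.
"""
import re

# Constructed inventory: (vm name, distro, kernel release string as `uname -r` prints it).
INVENTORY = [
    ("web-01", "ubuntu", "5.15.0-91-generic"),
    ("web-02", "ubuntu", "5.15.0-76-generic"),
    ("db-01", "amazon", "6.1.66-91.160.amzn2023.x86_64"),
    ("legacy-01", "ubuntu", "4.4.0-21-generic"),
    ("scratch-07", "unknown", "3.10.0-1160.el7.x86_64"),
]

# Constructed baseline: oldest kernel build per distro that carries the fixes you require.
BASELINE = {
    "ubuntu": "5.15.0-91-generic",
    "amazon": "6.1.66-91.160.amzn2023.x86_64",
}


def kernel_key(release: str) -> tuple:
    """Turn '5.15.0-91-generic' into (5, 15, 0, 91) for ordered comparison.

    Distros bump the build number after the '-' when they ship a security
    fix, so major.minor.patch plus that build number is what we compare.
    Trailing flavour text ('-generic', '.el7.x86_64') is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def stale_vms(inventory=INVENTORY, baseline=BASELINE) -> list:
    """Return (vm, kernel) for each VM below its distro's baseline.

    A VM whose distro has no baseline is also flagged: an unmanaged
    image is sprawl by definition and needs a human to look at it."""
    stale = []
    for vm, distro, release in inventory:
        floor = baseline.get(distro)
        if floor is None or kernel_key(release) < kernel_key(floor):
            stale.append((vm, release))
    return stale


if __name__ == "__main__":
    for vm, release in stale_vms():
        print(f"PATCH NEEDED: {vm} is on kernel {release}")
```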