Cloud Architecture & Security

Computer Security Lecture, Dr. Lawlor

| Layer | Sharing this layer uses... | Examples | Security Implications |
|---|---|---|---|
| Application | Software as a Service (SaaS): your users access software directly from the provider. | Facebook, Google Docs | You're relying entirely on the provider's security, including account authentication & reset procedure. |
| Code Runtime Environment | Platform as a Service (PaaS): your code runs on top of the provider's Python, PHP, Java, or Node.js development environment. | Google App Engine, AWS Lambda | API keys tend to leak, and can allow much more access than you intend. SQL or JS injection is still a problem. |
| OS Kernel | Containers: combine application and runtime libraries into a single portable image, run on a shared kernel. | Docker, rkt, Microsoft Azure | Kernel-level vulnerabilities are accessible to any containerized application. |
| Server box | Infrastructure as a Service (IaaS): virtual machines use a hypervisor to mediate your access to the provider's hardware. | Amazon EC2, Digital Ocean, Rackspace | An attacker might be sharing your CPU (including branch history table and L1 cache), your RAM, and your network connection, making very fine-grained timing attacks possible. Virtual server sprawl plus the need to patch VMs individually means some VMs may be running old vulnerable kernels. |
| Datacenter | Colocation (colo): rent rack space in your ISP's datacenter for your server hardware. | GCI, ACS | Everything about your server's security (patching, configuration, firewalls) is up to you. An attacker can gain physical access to colo hardware by just renting space. (Countermeasure: locking cabinets, video recording.) |
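
The IaaS row notes that VM sprawl leaves some machines on old kernels. The following is an added example, not part of the original lecture, of auditing a fleet inventory for that problem. The hostnames, the Ubuntu-style `uname -r` strings, and the baseline builds are all constructed sample values.

```python
import re

# Constructed inventory: (VM name, output of `uname -r` collected from it).
# Hostnames, kernel strings and the baseline are made-up sample values.
INVENTORY = [
    ("web-01", "5.15.0-91-generic"),
    ("web-02", "5.15.0-56-generic"),
    ("db-01", "5.4.0-169-generic"),
    ("batch-07", "4.15.0-213-generic"),
    ("legacy-ci", "custom-build"),
]

# Assumed policy: per kernel series, the oldest build considered patched.
BASELINE = {(5, 15, 0): 91, (5, 4, 0): 169}

# Assumes the Ubuntu-style "major.minor.patch-build-flavour" release format.
KERNEL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_kernel(release):
    """Split '5.15.0-91-generic' into ((5, 15, 0), 91); None if unparseable."""
    m = KERNEL_RE.match(release)
    if not m:
        return None
    major, minor, patch, build = map(int, m.groups())
    return (major, minor, patch), build


def audit(inventory, baseline):
    """Return {vm: finding} for every VM that is not on a patched kernel."""
    findings = {}
    for vm, release in inventory:
        parsed = parse_kernel(release)
        if parsed is None:
            # A VM we cannot classify is a finding, not a pass.
            findings[vm] = "unknown kernel string: " + release
            continue
        series, build = parsed
        if series not in baseline:
            findings[vm] = "series %d.%d.%d not in baseline" % series
        elif build < baseline[series]:
            findings[vm] = "build %d older than required %d" % (build, baseline[series])
    return findings


if __name__ == "__main__":
    for vm, finding in sorted(audit(INVENTORY, BASELINE).items()):
        print(vm + ": " + finding)
```

Treating unparseable or out-of-baseline kernels as findings matters here: forgotten VMs are exactly the ones least likely to match the expected format.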