Managing Risk in the Cloud

The differing approaches in the three service models

Whether your organization is a U.S.-centric DoD contractor, or if it is distributed globally will also determine whether geographic boundaries are an important factor in decision making. For example, consider the laws of the European Union, which have significantly more individual privacy requirements than North America. If you are building a global, enterprise security system, these considerations should be at the core of any strategy.


The Cloud Service Models

This article focuses primarily on the “3” in the “3-4-5 framework” — namely the three Cloud Service Models, and the differing approaches to managing risk. The approach depends on the degree of technical participation that the end-user is responsible for, or has under their direct control.

The cloud service model is often referred to as the “SPI model,” which stands for Software, Platform and Infrastructure. Depending on requirements and risk posture — some of which may be dictated by compliance requirements or regulation — choices are available about the amount of “hands-on” control an organization might require when deciding to use or move an application to the cloud.

The three types of service models are:

SaaS (Software as a Service): This is a software, or Turnkey Solution (e.g. or SaaS offers the most integrated user experience, but is the least extensible. As a turnkey solution, the software, platform and infrastructure are all managed for you. Functionality and system security is built in “as-is.” For an introduction to Software as a Service for the Physical Security Practitioner, see the work of the ASIS International IT Security Council at:

PaaS (Platform as a Service): This is considered a “BYO Application” (such as Microsoft Windows Azure or Google App Engine). Although PaaS options were once generally restricted to using the application or development environment(s) specified by the provider, some are now offering support for multiple environments (e.g. – Windows Azure allows Java and other technologies in addition to Microsoft’s own tools). PaaS is more extensible than SaaS. Built-in capabilities are less complete, but more flexibility exists to layer in additional security. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage; however, the end-user has control over the deployed applications and possibly some of the application hosting environment configurations.

IaaS (Infrastructure as a Service, pronounced “ice”): This is considered a “BYO operating systems and applications” service, such as Amazon Web Services (AWS). Users do not manage or control the underlying cloud infrastructure, but have control over operating systems, storage, deployed applications, and possibly limited control of select networking components, such as host firewalls.


Matching Service Model Questions with Business Requirements

While the outline above can quickly lead to deep technical discussion, one approach to determining service models and cloud choices to meet business requirements is to consider the following five questions:

1. Location: Is the desired solution an on-premises, off-premises or a combination hybrid?

2. Infrastructure: Will it require exclusive or shared infrastructure?

3. Investment: How much capital is required, or is it an operational expenditure decision?

4. Ownership: Do I need to own the solution, or can I lease or rent it?

5. Management: Will it be managed in-house, or will a third party manage it?

Asking these questions will likely engage every stakeholder and division of the business, and provide fertile ground for a business-related discussion. The careful crafting of questions is a powerful tool to align business requirements with any cloud-centric strategy and obtain buy-in from stakeholders, especially when presented with choices about the risks (and rewards) of each option.


Managing Risk

Each service model has a slightly different approach to risk mitigation. These approaches are detailed in the Cloud Security Alliance guidance documents available at

In the graphic above, the “all inclusive” nature of SaaS means that risk is most effectively controlled by contract terms, and few engineering choices exist because a standardized application, platform and infrastructure is shared across a large base of users.