Part Four: PaaS, SaaS, and IaaS

In this course, we take a look at company culture and how to make it focus on security. We look at how to close the gap between current state and desired state and how to build security in your environments. You'll also learn about security in the cloud before moving on to look at the various metrics available for assessing security in your workflows.

If you have any feedback relating to this course, feel free to contact us at

Learning Objectives

  • Learn how to create a security-aware culture in your organization
  • Understand how to close the gap between current state and desired state
  • Learn how to build security into your IT architecture
  • Learn about security in the Cloud in relation to PaaS, SaaS, and IaaS
  • Understand how to use metrics to measure the performance of our infrastructure

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field. 



So let's look at some of the key advantages of each of these three service platforms. With software as a service there is the promise of an overall reduction in maintenance costs, licensing costs and complexities, reduced support costs and backend systems and capabilities costs. In this mode the customer is essentially an end user and the costs listed here are not presented as they would be if the applications were being used in a traditional setting.

With platform as a service the advantages include the ability to install and uninstall different operational environments to support different development needs, a great deal of flexibility, the ability to auto-scale as additional capacities are required or need to be released and the ability to turn this service off when it's not needed without impacting operations.

Infrastructure as a service allows the user to operate their application system on whatever operating system they wish and with whatever other attributes they wish as if they were running it in a more traditional setting in their own shop. In this particular mode the customer gets to benefit from the economies of scale through consuming and paying for only what they consume.

The ability to change environments when and as they need to, in a more attractive timescale, a very much more do-it-yourself, on-your-own-initiative type of environment, and the benefit of having the cloud provider perform a number of services as part of the package to safeguard the information.

The cloud deployment models, which are independent of the service models, have their own benefits. So let's explore these for the next few minutes. We start with the private deployment model. This model is owned or leased by a single organization and is operated solely for their organization in a manner very similar to what they would do in their own shop. Even though this is a complete virtual environment that the organization occupies, the given organization is the only inhabitant of that environment and they are logically isolated from all others.

At the other extreme is the public deployment model. This one is owned by an organization and provides services to a general public or a very large industry group, more as individuals than as a single organization. An example of this would be each person operating as an individual using their Gmail account on Google.

Between public and private there exists a hybrid deployment model. This hybrid uses elements of both public and private and provides a service based on the private with the ability to auto-scale to include additional resources, as certain thresholds are retained or breached, drawn from the public side of the cloud.

The fourth deployment model is the community, a model shared by several organizations, supporting that community of those organizations with a single shared set of goals or objectives. Now, to elaborate a bit on the private cloud deployment model, we need to look at a few things.

The cloud deployment model refers to a virtual environment that contains what appears to be a proprietary network and a data center, all of which is owned or designed for the use of a specific organization. All the resources contained within this private cloud are there to serve that organization in a manner virtually identical to what they would do in their own shop on their own premises.

The fact is, though, this is a cloud-provided service that looks exactly like and performs exactly like that private in-house computing capability, with all of the benefits of that and with the added benefits of, to a degree, being operated by someone else on behalf of the entity.

So the key benefits provided are the same level of control over our data, the underlying systems, and applications processing mandated. In this particular model, the customer is the organization essentially owning that private cloud and retains ownership and governance control over the data in the systems and operations.

To a degree, they have assurance that only certain locations in the cloud will be used while others will be restricted from use.

In the public cloud, the services are available to the general public over the internet. In this, a customer, typically an individual, is able to access it over high-speed connections from almost anywhere. And these resources are available to them on a consumption-based rather than an ownership-based model.

The benefits with the public cloud include easy and inexpensive setup which requires almost no technical knowledge, ease of use and of provisioning resources, the ability to scale to meet customer needs and, again, based on a pay-per-use subscription model.

The customer has the ability to store and process all the data that they need to and they retain control over access and the movement of their data within the cloud structure. They have the ability to share their data through certain mechanisms that ensure that their data will be under their control and under their security rules at all times.

Now in the hybrid cloud, as I'd mentioned, this is a combination of multiple forms, predominantly a combination of public and private clouds. In the hybrid cloud, the service level agreement describes a baseline of service that defines the private cloud and its boundaries.

That service level agreement goes on to describe how the so-called cloud bursting will take place that will provide additional services should the customer run into a situation requiring additional resource, and provision that additional resource automatically.

In its operation, it is quite similar to a model we find in networking with frame relay in the form of permanent virtual circuits, or PVCs, and switched virtual circuits, or SVCs. The concern often is that when the hybrid function initiates and brings in additional capacities, is it going to be operated as securely as the private cloud normally is? This is followed by the additional question: once that threshold has been passed and the resources are returned to the public cloud from which they're drawn, what happens to the data that may have occupied those resources provided from the public cloud? The answer to this is, when the services are provided from the public cloud and included there in the private cloud, the capacities and resources brought into the private cloud area will fall under the rules of security and privacy protections already in place in the private cloud portion.

When those same resources are returned to the pool of the public cloud, sanitation of those resources will be done before this resource is released back into the private cloud.

The community cloud is a multi-tenant configuration that allows several different companies to work collaboratively in a shared environment within the same platform.

In subscribing to the community cloud, it is established that these parameters exist and that they are part of the collaborating community and must be adhered to by all subscribing members. A community cloud and its construction could be partially in the cloud itself and partially on the premises of one or more of the member organizations.

In terms of the security and privacy protections in this community, typically the rules and capabilities established will function in like manner for each member organization. In addition, each member organization may have additional controls that they can put in place governing their portions independently, or in addition to the ones provided by the community cloud service provider.

So in general, the advantages of cloud computing that a consumer may enjoy include scalability supporting virtually unlimited resource pools, scalability that can enable better performance and responsiveness of applications, pay for what you use instead of pay for all regardless of consumption levels, changing of the expenditures picture from capital to operational, a lot of do-it-yourself management, a simplification of software maintenance, upgrading and management, and built-in services such as redundancy and failover to support disaster recovery efforts when needed.

Now, in our discussion thus far, it appears that cloud computing has only advantages. This, of course, is not true, as it has not been true of any technological construct like a data center or cloud computing. There are risks associated with cloud computing that are unique to it, and yet many of the risks we face in a traditional data center setup are similar or identical to what we will find in the cloud. Therefore, it is crucial that any decision to go to the cloud must consider the risks associated with the cloud but not ignore those risks that were associated with the traditional data setup that is being considered to be moved from.

Some of the disadvantages you see here: change from traditional to cloud potentially increases risk. There may be a lack of transparency on the provider side, meaning the data location may not be readily apparent or even discoverable. Data may cross jurisdictional boundaries and be subject to specific rules or penalties of the new jurisdiction.

Audit log availability may not always be a guaranteed deliverable. The robustness of security controls may not be visible to the client. Another consideration is what should be put in the cloud and what data should not be. Some data, given its character, may not be suitable for exposure to the web even in the most secure cloud type of an environment. But that decision is up to the individual enterprise and the security and legal staff. It is nonetheless a critical consideration before venturing into the cloud.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.