| Service model | Description | Examples | Security risks | Typical users | Related categories |
|---|---|---|---|---|---|
| IaaS - Infrastructure as a Service | Provides virtualized computing resources (servers, storage, networking) | AWS EC2, Microsoft Azure VMs, Google Compute Engine | Misconfigured VMs, insecure APIs, data breaches, insufficient access controls | Sysadmins, DevOps, IT Teams | C4: Insecure Config, C6: Broken AuthZ, C1: Identity & Access Mgmt |
| PaaS - Platform as a Service | Platform to develop, run, and manage applications without infrastructure management | Heroku, Google App Engine, Azure App Service | Insecure development environments, vulnerable runtime libraries, unauthorized access | Developers, Software Engineers | C7: Insecure Workload Mgmt, C2: CI/CD Security, C6: Broken AuthZ |
| SaaS - Software as a Service | Delivers software applications over the internet | Google Workspace, Microsoft 365, Salesforce | Data leakage, weak authentication, lack of data ownership control, phishing | End Users, Business Teams | C1: Identity & Access Mgmt, C6: Broken AuthZ, C9: Dependencies |
| FaaS - Function as a Service | Event-driven code execution without server management (Serverless computing) | AWS Lambda, Azure Functions, Google Cloud Functions | Insecure code execution, event injection, broken function isolation, insecure dependencies | Developers, Event-Driven Systems | C3: Secrets Mgmt, C7: Insecure Workload Mgmt, C9: Dependencies |
| CaaS - Container as a Service | Container orchestration and management | Google Kubernetes Engine, Azure Kubernetes Service, AWS Fargate | Container escape, insecure images, misconfigured orchestration, secrets leakage | DevOps, Cloud Architects | C4: Insecure Config, C3: Secrets Mgmt, C7: Insecure Workload Mgmt |
| BaaS - Backend as a Service | Ready-made backend services (e.g., auth, database, storage) for apps | Firebase, AWS Amplify, Supabase | Data exposure via misconfigured endpoints, insecure mobile client integration | Web/Mobile App Developers | C4: Insecure Config, C1: Identity & Access Mgmt, C8: Observability |
| DBaaS - Database as a Service | Fully managed database provisioning, scaling, and backups | Amazon RDS, MongoDB Atlas, Azure SQL Database | Unauthorized access, SQL injection, unpatched engines, insecure backups | Developers, Data Engineers | C6: Broken AuthZ, C4: Insecure Config, C9: Dependencies |
| DaaS - Desktop as a Service | Cloud-hosted virtual desktops accessible from anywhere | Amazon WorkSpaces, Citrix DaaS, Windows 365 | Session hijacking, data leakage via clipboard/print, weak endpoint security | Remote Workers, IT Teams | C1: Identity & Access Mgmt, C6: Broken AuthZ, C8: Observability |
| STaaS - Storage as a Service | On-demand scalable cloud storage | Amazon S3, Google Cloud Storage, Azure Blob Storage | Unsecured buckets, accidental exposure, ransomware, poor access control | Businesses, Backup Providers | C4: Insecure Config, C6: Broken AuthZ, C1: Identity & Access Mgmt |
| AIaaS - AI as a Service | Pre-trained AI/ML models and tools as a service | Azure Cognitive Services, AWS SageMaker, Google Vertex AI | Model poisoning, adversarial input, data privacy violations, bias | Data Scientists, Developers | C9: Dependencies, C5: Supply Chain, C8: Observability |
| MLaaS - Machine Learning as a Service | Managed machine learning tools and infrastructure | Amazon SageMaker, Google AI Platform, Azure Machine Learning | Data leakage, model theft, insecure training data, misuse | ML Engineers, Researchers | C9: Dependencies, C5: Supply Chain, C3: Secrets Mgmt |
| SECaaS - Security as a Service | Cloud-delivered cybersecurity services (e.g., firewalls, antivirus, threat monitoring) | Cloudflare, Zscaler, Palo Alto Prisma Access | Overreliance on third parties, misconfigs, false sense of protection | Security Teams, Enterprises | C4: Insecure Config, C10: Governance & Compliance, C8: Observability |
| NaaS - Network as a Service | On-demand network services like VPNs, bandwidth, and routing | Megaport, Aryaka, AWS Cloud WAN | Traffic interception, DNS poisoning, insecure VPN setups, DDoS | Network Engineers, Enterprises | C6: Broken AuthZ, C4: Insecure Config, C8: Observability |
| IDaaS - Identity as a Service | Identity and access management delivered via the cloud | Okta, Azure AD, Auth0 | Credential theft, session hijacking, inadequate MFA | IT Security Teams, Enterprises | C1: Identity & Access Mgmt, C6: Broken AuthZ, C10: Governance |
| UCaaS - Unified Communications as a Service | Integrated communication tools like VoIP, messaging, video meetings | Zoom, RingCentral, Microsoft Teams | Eavesdropping, MITM attacks, unencrypted chat, phishing | Enterprises, Call Centers | C1: Identity & Access Mgmt, C8: Observability, C6: Broken AuthZ |