To understand the risks and potential threats that could harm your IT infrastructure or business, you first need to identify your attack surface. Select all relevant cloud services you already use or plan to implement, then click the 'Evaluate Selected' button.
Cloud Models | Purpose / Use Case | Example Products | Typical Threats | Typical Users | OWASP Cloud-Native Control |
---|---|---|---|---|---|
IaaS - Infrastructure as a Service | Provides virtualized computing resources (servers, storage, networking) | AWS EC2, Microsoft Azure VMs, Google Compute Engine | Misconfigured VMs, insecure APIs, data breaches, insufficient access controls | Sysadmins, DevOps, IT Teams | C4: Insecure Config, C6: Broken AuthZ, C1: Identity & Access Mgmt |
PaaS - Platform as a Service | Platform to develop, run, and manage applications without infrastructure management | Heroku, Google App Engine, Azure App Service | Insecure development environments, vulnerable runtime libraries, unauthorized access | Developers, Software Engineers | C7: Insecure Workload Mgmt, C2: CI/CD Security, C6: Broken AuthZ |
SaaS - Software as a Service | Delivers software applications over the internet | Google Workspace, Microsoft 365, Salesforce | Data leakage, weak authentication, lack of data ownership control, phishing | End Users, Business Teams | C1: Identity & Access Mgmt, C6: Broken AuthZ, C9: Dependencies |
FaaS - Function as a Service | Event-driven code execution without server management (Serverless computing) | AWS Lambda, Azure Functions, Google Cloud Functions | Insecure code execution, event injection, broken function isolation, insecure dependencies | Developers, Event-Driven Systems | C3: Secrets Mgmt, C7: Insecure Workload Mgmt, C9: Dependencies |
CaaS - Container as a Service | Container orchestration and management | Google Kubernetes Engine, Azure Kubernetes Service, AWS Fargate | Container escape, insecure images, misconfigured orchestration, secrets leakage | DevOps, Cloud Architects | C4: Insecure Config, C3: Secrets Mgmt, C7: Insecure Workload Mgmt |
BaaS - Backend as a Service | Ready-made backend services (e.g., auth, database, storage) for apps | Firebase, AWS Amplify, Supabase | Data exposure via misconfigured endpoints, insecure mobile client integration | Web/Mobile App Developers | C4: Insecure Config, C1: Identity & Access Mgmt, C8: Observability |
DBaaS - Database as a Service | Fully managed database provisioning, scaling, and backups | Amazon RDS, MongoDB Atlas, Azure SQL Database | Unauthorized access, SQL injection, unpatched engines, insecure backups | Developers, Data Engineers | C6: Broken AuthZ, C4: Insecure Config, C9: Dependencies |
DaaS - Desktop as a Service | Cloud-hosted virtual desktops accessible from anywhere | Amazon WorkSpaces, Citrix DaaS, Windows 365 | Session hijacking, data leakage via clipboard/print, weak endpoint security | Remote Workers, IT Teams | C1: Identity & Access Mgmt, C6: Broken AuthZ, C8: Observability |
STaaS - Storage as a Service | On-demand scalable cloud storage | Amazon S3, Google Cloud Storage, Azure Blob Storage | Unsecured buckets, accidental exposure, ransomware, poor access control | Businesses, Backup Providers | C4: Insecure Config, C6: Broken AuthZ, C1: Identity & Access Mgmt |
AIaaS - AI as a Service | Pre-trained AI/ML models and tools as a service | Azure Cognitive Services, AWS SageMaker, Google Vertex AI | Model poisoning, adversarial input, data privacy violations, bias | Data Scientists, Developers | C9: Dependencies, C5: Supply Chain, C8: Observability |
MLaaS - Machine Learning as a Service | Managed machine learning tools and infrastructure | Amazon SageMaker, Google AI Platform, Azure Machine Learning | Data leakage, model theft, insecure training data, misuse | ML Engineers, Researchers | C9: Dependencies, C5: Supply Chain, C3: Secrets Mgmt |
SECaaS - Security as a Service | Cloud-delivered cybersecurity services (e.g., firewalls, antivirus, threat monitoring) | Cloudflare, Zscaler, Palo Alto Prisma Access | Overreliance on third parties, misconfigs, false sense of protection | Security Teams, Enterprises | C4: Insecure Config, C10: Governance & Compliance, C8: Observability |
NaaS - Network as a Service | On-demand network services like VPNs, bandwidth, and routing | Megaport, Aryaka, AWS Cloud WAN | Traffic interception, DNS poisoning, insecure VPN setups, DDoS | Network Engineers, Enterprises | C6: Broken AuthZ, C4: Insecure Config, C8: Observability |
IDaaS - Identity as a Service | Identity and access management delivered via the cloud | Okta, Azure AD, Auth0 | Credential theft, session hijacking, inadequate MFA | IT Security Teams, Enterprises | C1: Identity & Access Mgmt, C6: Broken AuthZ, C10: Governance |
UCaaS - Unified Communications as a Service | Integrated communication tools like VoIP, messaging, video meetings | Zoom, RingCentral, Microsoft Teams | Eavesdropping, MITM attacks, unencrypted chat, phishing | Enterprises, Call Centers | C1: Identity & Access Mgmt, C8: Observability, C6: Broken AuthZ |