| Service model | Description | Examples | Security risks | Typical users | Risk categories |
|---|---|---|---|---|---|
| IaaS - Infrastructure as a Service | Provides virtualized computing resources (servers, storage, networking) | AWS EC2, Microsoft Azure VMs, Google Compute Engine | Misconfigured VMs, insecure APIs, data breaches, insufficient access controls | Sysadmins, DevOps, IT Teams | C4: Insecure Config, C6: Broken AuthZ, C1: Identity & Access Mgmt |
| PaaS - Platform as a Service | Platform to develop, run, and manage applications without infrastructure management | Heroku, Google App Engine, Azure App Service | Insecure development environments, vulnerable runtime libraries, unauthorized access | Developers, Software Engineers | C7: Insecure Workload Mgmt, C2: CI/CD Security, C6: Broken AuthZ |
| SaaS - Software as a Service | Delivers software applications over the internet | Google Workspace, Microsoft 365, Salesforce | Data leakage, weak authentication, lack of data ownership control, phishing | End Users, Business Teams | C1: Identity & Access Mgmt, C6: Broken AuthZ, C9: Dependencies |
| FaaS - Function as a Service | Event-driven code execution without server management (Serverless computing) | AWS Lambda, Azure Functions, Google Cloud Functions | Insecure code execution, event injection, broken function isolation, insecure dependencies | Developers, Event-Driven Systems | C3: Secrets Mgmt, C7: Insecure Workload Mgmt, C9: Dependencies |
| CaaS - Container as a Service | Container orchestration and management | Google Kubernetes Engine, Azure Kubernetes Service, AWS Fargate | Container escape, insecure images, misconfigured orchestration, secrets leakage | DevOps, Cloud Architects | C4: Insecure Config, C3: Secrets Mgmt, C7: Insecure Workload Mgmt |
| BaaS - Backend as a Service | Ready-made backend services (e.g., auth, database, storage) for apps | Firebase, AWS Amplify, Supabase | Data exposure via misconfigured endpoints, insecure mobile client integration | Web/Mobile App Developers | C4: Insecure Config, C1: Identity & Access Mgmt, C8: Observability |
| DBaaS - Database as a Service | Fully managed database provisioning, scaling, and backups | Amazon RDS, MongoDB Atlas, Azure SQL Database | Unauthorized access, SQL injection, unpatched engines, insecure backups | Developers, Data Engineers | C6: Broken AuthZ, C4: Insecure Config, C9: Dependencies |
| DaaS - Desktop as a Service | Cloud-hosted virtual desktops accessible from anywhere | Amazon WorkSpaces, Citrix DaaS, Windows 365 | Session hijacking, data leakage via clipboard/print, weak endpoint security | Remote Workers, IT Teams | C1: Identity & Access Mgmt, C6: Broken AuthZ, C8: Observability |
| STaaS - Storage as a Service | On-demand scalable cloud storage | Amazon S3, Google Cloud Storage, Azure Blob Storage | Unsecured buckets, accidental exposure, ransomware, poor access control | Businesses, Backup Providers | C4: Insecure Config, C6: Broken AuthZ, C1: Identity & Access Mgmt |
| AIaaS - AI as a Service | Pre-trained AI/ML models and tools as a service | Azure Cognitive Services, AWS SageMaker, Google Vertex AI | Model poisoning, adversarial input, data privacy violations, bias | Data Scientists, Developers | C9: Dependencies, C5: Supply Chain, C8: Observability |
| MLaaS - Machine Learning as a Service | Managed machine learning tools and infrastructure | Amazon SageMaker, Google AI Platform, Azure Machine Learning | Data leakage, model theft, insecure training data, misuse | ML Engineers, Researchers | C9: Dependencies, C5: Supply Chain, C3: Secrets Mgmt |
| SECaaS - Security as a Service | Cloud-delivered cybersecurity services (e.g., firewalls, antivirus, threat monitoring) | Cloudflare, Zscaler, Palo Alto Prisma Access | Overreliance on third parties, misconfigs, false sense of protection | Security Teams, Enterprises | C4: Insecure Config, C10: Governance & Compliance, C8: Observability |
| NaaS - Network as a Service | On-demand network services like VPNs, bandwidth, and routing | Megaport, Aryaka, AWS Cloud WAN | Traffic interception, DNS poisoning, insecure VPN setups, DDoS | Network Engineers, Enterprises | C6: Broken AuthZ, C4: Insecure Config, C8: Observability |
| IDaaS - Identity as a Service | Identity and access management delivered via the cloud | Okta, Azure AD, Auth0 | Credential theft, session hijacking, inadequate MFA | IT Security Teams, Enterprises | C1: Identity & Access Mgmt, C6: Broken AuthZ, C10: Governance |
| UCaaS - Unified Communications as a Service | Integrated communication tools like VoIP, messaging, video meetings | Zoom, RingCentral, Microsoft Teams | Eavesdropping, MITM attacks, unencrypted chat, phishing | Enterprises, Call Centers, End Users | C1: Identity & Access Mgmt, C8: Observability, C6: Broken AuthZ |