• Public: CSP-owned shared infrastructure (AWS, Azure); lowest cost, least control
• Private: Single-organization exclusive use (on-prem or hosted); compliance/legacy needs
• Community: Shared by specific sectors (gov, finance); joint concerns, joint cost
• Hybrid: Interconnected public + private; burst capacity, keep sensitive data on-prem
• SaaS/PaaS/IaaS: SaaS (apps—email), PaaS (platform—databases), IaaS (infra—VMs/networks); more responsibility shifts to the customer as you go down the stack (SaaS → PaaS → IaaS)
Tenancy & Architecture
• Single-Tenant: Dedicated hardware/instance (isolated, expensive)
• Multi-Tenant: Logical isolation on shared hardware (efficient, "noisy neighbor" risk)
• Centralized: Consolidated data centers (cloud model); Decentralized: Edge computing, distributed processing (low latency for IoT)
• Deperimeterization: Network boundary dissolves (cloud, remote work, BYOD); traditional perimeter firewalls inadequate
• Zero Trust: "Never trust, always verify"; assume breach; continuous identity/device verification, least privilege, micro-segmentation; no trust based on network location alone
• Shared Responsibility: CSP is responsible for security *of* the cloud (hardware, hypervisor); customer is responsible for security *in* the cloud (OS, data, IAM, config)
• Geo-Replication/GRS: Copies data across geographic regions (Geo-Redundant Storage); survives regional disasters
• HA/Auto-Failover: Automatic failure detection and recovery; SLAs commit to 99.99%+ uptime
• VPC: Isolated logical network within public cloud; custom subnets, route tables, security groups
• VM vs Container: VM (hardware virt, full OS, GBs, minutes to boot); Container (OS-level virt, shares kernel, MBs, seconds to start, ephemeral)
• Scaling: Scalability (capacity to grow), Elasticity (auto-scale to match demand, including scaling down when demand drops), Autoscaling (policy-driven resource adjustment)
• IaC (Infrastructure as Code): Automated provisioning via scripts (Terraform, CloudFormation); version control, immutable infra
• SDN (Software-Defined Networking): Centralized programmable control; separates control plane from data plane
• Data Sovereignty: Legal jurisdiction of data based on physical location; dictates residency requirements (GDPR)
• Embedded System: Dedicated computer for specific function (firmware-driven, not general-purpose)
• RTOS (Real-Time OS): Deterministic response times; hard real-time (deadlines mandatory) for critical control
• ICS Components:
– PLC (Programmable Logic Controller): Ruggedized industrial computer controlling machinery/processes
– SCADA: Supervisory system monitoring geographically dispersed assets (power grids, pipelines)
– HMI (Human-Machine Interface): Graphical dashboard for operator interaction with PLCs
– Data Historian: Time-series database aggregating sensor data for trend analysis
• IoT: Internet-connected sensors/devices collecting/exchanging data; often constrained
• Unpatchable: Firmware locked, vendor EOL, or no OTA update mechanism
• Lack of Standards: Proprietary protocols, no universal security baselines
• Rushed to Market: Speed-to-market prioritized over security testing
• Resource Constraints: Limited CPU, memory, power—too constrained to run strong encryption or EDR agents