Cloud Computing Concepts
The NIST definition and its five characteristics
Is a service "the cloud"? CCSP refuses to argue about marketing and grades the answer against one document: NIST Special Publication 800-145[1]. It defines cloud computing as a model for enabling on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort. That single sentence carries the whole exam: a service counts as cloud only when it exhibits all five essential characteristics, and NIST then sorts cloud into three service models and four deployment models (both covered in the reference-architecture subtopic). Treat the five characteristics as a checklist, not a vibe: drop any one and the offering is hosting or managed IT, not cloud.
The five essential characteristics
Each characteristic is testable on its own, and questions love to describe a setup that is missing exactly one.
- On-demand self-service. The consumer provisions compute, storage, and other capabilities automatically, without requiring human interaction with the provider. The tell is the absence of a ticket or a phone call: you click or call an API and capacity appears.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that work across heterogeneous clients (laptops, phones, thin clients). This is what makes the service reachable from anywhere, and also what enlarges the attack surface.
- Resource pooling. The provider's resources are pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned on demand. The consumer generally has no control or knowledge of the exact location of the resources. Pooling is the root of multi-tenancy, and therefore the root of every tenant-isolation concern later in the exam.
- Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward with demand. To the consumer the available capacity often appears unlimited and can be appropriated in any quantity at any time.
- Measured service. Resource usage is monitored, controlled, and reported, providing transparency for both provider and consumer. Metering is what turns capital expense into metered operating expense, and the usage logs it produces become audit and anomaly-detection data.
A useful exam habit: when a stem says "a customer must email the provider to add capacity," self-service fails; when it says "a fixed monthly fee regardless of use," measured service fails; when it says "dedicated hardware reserved for one customer," resource pooling fails. In each case the correct answer is that the service is not cloud by the NIST definition.
Cloud roles and how responsibility splits
The five characteristics describe the technology; the cloud roles describe the people, and they exist so a question can ask "whose job is this?" and have one right answer. NIST SP 500-292[2] and ISO/IEC 17788 name the actors a CCSP must place precisely.
The roles
- Cloud service customer (consumer). The organization or person that uses the cloud service. In NIST's vocabulary this is the cloud consumer; ISO calls it the cloud service customer. Treat the terms as the same role.
- Cloud service provider (CSP). The entity that makes the service available: it builds, operates, and secures the underlying infrastructure and platform.
- Cloud service partner. A party that supports the provider or customer, for example a developer building on the platform, a system integrator, or an independent cloud auditor who assesses controls.
- Cloud service broker. An intermediary that negotiates relationships and adds value (aggregation, integration, or customization) between consumers and providers, often without the consumer dealing with the provider directly.
- Cloud auditor / regulator. The auditor independently examines services and controls against a standard; a regulator imposes legal or sector rules the parties must meet. Both are oversight roles, not operators.
A recurring trap is to blur broker and partner. The broker is specifically the value-adding intermediary in the commercial relationship; the partner is the broader category of any supporting party, auditor included.
Roles drive the shared responsibility model
Naming the role is step one; the payoff is the shared responsibility model[3], the principle that security duties are divided between provider and customer according to the service model. The rule to internalize: the provider always secures what is below the line, the customer always secures what is above it, and the line moves up the stack as you go IaaS to PaaS to SaaS. In IaaS the customer owns the OS, runtime, and data; in PaaS the provider also takes the OS and runtime, leaving the customer the application and data; in SaaS the provider runs almost everything and the customer is left mainly with data, identities, and access configuration. Two duties never transfer no matter the model: classifying and protecting your own data, and managing your own identities and access. An exam item that says "in SaaS the provider is responsible for everything" is wrong for exactly that reason.
Building-block technologies
The five characteristics are outcomes; this section is the machinery that produces them. CCSP groups the building blocks as virtualization, storage, networking, databases, and orchestration, and the exam expects you to connect each block to the characteristic it enables and the risk it introduces.
Virtualization
Virtualization is the foundation. A hypervisor abstracts one physical host into many isolated virtual machines (VMs), each believing it owns the hardware, which is exactly what makes resource pooling and elasticity possible. A Type 1 (bare-metal) hypervisor runs directly on the hardware and is what clouds use for tenant workloads; a Type 2 (hosted) hypervisor runs on top of a host OS and is a desktop or lab tool. Containers are the lighter sibling: they share the host's kernel and isolate at the OS level instead of emulating hardware, so they start in milliseconds and pack densely, at the cost of weaker isolation than a VM. The security headline for this whole block is the hypervisor as a high-value target: compromise it and you reach every tenant on the host, and a flaw that lets a tenant break out of its VM or container is a VM escape, the multi-tenancy nightmare.
Storage and networking
Cloud storage is software-defined: capacity is provisioned by API and presented as block volumes, object stores, or file shares, decoupled from any specific disk. Software-defined networking (SDN) does the same for connectivity, separating the control plane (which decides where traffic goes) from the data plane (which forwards it), so networks become programmable. Both are what let self-service and elasticity actually happen, because a human no longer racks a disk or patches a cable. The risk they add is that a single misconfigured API call (a storage bucket left public, a security-group rule opened to the internet) now exposes data at scale.
Databases and orchestration
Managed database services push patching, backup, and replication to the provider, trading some control for less operational burden, and they come in relational and non-relational (NoSQL) forms. Orchestration is the conductor: it automates provisioning, scaling, and teardown across all the other blocks, and in modern practice it is expressed as Infrastructure as Code (IaC), where the whole environment is defined in version-controlled templates. Orchestration is what makes "rapid, automatic" elasticity real. Its risk is concentration of power: whoever controls the orchestration or IaC pipeline can build or destroy the entire estate, so that pipeline becomes a prime target and a prime place for least-privilege and change control.
Exam-pattern recognition
CCSP questions on this subtopic reward precise memory of NIST's vocabulary. A few recurring patterns cover most of them.
"Is this cloud?" stems
The stem describes a deployment and asks whether it qualifies as cloud computing, or which characteristic is missing. Map the scenario to the five: no API or portal to self-provision means on-demand self-service is absent; a flat monthly fee unrelated to usage means measured service is absent; hardware dedicated to one tenant means resource pooling is absent. The correct answer names the missing characteristic, or concludes "not cloud." The classic distractor offers a real-sounding sixth characteristic ("high availability," "automation") that is not one of NIST's five; reject it, because availability is a shared consideration, not an essential characteristic.
"Whose responsibility?" stems
The stem gives a service model and an incident (a leaked record, an unpatched OS) and asks who is accountable. Walk the shared responsibility line for that model: in IaaS the customer patches the OS, so an unpatched guest OS is the customer's fault; in SaaS the provider runs the platform, so a platform vulnerability is the provider's, but a misconfigured sharing setting or a weak user identity is still the customer's, because data and identity never transfer. The trap answer assigns data protection to the provider in SaaS; it is always the customer's.
Role-identification stems
The stem describes an actor and asks which cloud role it is. "Independently assesses the provider's controls" is the cloud auditor; "negotiates and bundles services between you and several providers" is the cloud broker; "uses the service to run its business" is the cloud customer/consumer. The distractor swaps broker for partner or auditor; keep broker pinned to the value-adding commercial intermediary.
Multi-tenancy and building-block stems
When a stem raises a noisy neighbor, data co-residency, or one tenant reaching another, trace it to resource pooling and its multi-tenant model, and the right control is tenant isolation. When it describes one tenant breaking out of its VM to the host or other tenants, that is a VM escape rooted in the hypervisor, the highest-value target in the virtualization block.
NIST SP 800-145 five essential characteristics
| Characteristic | What it means | Building block that delivers it | Security angle it raises |
|---|---|---|---|
| On-demand self-service | Consumer provisions compute and storage automatically, with no human intervention from the provider | Orchestration, self-service portals and APIs | Misconfiguration risk shifts to the customer who self-provisions |
| Broad network access | Capabilities are available over the network and reached through standard clients (phones, laptops, thin clients) | Software-defined networking, standard protocols | Larger exposed attack surface; transport must be encrypted |
| Resource pooling | Provider resources serve multiple tenants from one pool, with physical location abstracted from the consumer | Virtualization (multi-tenant hypervisor) | Multi-tenancy demands strong tenant isolation and data segregation |
| Rapid elasticity | Capacity scales out and in quickly, appearing effectively unlimited to the consumer | Virtualization plus auto-scaling orchestration | Ephemeral, fast-changing assets are hard to inventory and patch |
| Measured service | Resource use is metered, monitored, and reported, so billing matches consumption | Metering and monitoring of the management plane | Billing and usage logs become a source of audit and anomaly data |
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- NIST SP 800-145 is the definition CCSP grades against
The exam settles "what is cloud" with NIST SP 800-145: on-demand network access to a shared pool of configurable resources, rapidly provisioned and released with minimal management. It fixes exactly five essential characteristics, three service models (IaaS, PaaS, SaaS), and four deployment models (public, private, community, hybrid). When a stem asks whether something qualifies as cloud, check it against this definition rather than any vendor description.
- A service is cloud only if it shows all five essential characteristics
The five are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. They are required together: drop any one and the offering is hosting or managed IT, not cloud, under the NIST test. Questions commonly describe a setup missing exactly one and ask which characteristic is absent.
Trap Treating high availability, automation, or security as a sixth NIST characteristic; availability is a shared consideration, not one of the five essential characteristics.
- On-demand self-service means no human ticket to provision
On-demand self-service lets the consumer provision compute and storage automatically, without human interaction with the provider. The tell that it is absent is a required phone call, email, or support ticket to add capacity. If a stem says the customer must contact the provider to scale, this characteristic fails and the service is not cloud.
- Resource pooling is the source of multi-tenancy and isolation risk
Resource pooling means the provider serves many consumers from one pool using a multi-tenant model, with physical location abstracted from the consumer. Because tenants share underlying hardware, pooling is the root of every tenant-isolation, data co-residency, and noisy-neighbor concern in the rest of the exam. Dedicated single-tenant hardware fails this characteristic.
Trap Assuming a single-tenant dedicated host still counts as cloud; without pooling it fails the NIST test even if it is virtualized.
4 questions test this
- An organization is migrating a multi-tenant SaaS application to the cloud. The security architect is concerned about the resource pooling…
- An organization is deploying a multi-tenant cloud application and is concerned about performance degradation caused by one tenant's…
- A startup company is evaluating cloud deployment models for their new customer-facing application. They have limited capital, require rapid…
- A security team is evaluating the 'noisy neighbor' problem in a public cloud environment. Which combination of cloud characteristics…
- Rapid elasticity scales out and in, appearing unlimited
Rapid elasticity provisions and releases capacity quickly, often automatically, scaling outward and inward with demand so capacity appears effectively unlimited to the consumer. It is the characteristic that turns fixed capacity planning into scale-with-demand, and it is delivered by virtualization plus auto-scaling orchestration. A fixed pool that cannot shrink back down does not exhibit it.
- Measured service meters usage, enabling pay-per-use
Measured service monitors, controls, and reports resource usage, so billing matches consumption and both parties get transparency. It is what converts capital expense into metered operating expense, and its usage logs double as audit and anomaly-detection data. A flat fee unrelated to usage means measured service is absent.
Trap Reading a flat, usage-independent monthly fee as cloud pricing; without metering tied to consumption, measured service fails.
- Broad network access enlarges the attack surface
Broad network access means capabilities are reachable over the network through standard mechanisms across heterogeneous clients like laptops, phones, and thin clients. The same reach-from-anywhere property that defines it also widens exposure, which is why transport encryption and strong access control are baseline. It is about network reachability, not about bandwidth.
- Cloud roles assign accountability for each control
CCSP names the cloud service customer (consumer) who uses the service, the cloud service provider who builds and operates it, the cloud service partner who supports either side, the cloud broker who acts as a value-adding commercial intermediary, and the cloud auditor who independently assesses controls. Naming the role is how a question pins who is responsible for a given duty.
Trap Confusing the cloud broker with a partner; the broker is specifically the value-adding intermediary in the commercial relationship, while partner is the broader supporting category that also includes auditors.
- The cloud auditor independently assesses, it does not operate
The cloud auditor is an oversight role that independently examines a provider's services and controls against a standard, producing an opinion rather than running anything. Distinguish it from the provider (operates the service) and the broker (intermediates the deal). A stem describing someone who evaluates controls but does not deliver the service is naming the auditor.
5 questions test this
- A federal agency is adopting cloud services and needs to verify compliance with regulations and security policies. According to the NIST…
- In the NIST Cloud Computing Reference Architecture, which actor is responsible for conducting independent assessments of cloud services,…
- An organization requires independent verification that their cloud service provider's security controls are implemented correctly and…
- A federal agency is migrating to a cloud service and wants to ensure a third party can verify that security controls are implemented…
- According to NIST SP 500-292 Cloud Computing Reference Architecture, which actor is responsible for conducting independent assessment of…
Security duties split between provider and customer by service model: the provider always secures the layers below the line and the customer the layers above, and the line climbs the stack as you move IaaS to PaaS to SaaS. In IaaS the customer owns the OS, runtime, and data; in PaaS the provider also takes OS and runtime; in SaaS the provider runs almost everything. Match the model to the line to settle who is accountable for an incident.
Trap Assuming the provider handles everything in SaaS; the customer still owns data, identities, and access configuration in every model.
- Data and identity are always the customer's responsibility
Two duties never transfer to the provider regardless of service model: classifying and protecting your own data, and managing your own identities and access. So a leaked record from a misconfigured sharing setting or a weak user credential is the customer's fault even in SaaS, where the provider runs the platform. Exam items that hand data protection to the provider in SaaS are wrong for this reason.
8 questions test this
- An organization is implementing a hybrid cloud deployment using multiple cloud service providers coordinated through a cloud service…
- A security architect is evaluating how data protection responsibilities change across service models. Regardless of whether IaaS, PaaS, or…
- An organization using a SaaS-based customer relationship management (CRM) system wants to understand their security responsibilities under…
- A company has adopted a SaaS application for their customer relationship management system. Under the shared responsibility model, which…
- According to the shared responsibility model, which security responsibility remains with the cloud service customer REGARDLESS of the…
- When using a SaaS application for business operations, which security responsibility does the cloud service customer retain according to…
- When using a SaaS application for customer relationship management, which security responsibility does the cloud service customer retain…
- In the NIST cloud reference architecture, security is described as spanning all layers from physical to application security. When a cloud…
- Virtualization via the hypervisor is the foundation of pooling
A hypervisor abstracts one physical host into many isolated virtual machines, which is what makes resource pooling and elasticity possible. Type 1 (bare-metal) hypervisors run directly on hardware and host cloud tenant workloads; Type 2 (hosted) hypervisors run on a host OS and are desktop or lab tools. The hypervisor is a high-value target because compromising it reaches every tenant on that host.
Trap Picking a Type 2 hosted hypervisor as the basis of a multi-tenant cloud platform; clouds run Type 1 bare-metal hypervisors for tenant workloads.
18 questions test this
- A cloud architect is evaluating hypervisor options for an enterprise data center. From a security perspective, what is the PRIMARY reason…
- A security analyst is assessing virtualization threats for a cloud environment. Which attack would have the MOST significant impact if…
- A security professional is concerned about the risk of a VM escape attack in their cloud environment. Which of the following BEST describes…
- An attacker successfully exploits a vulnerability in a guest operating system and gains access to the hypervisor layer, subsequently…
- A cloud security architect is evaluating hypervisor options for a new multi-tenant cloud infrastructure. The primary concern is minimizing…
- A cloud security professional is assessing the risk of VM escape attacks in a multi-tenant virtualized environment. Which statement BEST…
- A cloud security architect is evaluating hypervisor options for a multi-tenant cloud environment. Which statement BEST describes the…
- An organization needs to run untrusted workloads in a containerized environment while maintaining strong security isolation. Which approach…
- A cloud service provider experiences a security incident where an attacker gains access from within a guest virtual machine and compromises…
- An organization runs containerized applications in a hostile multi-tenant cloud environment where security isolation between tenants is…
- An organization is running multiple tenant workloads in a virtualized environment and wants to protect against VM escape attacks. Which…
- An organization running containerized workloads in a multi-tenant cloud environment requires enhanced isolation to prevent potential…
- A cloud security professional is assessing the risk of VM escape attacks in the organization's virtualized environment. Which statement…
- An organization runs workloads requiring strong isolation in a Windows environment. The security team is comparing process-isolated…
- When evaluating cloud service providers, a security architect reviews the virtualization technology used. Which statement BEST describes…
- An organization is evaluating hypervisor technologies for their cloud infrastructure. The security team is concerned about minimizing the…
- According to NIST SP 800-125A, hypervisors have critical baseline functions that must be secured. A cloud security professional is…
- An attacker has successfully exploited a vulnerability in a cloud-hosted virtual machine and broken out of the guest OS to interact with…
- Containers share the kernel, so isolation is weaker than a VM
Containers isolate at the operating-system level and share the host kernel rather than emulating hardware, so they start in milliseconds and pack densely but provide weaker isolation than a full virtual machine. Choose them for lightweight, fast-scaling workloads while accepting that the shared kernel is the boundary an attacker would attack. A VM gives stronger isolation at the cost of weight.
Trap Assuming a container provides the same isolation strength as a VM; containers share the host kernel, so a kernel-level escape crosses the boundary.
5 questions test this
- A security team is implementing container security controls in a Linux environment. Which kernel feature provides process isolation by…
- A security architect is assessing risks associated with container-based deployments compared to traditional virtual machine architectures.…
- A security team is assessing isolation mechanisms for a multi-tenant cloud environment hosting workloads with different trust levels. Which…
- An organization needs to run untrusted workloads in a containerized environment while maintaining strong security isolation. Which approach…
- An organization runs containerized applications in a hostile multi-tenant cloud environment where security isolation between tenants is…
- A VM escape breaks tenant isolation from the hypervisor up
A VM escape is when a workload breaks out of its virtual machine or container to reach the host or other tenants, the worst-case failure of multi-tenancy. It traces to the hypervisor (or shared kernel), the highest-value target in the virtualization block, because reaching it exposes every co-resident tenant. Mitigation centers on hardening and patching the hypervisor and on strong tenant isolation.
8 questions test this
- A security analyst is assessing virtualization threats for a cloud environment. Which attack would have the MOST significant impact if…
- A security professional is concerned about the risk of a VM escape attack in their cloud environment. Which of the following BEST describes…
- An attacker successfully exploits a vulnerability in a guest operating system and gains access to the hypervisor layer, subsequently…
- A cloud security professional is assessing the risk of VM escape attacks in a multi-tenant virtualized environment. Which statement BEST…
- A cloud service provider experiences a security incident where an attacker gains access from within a guest virtual machine and compromises…
- An organization is running multiple tenant workloads in a virtualized environment and wants to protect against VM escape attacks. Which…
- A cloud security professional is assessing the risk of VM escape attacks in the organization's virtualized environment. Which statement…
- An attacker has successfully exploited a vulnerability in a cloud-hosted virtual machine and broken out of the guest OS to interact with…
- Software-defined storage and networking are provisioned by API
In cloud, storage and networking are software-defined: capacity and connectivity are provisioned programmatically through APIs rather than by racking disks or cabling, which is what self-service and elasticity actually require. SDN separates the control plane that decides routing from the data plane that forwards traffic. The risk is that a single misconfigured API call, like a public storage bucket or an open security-group rule, exposes data at scale.
- Orchestration and IaC make elasticity real but concentrate power
Orchestration automates provisioning, scaling, and teardown across the other building blocks, and modern practice expresses it as Infrastructure as Code: the whole environment defined in version-controlled templates. This is what makes rapid, automatic elasticity possible. Its risk is concentration: whoever controls the orchestration or IaC pipeline can build or destroy the entire estate, so that pipeline demands least privilege and change control.
Trap Treating the IaC or orchestration pipeline as low-risk plumbing; control of it is control of the whole environment, making it a prime target for privilege abuse.
- Managed databases trade control for less operational burden
Managed database services push patching, backup, and replication to the provider, so the customer trades some low-level control for reduced operational work, and they come in relational and non-relational (NoSQL) forms. The provider taking patching does not remove the customer's duty to secure access and classify the data inside. Choose managed services when operational simplicity outweighs the need for full host control.