In this chapter, we discuss the threats, challenges, and guidance associated with securing an organization’s core IT infrastructure at the network, host, and application levels. Information security practitioners commonly use this approach; therefore, it is readily familiar to them. We discuss this infrastructure security in the context of SPI service delivery models (SaaS, PaaS, and IaaS). Non-information security professionals are cautioned not to simply equate infrastructure security to infrastructure-as-a-service (IaaS) security. Although infrastructure security is more highly relevant to customers of IaaS, similar consideration should be given to providers’ platform-as-a-service (PaaS) and software-as-a-service (SaaS) environments, since they have ramifications to your customer threat, risk, and compliance management. Another dimension is the cloud business model (public, private, and hybrid clouds), which is orthogonal to the SPI service delivery model; what we highlight is the relevance of discussion points as they apply to public and private clouds. When discussing public clouds the scope of infrastructure security is limited to the layers of infrastructure that move beyond the organization’s control and into the hands of service providers (i.e., when responsibility to a secure infrastructure is transferred to the cloud service provider or CSP, based on the SPI delivery model). Information in this chapter is critical for customers in gaining ...