Cloud Computing — Complete Study Notes
Simple, exam-focused notes for SSC, Banking (IBPS/SBI/RBI), Railway (RRB), UPSC & other government exams — with the latest cloud terms and India’s cyber/data laws. Built for fast learning and revision.
1 What is Cloud Computing?
Definition
Cloud computing means renting IT services — servers, storage, databases, software — over the internet on a pay-as-you-use basis, instead of buying and maintaining your own hardware. Major providers: AWS, Microsoft Azure, Google Cloud (GCP).
- You pay only for what you use (like electricity) — no big upfront cost.
- Resources are available on demand and can scale up or down instantly.
- The official model is defined by NIST (US National Institute of Standards & Technology).
Exam Tip Remember the simplest one-liner: “Cloud = computing services delivered over the internet.” This exact definition is the most repeated MCQ.
2 5 Essential Characteristics (NIST)
| Characteristic | Meaning |
|---|---|
| On-demand self-service | Get resources instantly, no human help needed |
| Broad network access | Use from anywhere on any device via internet |
| Resource pooling | Many users share the same physical resources (multi-tenancy) |
| Rapid elasticity | Scale up or down quickly as demand changes |
| Measured service | Usage is metered → pay-as-you-go billing |
Mnemonic S-N-R-E-M → Self-service · Network access · Resource pooling · Elasticity · Metering.
3 Service Models — Who Manages What
| Model | You manage | Provider manages | Easy analogy |
|---|---|---|---|
| IaaS | OS, apps, data | Hardware, network, storage | Empty flat — you furnish it |
| PaaS | Apps, data | OS, middleware, runtime, infra | Furnished flat |
| SaaS | Only your data & settings | Everything else | Hotel room — ready to use |
| Serverless / FaaS | Only your code | Full infra + auto-scaling | Restaurant — you order, they cook |
Remember Moving IaaS → PaaS → SaaS, you control less and the provider manages more. Examples: IaaS = AWS EC2; PaaS = Google App Engine; SaaS = Gmail / Dropbox; FaaS = AWS Lambda.
4 Deployment Models
| Model | Owned by | Best for | Example |
|---|---|---|---|
| Public | Cloud provider | Low cost & scale | Gmail, AWS EC2 |
| Private | One organisation | Sensitive data, full control | Bank’s in-house cloud |
| Hybrid | Mix of public + private | Flexibility | Core data private, websites public |
| Community | Group of organisations | Shared rules/compliance | Government research cloud |
| Multi-Cloud | Multiple providers | Avoid vendor lock-in | Use AWS + Azure together |
Exam Tip Public = cheap & scalable; Private = secure & controlled; Hybrid = best of both.
5 Virtualization, VMs & Containers
Virtualization is the technology that makes cloud computing possible.
- Virtualization: running many virtual machines (VMs) on one physical server.
- Hypervisor: the software that creates and runs VMs (e.g. VMware, Hyper-V).
- Container (Docker): a lightweight package of an app that shares the host OS — faster & smaller than a VM.
- Kubernetes (K8s): tool that manages/orchestrates many containers.
Virtualization vs Cloud Computing
| Aspect | Virtualization | Cloud Computing |
|---|---|---|
| Focus | Creating virtual machines | Delivering services over the internet |
| Control | You manage the infra + VMs | Provider manages the infra layers |
| Scale | Limited by your hardware | On-demand, almost unlimited |
| Examples | VMware, Hyper-V | AWS, Azure, GCP |
Common Trap Virtualization is not the same as cloud. Cloud uses virtualization, but adds self-service, internet delivery, and pay-per-use on top.
6 Key Technologies
| Technology | What it does | Example |
|---|---|---|
| Containers | Lightweight, portable app units | Docker |
| Orchestration | Manages many containers | Kubernetes |
| Microservices | App split into many small services via APIs | Netflix architecture |
| IaC (Infra as Code) | Build infrastructure using code | Terraform |
| Serverless (FaaS) | Run event-driven code, no server to manage | AWS Lambda |
| SDN | Software-controlled networking | Programmable networks |
| CDN | Delivers content faster via edge servers | CloudFront, Cloudflare |
| Edge / Fog Computing | Processing data near its source (not far-off datacentre) | IoT devices, smart cameras |
Exam Tip Edge computing (processing data close to where it is generated) is a rising topic — useful for IoT, self-driving cars and low-latency apps.
7 Top Cloud Providers & Services
| Provider | Owned by | Compute | Object Storage |
|---|---|---|---|
| AWS | Amazon (market leader) | EC2 | S3 |
| Azure | Microsoft | Azure VMs | Blob Storage |
| Google Cloud (GCP) | Compute Engine | Cloud Storage |
Remember AWS = Amazon · Azure = Microsoft · GCP = Google. AWS is the world’s largest cloud provider; AWS S3 is the classic example of object storage.
8 Benefits & Challenges
✓ Benefits
- Lower cost (no big upfront hardware spend)
- Rapid scaling for traffic spikes
- Fast deployment of new services
- Better backup & disaster recovery
- Global access & collaboration
✗ Challenges
- Data security & privacy concerns
- Compliance / data-location rules
- Vendor lock-in (hard to switch)
- Dependence on the internet
- Less direct control over infra
9 Cloud Security
Shared Responsibility Model
The provider secures the cloud (data-centres, hardware, hypervisor). The customer secures what is in the cloud (their data, apps, user identity, encryption). This is the single most-asked cloud-security concept.
Core Security Controls
- IAM (Identity & Access Management): give users the least privilege they need.
- Encryption: protect data at rest and in transit.
- Network controls: VPC, firewalls, security groups, WAF (Web Application Firewall).
- Monitoring & logging: keep logs for audit and forensics.
- VAPT: Vulnerability Assessment & Penetration Testing — regular checks.
Common Cloud Threats & Modern Defences
| Term | Meaning |
|---|---|
| Misconfiguration | Wrong settings (e.g. public S3 bucket) — the #1 cause of cloud data leaks |
| Account Hijacking | Attacker steals login/credentials to access cloud accounts |
| Insecure APIs | Weakly protected interfaces that attackers exploit |
| DDoS | Flooding a service with traffic to make it crash |
| Zero Trust | “Never trust, always verify” — verify every user/device every time |
| CASB | Cloud Access Security Broker — security checkpoint between user & cloud |
| Confidential Computing | Keeps data encrypted even while it is being processed |
10 Business Continuity & Disaster Recovery (DR)
| Term | Meaning (easy) |
|---|---|
| RTO (Recovery Time Objective) | Maximum acceptable downtime (how fast you must recover) |
| RPO (Recovery Point Objective) | Maximum acceptable data loss, measured in time |
| Hot site | Fully ready duplicate — instant failover |
| Warm site | Partly ready — needs some setup time |
| Cold site | Empty space — slow to start |
| Cloud Bursting | Use private infra normally, “burst” into public cloud at peak load |
Don’t Confuse RTO = time to recover · RPO = how much data you can lose. A frequent banking-exam trap.
11 Cloud Migration — The 6 R’s
| R | One-line meaning |
|---|---|
| Rehost | “Lift & shift” — move as-is |
| Refactor | Make small changes to suit cloud |
| Re-architect / Revise | Redesign as cloud-native |
| Rebuild | Rewrite the app from scratch |
| Replace | Switch to a ready SaaS product |
| Retire | Shut down old, unused systems |
Memorise Rehost · Refactor · Revise · Rebuild · Replace · Retire (the 6 R’s).
12 🇮🇳 India’s Cloud & Cyber Framework
High-value for UPSC, banking & current-affairs sections. These appear often and are easy to score.
| Initiative / Law / Body | Key Points (exam-ready) |
|---|---|
| MeghRaj (GI Cloud) | Government of India’s national cloud initiative by MeitY to deliver e-governance services through the cloud and cut IT costs |
| MeitY CSP Empanelment | MeitY empanels (approves) Cloud Service Providers that government departments are allowed to use |
| IT Act, 2000 | India’s primary cyber law (amended 2008); covers cyber crimes & digital signatures; Sec 70B → CERT-In, Sec 70A → NCIIPC |
| CERT-In | Indian Computer Emergency Response Team — national nodal agency for cyber incidents (under MeitY). 2022 Directions: report incidents within 6 hours; keep logs for 180 days in India |
| NCIIPC | National Critical Information Infrastructure Protection Centre — protects critical sectors (power, banking, telecom) |
| National Cyber Security Policy, 2013 | India’s first cyber security policy (by MeitY). A new National Cyber Security Strategy has been drafted but not yet officially released |
| DPDP Act, 2023 | India’s first comprehensive data-protection law. DPDP Rules notified in Nov 2025; sets up the Data Protection Board of India; penalties up to ₹250 crore |
| RBI Data Localization (2018) | RBI directive: all payment system data must be stored only in India |
| I4C | Indian Cyber Crime Coordination Centre (under MHA); runs the national portal cybercrime.gov.in |
Exam Tip Easy points to lock in: CERT-In = 6-hour rule · DPDP Act 2023 → max penalty ₹250 crore · MeghRaj = government cloud · RBI = payment data only in India.
13 Latest Terms & Trends
| Term | Simple meaning |
|---|---|
| Sovereign Cloud | Cloud that keeps data within a country’s borders & laws |
| Edge Computing | Processing data near its source for speed (IoT, sensors) |
| AI / GenAI as a Service | Renting AI models & tools from the cloud (no own GPUs) |
| FinOps | Managing & optimising cloud spending |
| SASE | Secure Access Service Edge — combines networking + security in the cloud |
| Zero Trust | Trust no one by default; verify every access request |
| Confidential Computing | Data stays encrypted even while in use |
14 Important Full Forms
| Abbr. | Full Form | Abbr. | Full Form |
|---|---|---|---|
| IaaS | Infrastructure as a Service | PaaS | Platform as a Service |
| SaaS | Software as a Service | FaaS | Function as a Service |
| AWS | Amazon Web Services | GCP | Google Cloud Platform |
| VM | Virtual Machine | VPC | Virtual Private Cloud |
| CDN | Content Delivery Network | SDN | Software-Defined Networking |
| IAM | Identity & Access Management | WAF | Web Application Firewall |
| SLA | Service Level Agreement | API | Application Programming Interface |
| RTO | Recovery Time Objective | RPO | Recovery Point Objective |
| NIST | National Institute of Standards & Technology | VAPT | Vulnerability Assessment & Penetration Testing |
| CERT-In | Indian Computer Emergency Response Team | DPDP | Digital Personal Data Protection (Act) |
| NCIIPC | National Critical Information Infrastructure Protection Centre | CASB | Cloud Access Security Broker |
15 Comparison Charts
Public Cloud
- Owned by provider
- Cheap & highly scalable
- Shared resources
- e.g. AWS, Gmail
Private Cloud
- Owned by one organisation
- More secure & controlled
- Costlier
- e.g. bank’s own cloud
Virtual Machine
- Has its own full OS
- Heavier, slower to start
- Uses a hypervisor
Container
- Shares host OS
- Lightweight, fast start
- Uses Docker
RTO
- Recovery Time Objective
- Max acceptable downtime
- “How fast to recover”
RPO
- Recovery Point Objective
- Max acceptable data loss
- “How much data can be lost”
🧠 Solved MCQs — Based on Exam Trends
Curated, high-frequency questions with answers + one-line explanations. Click “Show Answer” to self-test.
Set A · Basics & Characteristics
1. Cloud computing is best described as:
- A) Local data storage only
- B) Delivery of computing services over the internet
- C) A weather forecasting system
- D) On-premises hardware leasing only
Show Answer
B. Cloud delivers servers, storage and software over the internet on demand.
2. Which is NOT a key characteristic of cloud computing?
- A) On-demand self-service
- B) Broad network access
- C) Fixed resource capacity that never changes
- D) Resource pooling
Show Answer
C. Cloud is elastic — capacity changes with demand, it is never fixed.
3. “Pay-as-you-go” in cloud means:
- A) Pay for maximum capacity upfront
- B) Pay only for resources you actually use
- C) Flat monthly fee regardless of usage
- D) Pay before any usage
Show Answer
B. Also called metered/measured service — you are billed by actual usage.
4. The cloud computing reference model (5 traits) is defined by:
- A) ISRO
- B) NIST
- C) RBI
- D) WHO
Show Answer
B. NIST (US National Institute of Standards & Technology) gave the standard definition.
5. “Resource pooling” means:
- A) One user per resource always
- B) Resources serve many users via virtualization (multi-tenancy)
- C) No sharing of resources
- D) Only physical servers
Show Answer
B. Many customers share the same physical infrastructure securely.
Set B · Service & Deployment Models
6. Which is NOT a cloud service model?
- A) IaaS
- B) PaaS
- C) SaaS
- D) HaaS (Hardware as a Service)
Show Answer
D. The three main models are IaaS, PaaS and SaaS (plus FaaS/Serverless).
7. In IaaS, the customer is responsible for:
- A) Hardware and network
- B) Operating system, applications and data
- C) Everything including physical hardware
- D) Nothing
Show Answer
B. The provider gives raw infra; the customer manages the OS, apps and data.
8. Gmail / Dropbox are examples of:
- A) IaaS
- B) PaaS
- C) SaaS
- D) FaaS
Show Answer
C. Ready-to-use software over the internet = SaaS (“hotel room” analogy).
9. Google App Engine is an example of:
- A) IaaS
- B) PaaS
- C) SaaS
- D) Object storage
Show Answer
B. It gives developers a ready platform/runtime to build apps = PaaS.
10. A deployment model owned by a single organisation for internal use is:
- A) Public cloud
- B) Private cloud
- C) Hybrid cloud
- D) Community cloud
Show Answer
B. Private cloud = highest control & security, used by one organisation.
11. A model combining public + private clouds is:
- A) Community
- B) Public
- C) Hybrid
- D) Private
Show Answer
C. Hybrid = sensitive workloads on private, public-facing on public cloud.
12. “Vendor lock-in” means:
- A) Easy switching between providers
- B) Being so dependent on one provider that switching is very hard
- C) Using many providers by default
- D) Free migration
Show Answer
B. A multi-cloud strategy is used to reduce vendor lock-in.
Set C · Technology & Security
13. The technology that allows many virtual machines on one server is:
- A) Containerization
- B) Virtualization
- C) Serverless
- D) Blockchain
Show Answer
B. Virtualization (via a hypervisor) underlies all cloud computing.
14. Compared to a full VM, a Docker container is:
- A) Heavier with its own OS
- B) Lightweight, portable, shares the host OS
- C) Only for mainframes
- D) Only for physical servers
Show Answer
B. Containers share the host OS, so they start faster and use fewer resources.
15. Kubernetes is mainly used for:
- A) Writing code
- B) Orchestrating (managing) containers
- C) Sending emails
- D) Encrypting disks
Show Answer
B. Kubernetes automates deployment and scaling of containers.
16. In the shared responsibility model:
- A) Customer secures everything
- B) Provider secures everything
- C) Provider secures the infrastructure; customer secures their data & apps
- D) No one is responsible
Show Answer
C. Provider = security of the cloud; customer = security in the cloud.
17. Which is a cloud security control?
- A) IAM
- B) Data encryption
- C) Firewalls / security groups
- D) All of the above
Show Answer
D. Cloud security uses identity, encryption and network controls together.
18. The leading cause of cloud data leaks is usually:
- A) Misconfiguration (e.g. public storage buckets)
- B) Slow internet
- C) Too much encryption
- D) Using IAM
Show Answer
A. Most cloud breaches come from wrong settings, not provider failure.
19. “Zero Trust” security means:
- A) Trust all internal users automatically
- B) Never trust, always verify every access
- C) No passwords needed
- D) Disable firewalls
Show Answer
B. Every user/device must be verified each time, regardless of location.
Set D · DR, Migration & Governance
20. RTO (Recovery Time Objective) is:
- A) Max acceptable data loss
- B) Max acceptable downtime of a service
- C) Network latency
- D) Number of DR servers
Show Answer
B. RTO = how quickly a service must be back up after failure.
21. RPO (Recovery Point Objective) is:
- A) Max acceptable downtime
- B) Max acceptable data loss measured in time
- C) Speed of internet
- D) Number of users
Show Answer
B. RPO = how much data (in time) you can afford to lose.
22. Which is NOT a type of DR site?
- A) Hot site
- B) Warm site
- C) Cold site
- D) Blue site
Show Answer
D. The three DR site types are hot, warm and cold.
23. “Cloud bursting” means:
- A) Permanently moving everything to cloud
- B) Using on-prem infra normally, then bursting into public cloud at peak load
- C) Deleting cloud data
- D) Never using cloud
Show Answer
B. A hybrid technique to handle sudden demand spikes.
24. In the IaaS → PaaS → SaaS direction:
- A) The customer manages more
- B) The customer manages less
- C) No pattern
- D) The provider manages less
Show Answer
B. Moving toward SaaS, the customer controls less and the provider manages more.
🎯 Expected / High-Probability MCQs
India-context & latest-trend questions likely to appear in upcoming exams.
1. MeghRaj is associated with:
- A) A weather satellite
- B) The Government of India’s national cloud initiative
- C) A digital currency
- D) A railway project
Show Answer
B. MeghRaj (GI Cloud) is MeitY’s initiative to deliver e-governance through the cloud.
2. Under the CERT-In 2022 Directions, cyber incidents must be reported within:
- A) 72 hours
- B) 24 hours
- C) 6 hours
- D) 30 days
Show Answer
C. India mandates reporting within 6 hours — among the strictest globally.
3. CERT-In functions under which ministry?
- A) Ministry of Home Affairs
- B) Ministry of Electronics & IT (MeitY)
- C) Ministry of Defence
- D) Ministry of Finance
Show Answer
B. CERT-In is the national nodal agency for cyber incidents under MeitY (IT Act Sec 70B).
4. The DPDP Act, 2023 deals primarily with:
- A) Cloud pricing
- B) Protection of personal data
- C) Foreign trade
- D) Stock markets
Show Answer
B. The Digital Personal Data Protection Act is India’s first comprehensive data-protection law; its Rules were notified in Nov 2025 and it sets up the Data Protection Board of India.
5. As per RBI’s 2018 directive, payment system data must be stored:
- A) Anywhere in the world
- B) Only in India
- C) Only in the USA
- D) On paper
Show Answer
B. RBI’s data-localization rule requires payment data to be stored only in India.
6. India’s primary cyber law is the:
- A) IT Act, 2000
- B) RTI Act, 2005
- C) Companies Act, 2013
- D) RBI Act, 1934
Show Answer
A. The Information Technology Act, 2000 (amended 2008) is India’s main cyber law.
7. Processing data near where it is generated (e.g. IoT devices) is called:
- A) Edge computing
- B) Batch computing
- C) Cold storage
- D) Vendor lock-in
Show Answer
A. Edge computing reduces latency by processing data close to the source.
8. A cloud that keeps data within a country’s borders and laws is a:
- A) Public cloud
- B) Sovereign cloud
- C) Community cloud
- D) Hybrid cloud
Show Answer
B. A sovereign cloud is designed to meet a nation’s data-residency and legal rules.
9. NCIIPC is responsible for protecting:
- A) Critical Information Infrastructure (power, banking, telecom)
- B) Social media accounts
- C) Mobile apps only
- D) Email spam
Show Answer
A. NCIIPC = National Critical Information Infrastructure Protection Centre.
10. “Confidential computing” protects data:
- A) Only at rest
- B) Only in transit
- C) Even while it is being processed (in use)
- D) Only on paper
Show Answer
C. It keeps data encrypted during processing — the newest layer of data protection.
📄 One-Page Cheat Sheet
| Topic | Quick Recall |
|---|---|
| Cloud | IT services over the internet (AWS / Azure / GCP) |
| 5 Traits (NIST) | Self-service · Network · Pooling · Elasticity · Metering (S-N-R-E-M) |
| Service models | IaaS → PaaS → SaaS → Serverless (you manage less →) |
| Deployment | Public · Private · Hybrid · Community · Multi-cloud |
| Virtualization | Many VMs on one server (via hypervisor) |
| Container vs VM | Container = lightweight, shares OS; VM = full OS |
| Shared responsibility | Provider secures cloud; customer secures data |
| DR | RTO = downtime limit; RPO = data-loss limit |
| 6 R’s | Rehost, Refactor, Revise, Rebuild, Replace, Retire |
| MeghRaj | Government of India’s cloud (MeitY) |
| CERT-In | Cyber incident reporting in 6 hours (under MeitY) |
| DPDP Act 2023 | Data-protection law; penalty up to ₹250 crore |
| RBI 2018 | Payment data stored only in India |
| IT Act 2000 | India’s primary cyber law |
5-Second Memory Hooks
SaaS = Hotel room · IaaS = Empty flat · RTO = Recover fast · RPO = Data lost · CERT-In = 6 hours · DPDP = ₹250 crore.
✦ Cloud Computing — Complete Study Notes · GyanDesk · Made for quick learning & smart revision ✦