Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Cloud Services Explained

Published 07/05/2022

Cloud Services Explained

NIST defines three service models which describe the different foundational categories of cloud services:

Infrastructure as a Service (IaaS) offers access to a resource pool of fundamental computing infrastructure, such as compute, network, or storage. We sometimes call these the “SPI” tiers.

Platform as a Service (PaaS) abstracts and provides development or application platforms, such as databases, application platforms (e.g. a place to run Python, PHP, or other code), file storage and collaboration, or even proprietary application processing (such as machine learning, big data processing, or direct API access to features of a full SaaS application). The key differentiator is that, with PaaS, you don’t manage the underlying servers, networks, or other infrastructure.

Software as a Service (SaaS) is a full application that’s managed and hosted by the provider. Consumers access it with a web browser, mobile app, or a lightweight client app.


Infrastructure as a Service

Physical facilities and infrastructure hardware form the foundation of IaaS. With cloud computing, we abstract and pool these resources, but at the most basic level we always need physical hardware, networks, and storage to build on. These resources are pooled using abstraction and orchestration. Abstraction, often via virtualization, frees the resources from their physical constraints to enable pooling. Then orchestration (a set of core connectivity and delivery tools) ties these abstracted resources together, creates the pools, and provides the automation to deliver them to customers.

All this is facilitated using Application Programming Interfaces (APIs). In most cases, those APIs are both remotely accessible and wrapped into a web-based user interface. This combination is known as the cloud management plane, since consumers use it to manage and configure cloud resources, such as launching virtual machines (instances) or configuring virtual networks.

Thus, IaaS consists of a facility, some hardware, an abstraction layer, an orchestration layer (core connectivity and delivery) to tie together the abstracted resources, and APIs to remotely manage the resources and deliver them to consumers.


Platform as a Service

Of all the service models, PaaS is the hardest to definitively characterize due to both the wide range of PaaS offerings and the many ways of building PaaS services. PaaS adds an additional layer of integration with application development frameworks, middleware capabilities, and functions such as databases, messaging, and queuing. These services allow developers to build applications on the platform with programming languages and tools that are supported by the stack.

One option, frequently seen in the real world and illustrated in our model, is to build a platform on top of IaaS. A layer of integration and middleware is built on IaaS, then pooled together, orchestrated, and exposed to customers using APIs as PaaS. For example, a Database as a Service could be built by deploying modified database management system software on instances running in IaaS. The customer manages the database via API (and a web console) and accesses it either through the normal database network protocols, or, again, via API.

In PaaS, the cloud user only sees the platform, not the underlying infrastructure. In our example, the database expands (or contracts) as needed based on utilization, without the customer having to manage individual servers, networking, or patches.


Software as a Service

SaaS services are full, multitenant applications, with all the architectural complexities of any large software platform. Many SaaS providers build on top of IaaS and PaaS due to the increased agility, resilience, and (potential) economic benefits.

Most modern cloud applications (SaaS or otherwise) use a combination of IaaS and PaaS, sometimes across different cloud providers. Many also tend to offer public APIs for some (or all) functionality. They often need these to support a variety of clients, especially web browsers and mobile applications.

Thus, all SaaS tends to have an application/logic layer and data storage, with an API on top. Then there are one or more presentation layers, often including web browsers, mobile applications, and public API access.



To learn more about the security of cloud services, read the CSA Security Guidance for Critical Areas of Focus in Cloud Computing.

Share this content on your favorite social network today!