The CFO and Cloud Adoption: 102

Published 01/14/2022

Written by Jeffrey Westcott, CPA, Chief Financial Officer, CSA.


In my last post, I discussed the NIST definition of the cloud. Let’s take this to the next level by discussing the different service models offered by cloud service providers (CSPs). Three basic delivery models – SaaS, PaaS and IaaS – are listed below. These are the basic and oft-referenced models, although myriad new offerings tend to obscure this differentiation. Some of these other services include SecaaS (Security), DaaS (Data), and yes, even XaaS (Anything-as-a-Service).

Three Basic Cloud Models

But the three fundamental cloud service models are listed here, including some notes about each one:

  • Software-as-a-Service – Salesforce, Gmail, Zoom, Slack and Microsoft Office 365 are all SaaS examples. The software is installed and maintained in the cloud, and you can access it with virtually any device with web access. No more installing software updates on your local machine. Chances are, you’re using SaaS in some form as you read this.
  • Platform-as-a-Service – PaaS outsources lower-level complexity for the continuous integration and deployment of applications, and falls between SaaS and IaaS. PaaS paves the way for development teams to adopt a strong, secure development process, with minimal configuration in contrast with IaaS offerings. This paradigm usually allows a wide array of resources, tools and third-party add-ons to be initialized and configured quickly and securely. (More on PaaS below.)
  • Infrastructure-as-a-Service – IaaS includes data storage and processing. It can be integrated with PaaS, or you can simply move your existing applications and data to the cloud IaaS. This second option is called lift and shift.

As an organization moves further up the cloud stack (meaning more utilization and incorporation of cloud resources), the interrelation of these services will increase and the definitions of these three models can become blurred.

PaaS

But of these three, the one that I am least familiar with is Platform-as-a-Service (or PaaS). I wanted to get my hands around what this service encompasses and its merits:

One of the benefits of PaaS is not having to worry about managing the low-level services required to maintain and configure development platforms and servers. Let the Dev Team develop rather than manage the production tools and services. Tedious platform updates are left to the CSP vendor, which simplifies the admin component for your organization and allows staff to concentrate on more value-added roles. This can be especially beneficial to smaller organizations.

Another benefit of PaaS is improved efficiency, including the continuous integration (CI) pipeline offered by many providers. CI is usually an integral component of PaaS and built into the service. This allows more seamless development through testing, staging and production, with the tools (and their updates) managed by the CSP. Again, this can free up resources within your organization.

PaaS makes many tools available for developers to employ. Yes, these come at a cost, but they can be utilized as needed - another good resource that this service offers.

Overall, SaaS, PaaS and IaaS are becoming cheaper, faster and more powerful, while adequate IT staffing and fulfillment within any organization (including both hiring and retention) is becoming increasingly costly and difficult. Part of the analysis on any investments or migrations – whether SaaS, PaaS or IaaS – is how many FTEs would need to be hired to fulfill these same roles. PaaS adoption (in my opinion) offers the most compelling savings and is especially beneficial for smaller organizations that do not have the resources to hire and support an entire systems admin team.

Existing Cloud Inventory – The First Step

Most organizations have some level of cloud exposure, and this needs to be assessed and monitored. A good starting point is to assess what cloud tools are currently utilized in your cloud journey. From the accounting side, we analyze the ongoing spending on these services and conduct periodic audits on all CSP vendors, looking for redundancies, cost savings, irregularities, etc.

In addition to receiving periodic reporting of expenditures (I receive them daily), we convene quarterly to conduct a more formal review with the IT and Accounting teams, and include the respective department heads that own the CSP relationships. This also offers insight into any software that may or may not be sanctioned by your organization. Unsanctioned software is called Shadow IT, and chances are (unless you are in a highly-secured environment such as healthcare or government) it is running alongside your other applications. Shadow IT will be discussed in future posts.

But for now, the initial step in the process would be to obtain a full inventory of what cloud services your organization has in place and build a strategy upon that. Produce an inventory of all your cloud expenditures. The next step would be to formulate a strategy for your cloud journey, and we will discuss this in future posts. Stay tuned.


Jeffrey Westcott is the Chief Financial Officer and joined the Cloud Security Alliance in 2014. He can be reached at [email protected], or www.linkedin.com/in/jwestcott/.