Cloud Computing Concepts: IaaS, PaaS, SaaS, and Deployment Models
Cloud computing restructures how organizations provision, manage, and pay for computing resources by shifting infrastructure from owned physical assets to on-demand services delivered over a network. This page covers the three primary service models — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) — alongside the four standard deployment models that define who controls and shares those resources. Understanding the distinctions between these models is foundational to architecture decisions, procurement strategy, and compliance planning across both enterprise and public-sector environments. For broader orientation to how cloud computing fits within the discipline, see the Computer Science Authority index.
Definition and scope
The authoritative definition of cloud computing in US technical and regulatory contexts comes from NIST Special Publication 800-145, which defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." NIST SP 800-145 is the reference document cited by federal agencies, state governments, and international standards bodies when classifying cloud services.
NIST's model organizes cloud computing across 5 essential characteristics, 3 service models, and 4 deployment models. The 5 essential characteristics are: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. These characteristics distinguish cloud services from traditional managed hosting or co-location arrangements, where provisioning timelines are measured in days or weeks rather than minutes.
The scope of cloud adoption in US federal agencies is governed by the Federal Risk and Authorization Management Program (FedRAMP), which requires cloud service providers offering services to federal agencies to meet a standardized security authorization baseline derived from NIST SP 800-53.
How it works
The three service models
The 3 service models define the boundary between what the provider manages and what the customer controls — often described as the "responsibility stack."
Infrastructure as a Service (IaaS) delivers virtualized computing resources — virtual machines, block storage, virtual networks, and load balancers — over a network. The provider manages the physical hardware, hypervisor layer, and network fabric. The customer controls the operating system, middleware, runtime, and application. IaaS is the most granular model; it offers the highest configuration flexibility and places the broadest operational burden on the customer.
Platform as a Service (PaaS) abstracts the operating system and runtime environment, providing a managed execution environment into which developers deploy application code. The provider manages the OS, runtime, middleware, and scaling infrastructure. The customer controls the application logic and data. PaaS accelerates development cycles by eliminating OS patching, runtime version management, and capacity planning for the execution layer.
Software as a Service (SaaS) delivers a fully managed application over the network. The provider controls the entire stack — hardware, OS, middleware, runtime, and application code. The customer configures the application through its user interface and manages its own data within the application's boundaries. SaaS carries the smallest operational footprint for the customer and the least configuration surface.
Deployment models
NIST SP 800-145 identifies 4 deployment models:
- Public cloud — Infrastructure is provisioned for open use by the general public or a large industry group and owned by a cloud provider. Resources are shared across multiple tenants and separated by the provider's multi-tenant isolation controls.
- Private cloud — Infrastructure is provisioned for exclusive use by a single organization, operated either on-premises or by a third party. Isolation is organizational rather than tenant-based.
- Community cloud — Infrastructure is shared by a specific community of organizations with common concerns (e.g., compliance requirements, mission domain). A consortium or a single member organization may operate it.
- Hybrid cloud — Two or more distinct deployment models (public, private, or community) are bound together by standardized or proprietary technology that enables data and application portability.
Common scenarios
Cloud computing applies across a predictable set of operational contexts, each mapping to particular service and deployment model combinations.
Regulated data workloads — Healthcare organizations subject to HIPAA and financial firms subject to requirements from the Federal Financial Institutions Examination Council (FFIEC) typically deploy sensitive workloads in private or community cloud configurations, using IaaS or PaaS to retain direct control over encryption key management and audit logging. FedRAMP-authorized SaaS products are accepted by federal agencies for specific application categories where the provider has demonstrated compliance at the High, Moderate, or Low impact baseline.
Application development pipelines — Software engineering teams use PaaS environments to standardize build, test, and deployment workflows. This configuration eliminates the 12–20 hours per month engineering teams historically spent on runtime patching in self-managed environments, by offloading that responsibility to the platform provider. NIST's Secure Software Development Framework (SSDF), SP 800-218, addresses how development environments — including PaaS pipelines — should be secured.
Enterprise productivity and collaboration — SaaS dominates this segment. Email, document management, and video conferencing are delivered as SaaS products requiring minimal configuration beyond identity federation and access policy. Cloud computing's role in distributed systems architectures becomes particularly evident here, as SaaS providers replicate data across geographically distributed availability zones to meet uptime commitments.
Burst and elastic compute — Organizations with variable compute demand — research institutions running simulation workloads, retailers handling seasonal transaction spikes — use public IaaS to provision additional capacity on-demand and release it when the load subsides, paying only for measured consumption. This maps directly to NIST's "rapid elasticity" and "measured service" essential characteristics.
Decision boundaries
Selecting among service and deployment models involves 4 primary decision axes:
- Control vs. operational burden — IaaS maximizes control over the software stack but requires the customer to manage OS security, patching, and runtime configuration. SaaS minimizes operational burden but constrains configuration to the provider's application surface. PaaS occupies the intermediate position: the customer controls application logic while the provider manages the execution environment.
- Compliance posture — Workloads subject to FedRAMP, HIPAA, or CJIS (Criminal Justice Information Services) requirements face constraints on deployment model selection. CJIS Security Policy, maintained by the FBI, imposes specific controls on cloud deployments handling criminal justice data that affect whether public cloud configurations are permissible without additional contractual and technical safeguards.
- Portability and lock-in risk — PaaS and SaaS introduce provider-specific abstractions that can impede workload migration. IaaS workloads built on standard operating system images and open storage formats carry higher portability. Organizations referencing the Cloud Controls Matrix published by the Cloud Security Alliance (CSA) use it to assess portability and exit risk as part of vendor evaluation.
- Latency and data residency — Applications with strict latency requirements or data residency obligations (e.g., state laws restricting where resident data may be stored) may require private cloud or on-premises IaaS rather than multi-region public cloud configurations. This intersects directly with privacy and data protection frameworks operating at the state and federal level.
The IaaS-PaaS-SaaS distinction also intersects with cybersecurity fundamentals in the shared responsibility model: the lower the service abstraction (IaaS being lowest), the more security controls the customer must implement independently. Misunderstanding the shared responsibility boundary is a documented source of misconfiguration incidents in public cloud environments.
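The responsibility stack described under "The three service models" and the shared responsibility point above can be turned into a simple check: encode who operates each layer under IaaS, PaaS and SaaS, then compare that against the layers a customer has actually documented controls for. The following is an added example, not code from NIST SP 800-145 or from any provider's published responsibility matrix. The layer names are taken from the prose above; the extra "identity" layer (tenant identity and access configuration, which stays with the customer in every model) and the sample inventory are assumptions constructed for illustration.

```python
"""Shared-responsibility gap check derived from the IaaS/PaaS/SaaS split.

Added example. The layer names and the matrix below are an assumption
drawn from the service-model descriptions above, not a provider's matrix.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Stack layers, bottom to top. "identity" is an added assumption: tenant
# identity and access configuration stays with the customer in every model.
LAYERS = (
    "hardware", "hypervisor", "network", "os", "middleware",
    "runtime", "application", "data", "identity",
)

# Who operates each layer under each service model ("provider" / "customer").
RESPONSIBILITY = {
    "iaas": {
        "hardware": "provider", "hypervisor": "provider", "network": "provider",
        "os": "customer", "middleware": "customer", "runtime": "customer",
        "application": "customer", "data": "customer", "identity": "customer",
    },
    "paas": {
        "hardware": "provider", "hypervisor": "provider", "network": "provider",
        "os": "provider", "middleware": "provider", "runtime": "provider",
        "application": "customer", "data": "customer", "identity": "customer",
    },
    "saas": {
        "hardware": "provider", "hypervisor": "provider", "network": "provider",
        "os": "provider", "middleware": "provider", "runtime": "provider",
        "application": "provider", "data": "customer", "identity": "customer",
    },
}


def customer_layers(model: str) -> frozenset[str]:
    """Layers the customer must secure under the given service model."""
    try:
        matrix = RESPONSIBILITY[model.lower()]
    except KeyError:
        raise ValueError(f"unknown service model: {model!r}") from None
    return frozenset(layer for layer, owner in matrix.items() if owner == "customer")


@dataclass
class Workload:
    name: str
    model: str
    # Layers for which the customer has a documented, implemented control
    # (e.g. an OS patching process, an encryption-at-rest policy for data).
    covered: frozenset[str] = field(default_factory=frozenset)


def responsibility_gaps(workloads: list[Workload]) -> dict[str, list[str]]:
    """Return {workload name: [findings]} for workloads with a gap.

    A finding is either a customer-owned layer with no documented control,
    or a layer the customer claims to cover that actually belongs to the
    provider (reported with a "provider-owned:" prefix, since that usually
    signals a misread of the boundary rather than extra safety).
    """
    report: dict[str, list[str]] = {}
    for w in workloads:
        unknown = w.covered - set(LAYERS)
        if unknown:
            raise ValueError(f"{w.name}: unknown layers {sorted(unknown)}")
        owned = customer_layers(w.model)
        missing = sorted(owned - w.covered, key=LAYERS.index)
        misattributed = sorted(w.covered - owned, key=LAYERS.index)
        findings = missing + [f"provider-owned:{layer}" for layer in misattributed]
        if findings:
            report[w.name] = findings
    return report


# Constructed inventory; workload names and coverage are invented for illustration.
SAMPLE_INVENTORY = [
    Workload("billing-vm", "iaas", frozenset({"os", "application", "data", "identity"})),
    Workload("api-app", "paas", frozenset({"application", "data", "identity", "os"})),
    Workload("mail", "saas", frozenset({"identity"})),
]

if __name__ == "__main__":
    for name, findings in responsibility_gaps(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

On the sample inventory the IaaS workload is flagged for undocumented middleware and runtime controls, the PaaS workload for claiming OS coverage the provider actually owns, and the SaaS workload for having no control documented for its own data. The matrix is the part to adapt: a real engagement would replace it with the provider's published responsibility matrix and the organization's own control catalogue, but the gap logic stays the same.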
References
- NIST Special Publication 800-145: The NIST Definition of Cloud Computing
- NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
- NIST Special Publication 800-218: Secure Software Development Framework (SSDF)
- FedRAMP: Federal Risk and Authorization Management Program
- FBI CJIS Security Policy Resource Center
- Federal Financial Institutions Examination Council (FFIEC)
- Cloud Security Alliance: Cloud Controls Matrix