Cloud Service Models
Cloud providers offer their services in three main models. Each model gives you a different level of control — and with that control comes a different level of security responsibility. Understanding these models tells you exactly what you need to protect yourself.
The Pizza Analogy
Think of making pizza. You can make it entirely from scratch at home (full control, full effort), order a take-and-bake kit (shared effort), or order a delivered pizza (almost no effort, less control). Cloud service models work the same way.
The Three Service Models
IaaS – Infrastructure as a Service
The cloud provider gives you raw computing resources: virtual machines, storage, and networking. You control the operating system, applications, and data on top of that. AWS EC2, Google Compute Engine, and Microsoft Azure Virtual Machines are IaaS examples.
Security responsibility: The provider secures the physical hardware and network. You secure everything above that — the OS, patches, firewall rules, and applications.
IaaS Stack (who secures what): ------------------------------ [ Your App ] ← You secure [ Your OS ] ← You secure [ Virtual Machine ] ← You configure, provider runs [ Physical Server ] ← Provider secures [ Data Center ] ← Provider secures
PaaS – Platform as a Service
The cloud provider manages the infrastructure and the operating system. You bring only your application code and data. Google App Engine, Heroku, and Azure App Service are PaaS examples.
Security responsibility: The provider secures infrastructure, OS, and runtime. You secure your application code, data, and user access controls.
PaaS Stack: ------------------------------ [ Your App Code ] ← You secure [ Your Data ] ← You secure [ Runtime / OS ] ← Provider secures [ Physical Server ] ← Provider secures
SaaS – Software as a Service
The cloud provider delivers a fully working application over the internet. You just log in and use it. Gmail, Salesforce, Dropbox, and Microsoft 365 are SaaS examples.
Security responsibility: The provider secures almost everything. You secure your account credentials, access permissions, and data you choose to put in the application.
SaaS Stack: ------------------------------ [ Your Data + Users ] ← You secure [ Full Application ] ← Provider secures [ All Infrastructure ]← Provider secures
Why Service Models Matter for Security
Each model shifts where your security effort goes. A company running IaaS must patch its own servers. A company using SaaS only needs to manage its users and passwords. Choosing the wrong model for your security capabilities creates gaps. A small team without a dedicated IT department often benefits from SaaS or PaaS because the provider handles the heavy security lifting.
Side-by-Side Comparison
| Aspect | IaaS | PaaS | SaaS |
|---|---|---|---|
| You manage | OS, apps, data | Apps, data | Data, users |
| Provider manages | Hardware, network | Hardware, OS, runtime | Everything else |
| Your security effort | High | Medium | Low |
| Your control | High | Medium | Low |
Key Terms to Know
- Virtual Machine (VM): A software-based computer running inside a physical server.
- Runtime: The software environment that runs your application code (e.g., Node.js, Python).
- Tenant Isolation: How a cloud provider keeps your data separate from other customers on the same hardware.
What You Learned
The three cloud service models — IaaS, PaaS, and SaaS — each distribute security responsibilities differently between you and the provider. The more infrastructure the provider manages, the less you control, and the less you need to secure directly. Knowing your model tells you exactly where your security gaps could appear.
