Cloud service models define the boundary of managed responsibility between the cloud provider and the customer. IaaS (Infrastructure as a Service) gives raw compute, storage, and networking; PaaS abstracts the OS and runtime; SaaS delivers a fully managed application; and FaaS (Function as a Service) abstracts even the server, billing only for execution milliseconds. The shared responsibility model determines who patches, who encrypts, and who manages identity at each layer.

Key Points

  • IaaS examples: AWS EC2, Azure VMs, GCP Compute Engine — customer manages OS, middleware, runtime, data.
  • PaaS examples: AWS Elastic Beanstalk, Azure App Service, GCP App Engine — provider manages OS and runtime patches.
  • SaaS examples: Salesforce, Google Workspace, Microsoft 365 — customer manages only data and user access.
  • FaaS examples: AWS Lambda, Azure Functions, GCP Cloud Functions — billing per 100 ms of execution, ephemeral compute.
  • Shared responsibility: physical security is always the provider's; customer always owns data classification and end-user IAM.
  • Moving up the stack (IaaS → SaaS) reduces operational burden but increases vendor lock-in risk.
  • FaaS cold-start latency (typically 100–500 ms for JVM runtimes) is a key NFR trade-off versus always-warm containers.
  • Compliance evidence (SOC 2, ISO 27001) is split: provider covers infrastructure controls, customer covers application controls.
ResponsibilityIaaSPaaSSaaSFaaS
Physical hardwareProviderProviderProviderProvider
Network & storageProviderProviderProviderProvider
VirtualizationProviderProviderProviderProvider
Operating systemCustomerProviderProviderProvider
Runtime / middlewareCustomerProviderProviderProvider
Application codeCustomerCustomerProviderCustomer
Function runtimeCustomerCustomerProviderProvider
Data & encryptionCustomerCustomerCustomerCustomer
Identity & accessCustomerCustomerCustomerCustomer

Real-World Example

Netflix runs its streaming backend on AWS IaaS (EC2, EBS) while its internal tooling uses SaaS (Jira, Confluence) — choosing the model per workload control requirement.