Cloud Service Models
IaaS, PaaS, SaaS, FaaS; shared responsibility model
Cloud service models define the boundary of managed responsibility between the cloud provider and the customer. IaaS (Infrastructure as a Service) gives raw compute, storage, and networking; PaaS abstracts the OS and runtime; SaaS delivers a fully managed application; and FaaS (Function as a Service) abstracts even the server, billing only for execution milliseconds. The shared responsibility model determines who patches, who encrypts, and who manages identity at each layer.
Key Points
- IaaS examples: AWS EC2, Azure VMs, GCP Compute Engine — customer manages OS, middleware, runtime, data.
- PaaS examples: AWS Elastic Beanstalk, Azure App Service, GCP App Engine — provider manages OS and runtime patches.
- SaaS examples: Salesforce, Google Workspace, Microsoft 365 — customer manages only data and user access.
- FaaS examples: AWS Lambda, Azure Functions, GCP Cloud Functions — billing per 100 ms of execution, ephemeral compute.
- Shared responsibility: physical security is always the provider's responsibility; the customer always owns data classification and end-user IAM.
- Moving up the stack (IaaS → SaaS) reduces operational burden but increases vendor lock-in risk.
- FaaS cold-start latency (typically 100–500 ms for JVM runtimes) is a key non-functional requirement (NFR) trade-off versus always-warm containers.
- Compliance evidence (SOC 2, ISO 27001) is split: provider covers infrastructure controls, customer covers application controls.
| Responsibility | IaaS | PaaS | SaaS | FaaS |
|---|---|---|---|---|
| Physical hardware | Provider | Provider | Provider | Provider |
| Network & storage | Provider | Provider | Provider | Provider |
| Virtualization | Provider | Provider | Provider | Provider |
| Operating system | Customer | Provider | Provider | Provider |
| Runtime / middleware | Customer | Provider | Provider | Provider |
| Application code | Customer | Customer | Provider | Customer |
| Function runtime | Customer | Customer | Provider | Provider |
| Data & encryption | Customer | Customer | Customer | Customer |
| Identity & access | Customer | Customer | Customer | Customer |
Real-World Example
Netflix runs its streaming backend on AWS IaaS (EC2, EBS) while its internal tooling uses SaaS (Jira, Confluence), choosing the model according to each workload's control requirements.