Cloud Reference Model: IaaS, PaaS, SaaS
The NIST Cloud Reference Model defines three service layers, each abstracting a different level of infrastructure complexity. The choice of layer determines cost, flexibility, operational overhead, and time-to-market.
The Three Layers
IaaS — Infrastructure as a Service
The cloud provider manages physical hardware, networking, and virtualization. You manage everything above the hypervisor.
You manage: Operating system, runtime, middleware, application, data
Provider manages: Servers, storage, networking, virtualization
Examples:
- AWS EC2: Virtual machines with configurable CPU, RAM, storage
- Azure Virtual Machines: Windows and Linux VMs in Azure regions
- Google Compute Engine: Custom machine types with per-second billing
- Amazon S3: Object storage infrastructure
Best for: Legacy application lift-and-shift, custom OS configurations, maximum control
PaaS — Platform as a Service
The cloud provider manages the infrastructure and runtime environment. You focus solely on application code and data.
You manage: Application code, data, configuration
Provider manages: OS, runtime, middleware, servers, storage, networking
Examples:
- Heroku: Git-push deployment for Node.js, Python, Ruby, Java apps
- Google App Engine: Fully managed app hosting with auto-scaling
- AWS Elastic Beanstalk: Upload code, AWS handles deployment and scaling
- Azure App Service: Managed web hosting with CI/CD integration
Best for: Web applications, APIs, microservices — accelerate delivery without managing servers
SaaS — Software as a Service
Fully managed applications delivered over the Internet. Zero infrastructure or software management.
You manage: Data, user access configuration
Provider manages: Everything — application, runtime, OS, infrastructure
Examples:
- Salesforce: CRM platform
- Gmail / Google Workspace: Email and productivity
- Microsoft Office 365: Office suite delivered via browser
- Zoom / Slack: Communication platforms
Best for: End-user business applications, minimizing IT overhead
Comparison Table
| Dimension | IaaS | PaaS | SaaS |
|---|---|---|---|
| Control | Highest | Medium | Lowest |
| Flexibility | Highest | Medium | Lowest |
| Management Overhead | Highest | Medium | Lowest |
| Time to Deploy | Slowest | Medium | Fastest |
| Cost Model | Variable (compute hours) | Variable (app units) | Subscription per user |
| Example | AWS EC2 | Heroku | Salesforce |
| Ideal User | DevOps/SysAdmin | Developer | Business End User |
Shared Responsibility Model
Each layer shifts security and operational responsibilities between customer and provider. IaaS requires the most customer responsibility (patching OS, configuring firewalls), while SaaS requires the least.
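The split described above can be used to route security findings to whoever can actually fix them. The following is an added example, not part of the original page: it encodes the "You manage / Provider manages" lists from this page (plus the firewall configuration item from the paragraph above) and triages a constructed list of findings. The component keys, finding IDs and function names are assumptions made for this illustration.

```python
# Responsibility sets transcribed from the "You manage / Provider manages"
# lists on this page; the component keys are names chosen for this example.
CUSTOMER = {
    "IaaS": {"os", "runtime", "middleware", "application", "data", "firewall_config"},
    "PaaS": {"application", "data", "configuration"},
    "SaaS": {"data", "user_access"},
}
PROVIDER = {
    "IaaS": {"servers", "storage", "networking", "virtualization"},
    "PaaS": {"os", "runtime", "middleware", "servers", "storage", "networking"},
    "SaaS": {"application", "runtime", "os", "infrastructure"},
}

def owner(layer, component):
    """Return 'customer', 'provider' or 'unmapped' for a layer/component pair."""
    if layer not in CUSTOMER:
        return "unmapped"
    if component in CUSTOMER[layer]:
        return "customer"
    if component in PROVIDER[layer]:
        return "provider"
    return "unmapped"  # never guess an owner: send to manual review

def triage(findings):
    """Group finding IDs by the party that has to act on them."""
    queues = {"customer": [], "provider": [], "unmapped": []}
    for f in findings:
        queues[owner(f["layer"], f["component"])].append(f["id"])
    return queues

def always_customer():
    """Components the customer owns at every layer, whatever the model."""
    return set.intersection(*CUSTOMER.values())

# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    {"id": "F1", "layer": "IaaS", "component": "os", "issue": "missing OS patch"},
    {"id": "F2", "layer": "PaaS", "component": "os", "issue": "missing OS patch"},
    {"id": "F3", "layer": "SaaS", "component": "user_access", "issue": "stale admin account"},
    {"id": "F4", "layer": "IaaS", "component": "firewall_config", "issue": "overly broad inbound rule"},
    {"id": "F5", "layer": "PaaS", "component": "container_image", "issue": "unclassified"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS))
    print(always_customer())
```

The same "missing OS patch" finding lands in the customer queue on IaaS and in the provider queue on PaaS, and data is the one component that stays with the customer at every layer.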
Choosing the Right Layer
- Need full OS control or custom kernel modules? → IaaS
- Building a new web app and want to skip server management? → PaaS
- Deploying email, CRM, or office tools company-wide? → SaaS
- Running containerized microservices? → PaaS/CaaS (Kubernetes, ECS, Cloud Run)
Most enterprise architectures use all three layers simultaneously: SaaS for productivity tools, PaaS for internal applications, and IaaS for specialized or legacy workloads.