Cloud Service Models (IaaS, PaaS, SaaS)

Overview

Understanding cloud service models is fundamental to implementing ISO 27017 effectively. Each service model—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)—has distinct characteristics, security implications, and responsibility distributions that directly impact how security controls are applied.

Learning Objectives

By the end of this lesson, you will be able to:

Define and differentiate between IaaS, PaaS, and SaaS service models
Understand the security responsibilities for each service model
Identify appropriate use cases for each model
Recognize the security implications of each model
Apply ISO 27017 controls appropriately based on service model
Make informed decisions about service model selection

The Cloud Service Model Hierarchy

Visual Representation

Traditional IT    IaaS           PaaS           SaaS
┌────────────┐   ┌────────────┐  ┌────────────┐  ┌────────────┐
│Applications│   │Applications│  │Applications│  │Applications│ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│   Data     │   │   Data     │  │   Data     │  │   Data     │ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│  Runtime   │   │  Runtime   │  │  Runtime   │  │  Runtime   │ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│Middleware  │   │Middleware  │  │Middleware  │  │Middleware  │ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│    O/S     │   │    O/S     │  │    O/S     │  │    O/S     │ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│Virtualiz'n │   │Virtualiz'n │  │Virtualiz'n │  │Virtualiz'n │ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│  Servers   │   │  Servers   │  │  Servers   │  │  Servers   │ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│  Storage   │   │  Storage   │  │  Storage   │  │  Storage   │ ◄── Provider
├────────────┤   ├────────────┤  ├────────────┤  ├────────────┤
│ Networking │   │ Networking │  │ Networking │  │ Networking │ ◄── Provider
└────────────┘   └────────────┘  └────────────┘  └────────────┘
 You Manage       You Manage     You Manage     You Manage
     All           Top Layers    Top 2 Layers   Data/Config

Infrastructure as a Service (IaaS)

Definition

IaaS provides fundamental computing resources over the internet. Customers rent virtualized hardware resources including servers, storage, and networking components, and have control over operating systems, storage, and deployed applications.

Key Characteristics

Characteristic	Description
Service Level	Infrastructure layer (compute, storage, network)
Customer Control	High - OS, middleware, runtime, applications, data
Provider Control	Infrastructure, virtualization, physical security
Flexibility	Maximum flexibility for customization
Management Burden	High - customer manages most of the stack

Common IaaS Services

Compute Services:

Virtual machines (VMs)
Bare metal servers
Container hosting
Auto-scaling groups

Storage Services:

Block storage (virtual hard drives)
Object storage (file storage)
Archive storage
Backup services

Network Services:

Virtual networks
Load balancers
DNS services
VPN gateways
Firewalls and security groups

IaaS Providers Examples

Provider	Service Name	Key Features
Amazon Web Services	EC2, S3, VPC	Extensive service catalog, global reach
Microsoft Azure	Virtual Machines, Storage	Enterprise integration, hybrid cloud
Google Cloud Platform	Compute Engine, Cloud Storage	High-performance computing, AI/ML
IBM Cloud	Virtual Servers	Enterprise-grade, compliance focus
Oracle Cloud Infrastructure	Compute, Storage	Database optimization, enterprise apps

Security Responsibilities in IaaS

Cloud Service Provider Responsibilities:

Physical security of data centers
Network infrastructure security
Hypervisor security and isolation
Hardware maintenance and replacement
Power and cooling systems
Physical access controls
Infrastructure monitoring

Cloud Service Customer Responsibilities:

Operating system security and patching
Application security
Data encryption (at rest and in transit)
Identity and access management
Network security configuration (firewalls, security groups)
Backup and disaster recovery
Compliance and governance
Vulnerability management
Security monitoring and logging

IaaS Security Controls (ISO 27017)

Critical Controls for IaaS Customers:

A.9.4.4 - Use of privileged utility programs
- Restrict access to virtualization management tools
- Implement privileged access management
A.12.3.1 - Information backup
- Configure automated backup solutions
- Test restoration procedures regularly
A.13.1.1 - Network controls
- Configure virtual firewalls and security groups
- Implement network segmentation
A.14.2.1 - Secure development policy
- Secure configuration of virtual machines
- Use hardened OS images
A.18.1.3 - Protection of records
- Ensure data residency compliance
- Implement audit logging

IaaS Use Cases

Ideal Scenarios:

Development and testing environments
High-performance computing workloads
Big data analytics
Disaster recovery sites
Custom application hosting
Organizations requiring full control over infrastructure

Example: Enterprise Application Migration

Scenario: Large retailer migrating e-commerce platform to cloud

IaaS Choice Factors:
✓ Custom application stack requiring specific OS versions
✓ Need for fine-grained security controls
✓ Compliance requirements for data handling
✓ Existing investment in application licenses
✓ In-house expertise in system administration

Implementation:
- Deploy virtual machines with custom OS configurations
- Configure network security groups for multi-tier architecture
- Implement encryption for data at rest using customer-managed keys
- Set up automated backup and disaster recovery
- Integrate with existing identity management systems

Platform as a Service (PaaS)

Definition

PaaS provides a complete development and deployment environment in the cloud. Customers can develop, run, and manage applications without dealing with the underlying infrastructure complexity. The provider manages the operating system, middleware, and runtime environment.

Key Characteristics

Characteristic	Description
Service Level	Platform layer (runtime, middleware, OS)
Customer Control	Medium - applications and data
Provider Control	Infrastructure, OS, middleware, runtime
Flexibility	Moderate - within platform constraints
Management Burden	Medium - focus on applications

Common PaaS Services

Application Platforms:

Web application hosting
API management platforms
Mobile backend services
Serverless computing (Functions as a Service)

Database Services:

Managed relational databases (MySQL, PostgreSQL, SQL Server)
NoSQL databases (MongoDB, Cassandra, DynamoDB)
In-memory databases (Redis, Memcached)
Data warehousing services

Development Tools:

Continuous integration/deployment (CI/CD)
Version control systems
Development frameworks
Testing environments

Integration Services:

Message queues
Event streaming
API gateways
Enterprise service buses

PaaS Providers Examples

Provider	Service Name	Key Features
Heroku	Heroku Platform	Developer-friendly, easy deployment
Google Cloud	App Engine, Cloud Functions	Auto-scaling, integrated services
Microsoft Azure	App Service, Azure Functions	.NET integration, enterprise features
AWS	Elastic Beanstalk, Lambda	Wide service integration
Salesforce	Lightning Platform	Business application focus

Security Responsibilities in PaaS

Cloud Service Provider Responsibilities:

All IaaS-level responsibilities
Operating system security and patching
Middleware security
Runtime environment security
Platform service security
API security
Database engine security (for DBaaS)
Service availability and resilience

Cloud Service Customer Responsibilities:

Application code security
Application-level access controls
Data encryption configuration
Secure API design and implementation
Application-level logging and monitoring
Secure configuration of platform services
Data classification and handling
Application-level backup strategies

PaaS Security Controls (ISO 27017)

Critical Controls for PaaS Customers:

A.14.1.1 - Information security requirements analysis
- Understand platform security features
- Verify compliance capabilities
A.14.2.1 - Secure development policy
- Implement secure coding practices
- Use platform security features appropriately
A.9.1.2 - Access to networks and network services
- Configure application-level access controls
- Implement authentication and authorization
A.10.1.1 - Policy on use of cryptographic controls
- Enable encryption features provided by platform
- Manage encryption keys appropriately
A.12.4.1 - Event logging
- Configure application and platform logging
- Integrate with security monitoring systems

PaaS Use Cases

Ideal Scenarios:

Rapid application development
API development and management
Microservices architectures
Event-driven applications
Applications with variable workloads
Teams wanting to focus on code, not infrastructure

Example: Startup SaaS Application

Scenario: Startup building a project management SaaS application

PaaS Choice Factors:
✓ Small team focused on feature development
✓ Need for rapid iteration and deployment
✓ Variable user load requiring auto-scaling
✓ Limited infrastructure expertise
✓ Cost-effective for early stage

Implementation:
- Use managed application platform for web tier
- Leverage managed PostgreSQL database
- Implement serverless functions for background jobs
- Use platform authentication services
- Configure automated scaling policies
- Integrate platform logging with security monitoring

Software as a Service (SaaS)

Definition

SaaS provides complete, ready-to-use application software over the internet. Customers access applications through a web browser or API without managing any underlying infrastructure, platform, or application code. The provider manages everything except user data and configuration.

Key Characteristics

Characteristic	Description
Service Level	Application layer (complete software)
Customer Control	Low - configuration and data only
Provider Control	Everything except customer data/config
Flexibility	Limited - configuration options only
Management Burden	Minimal - use and configure

Common SaaS Categories

Productivity and Collaboration:

Email and calendaring (Microsoft 365, Google Workspace)
Document collaboration
Video conferencing
Project management

Business Applications:

Customer Relationship Management (CRM)
Enterprise Resource Planning (ERP)
Human Resources Management Systems (HRMS)
Financial management

Specialized Applications:

Marketing automation
Customer support systems
Learning management systems
Security and compliance tools

SaaS Providers Examples

Provider	Service	Category
Salesforce	Sales Cloud, Service Cloud	CRM
Microsoft	Microsoft 365, Dynamics 365	Productivity, Business Apps
Google	Google Workspace	Productivity, Collaboration
Workday	Workday HCM, Financials	HR, Finance
ServiceNow	IT Service Management	ITSM, Workflow
Zoom	Zoom Meetings	Video Conferencing
Slack	Slack	Team Collaboration
DocuSign	eSignature	Document Management

Security Responsibilities in SaaS

Cloud Service Provider Responsibilities:

All IaaS and PaaS-level responsibilities
Application security
Application availability and performance
Multi-tenant isolation
Data storage security
Application-level access controls
Compliance certifications
Security updates and patches
Data backup and recovery
Incident response

Cloud Service Customer Responsibilities:

User access management
User authentication configuration
Data classification
Appropriate use of the application
User training and awareness
Configuration security
Data input validation
Third-party integration security
Monitoring user activities
Compliance with terms of service

SaaS Security Controls (ISO 27017)

Critical Controls for SaaS Customers:

A.9.2.1 - User registration and deregistration
- Implement proper user lifecycle management
- Regular access reviews
A.9.2.2 - User access provisioning
- Follow least privilege principle
- Use role-based access control
A.9.4.1 - Information access restriction
- Configure data access controls properly
- Implement data classification
A.18.1.4 - Privacy and protection of PII
- Understand data processing agreements
- Configure privacy settings appropriately
A.15.1.1 - Information security policy for supplier relationships
- Review SaaS provider security certifications
- Evaluate service level agreements

SaaS Use Cases

Ideal Scenarios:

Standard business processes (email, CRM, HR)
Rapid deployment requirements
Limited IT resources
Predictable, recurring workloads
Need for global accessibility
Focus on business functions, not technology

Example: Enterprise Email Migration

Scenario: 5,000-employee company migrating from on-premises email to SaaS

SaaS Choice Factors:
✓ Standard email functionality sufficient
✓ High availability requirements (99.9% SLA)
✓ Global workforce needing access anywhere
✓ Desire to reduce IT infrastructure costs
✓ Need for modern collaboration features

Implementation:
- Configure single sign-on with corporate identity provider
- Set up data loss prevention (DLP) policies
- Configure email retention policies for compliance
- Implement multi-factor authentication
- Train users on security features
- Establish monitoring for suspicious activities

Comparing Service Models

Comprehensive Comparison Matrix

Factor	IaaS	PaaS	SaaS
Control	Maximum	Medium	Minimum
Flexibility	Highest	Medium	Lowest
Complexity	Most complex	Moderate	Simplest
Customization	Extensive	Limited	Configuration only
Time to Deploy	Days to weeks	Hours to days	Minutes to hours
IT Skills Required	High	Medium	Low
Management Overhead	Highest	Medium	Lowest
Cost Model	Pay for resources	Pay for usage	Pay per user/feature
Scalability	Manual/auto	Auto-scaling	Built-in
Updates	Customer managed	Provider managed	Automatic

Security Control Distribution

Security Layer	IaaS	PaaS	SaaS
Physical Security	Provider	Provider	Provider
Network Security	Shared	Provider	Provider
Host Security	Customer	Provider	Provider
Application Security	Customer	Customer	Provider
Data Security	Customer	Customer	Shared
Identity & Access	Customer	Shared	Shared
Compliance	Shared	Shared	Shared

Hybrid and Multi-Cloud Scenarios

Combining Service Models

Modern organizations often use multiple service models simultaneously:

Example Architecture:

┌─────────────────────────────────────────────────┐
│              Organization's Cloud Strategy       │
├─────────────────────────────────────────────────┤
│ SaaS: Microsoft 365 (Email, Office)             │
│       Salesforce (CRM)                           │
│       Workday (HR)                               │
├─────────────────────────────────────────────────┤
│ PaaS: Azure App Service (Web applications)      │
│       AWS Lambda (Serverless functions)          │
│       Google Cloud SQL (Managed database)        │
├─────────────────────────────────────────────────┤
│ IaaS: AWS EC2 (Legacy applications)             │
│       Azure VMs (Development environments)       │
│       GCP Compute (Analytics workloads)          │
└─────────────────────────────────────────────────┘

Security Considerations for Multi-Model Environments

Challenges:

Consistent security policy enforcement
Centralized identity and access management
Unified monitoring and logging
Complex compliance requirements
Data flow between services

Best Practices:

Implement cloud access security broker (CASB)
Use federated identity management
Centralize security monitoring (SIEM)
Establish data classification standards
Create comprehensive cloud governance framework

Decision Framework: Choosing the Right Service Model

Decision Tree

Start: What is your primary objective?

├─ Need custom infrastructure control?
│  └─ YES → IaaS
│      Examples: Custom apps, specific OS, compliance requirements
│
├─ Need development platform without infrastructure management?
│  └─ YES → PaaS
│      Examples: Web apps, APIs, microservices
│
└─ Need ready-to-use business application?
   └─ YES → SaaS
       Examples: Email, CRM, HR, collaboration tools

Evaluation Criteria Checklist

Technical Requirements:

Level of customization needed
Specific technology stack requirements
Integration with existing systems
Performance and scalability needs
Data residency requirements

Organizational Factors:

In-house technical expertise
IT staff availability
Budget constraints
Time to deployment
Risk tolerance

Security and Compliance:

Regulatory requirements
Data sensitivity level
Required security controls
Compliance certifications needed
Audit and reporting requirements

Operational Considerations:

Maintenance capabilities
Update and patch management preferences
Disaster recovery requirements
Availability requirements (SLA)
Vendor lock-in concerns

ISO 27017 Implementation by Service Model

IaaS Implementation Priority

High Priority Controls:

Virtual machine security configuration
Network security groups and firewalls
Encryption key management
Backup and recovery procedures
Privileged access management
Vulnerability scanning and patching

PaaS Implementation Priority

High Priority Controls:

Secure application development practices
API security and authentication
Platform-specific security configurations
Application-level monitoring
Data protection in managed services
Secure CI/CD pipelines

SaaS Implementation Priority

High Priority Controls:

User access management
Single sign-on (SSO) configuration
Data loss prevention (DLP)
User activity monitoring
Third-party app permissions
Data export and portability

Common Pitfalls and How to Avoid Them

IaaS Pitfalls

Pitfall	Impact	Prevention
Misconfigured security groups	Data exposure	Use infrastructure as code, regular audits
Unpatched systems	Vulnerabilities	Automated patch management
Poor key management	Unauthorized access	Use cloud key management services
No backup strategy	Data loss	Automated backups, tested recovery

PaaS Pitfalls

Pitfall	Impact	Prevention
Insecure application code	Application compromise	Security code reviews, SAST/DAST
Over-privileged service accounts	Lateral movement risk	Least privilege principle
Inadequate logging	Missed security events	Comprehensive logging configuration
Vendor lock-in	Migration challenges	Use abstraction layers, standards

SaaS Pitfalls

Pitfall	Impact	Prevention
Shadow IT adoption	Ungoverned data	CASB, user awareness training
Weak authentication	Account compromise	Enforce MFA, strong passwords
Excessive user permissions	Data exposure	Regular access reviews
Unchecked third-party apps	Data leakage	App approval process

Real-World Case Studies

Case Study 1: Financial Services - Multi-Model Approach

Organization: Regional bank with 200 employees

Implementation:

SaaS: Microsoft 365 for productivity, Salesforce for CRM
PaaS: Azure SQL Database for customer data, App Service for web apps
IaaS: Azure VMs for legacy core banking system

Security Approach:

Unified identity management via Azure AD
Data classification across all services
Centralized monitoring with Azure Sentinel
Segregation of duties based on service model
Regular third-party audits

Results:

30% reduction in infrastructure costs
Improved regulatory compliance posture
Enhanced security visibility
Faster application deployment

Case Study 2: Healthcare Provider - PaaS Focus

Organization: Multi-location healthcare provider

Challenge: HIPAA compliance while modernizing applications

Solution: PaaS-centric architecture

AWS Elastic Beanstalk for patient portal
Amazon RDS for patient data (encrypted)
AWS Lambda for automated workflows
Amazon S3 for medical image storage

ISO 27017 Controls Implemented:

Encryption at rest and in transit
Detailed access logging
Regular security assessments
Business associate agreements
Disaster recovery with geographic redundancy

Outcome:

HIPAA compliance maintained
99.95% application uptime
Reduced security incidents by 45%
Improved patient experience

Case Study 3: E-commerce - IaaS Flexibility

Organization: Growing online retailer

Requirements:

PCI DSS compliance for payment processing
Custom application stack
High-performance requirements
Seasonal scalability

Implementation: IaaS on Google Cloud Platform

Compute Engine for application servers
Cloud SQL for product catalog
Cloud Load Balancing
Cloud Armor for DDoS protection

Security Measures:

Network segmentation (DMZ, application, data tiers)
Custom firewall rules
Regular vulnerability assessments
Encrypted data storage
Comprehensive audit logging

Benefits:

PCI DSS Level 1 certification achieved
Ability to scale 10x during peak season
Full control over security configurations
Cost-effective resource utilization

Key Takeaways

Three distinct service models - IaaS, PaaS, and SaaS each serve different needs with varying levels of control and responsibility
Shared responsibility model - Security responsibilities shift based on service model, with customers always responsible for data
IaaS provides maximum control - Best for custom requirements but requires the most management overhead
PaaS balances control and convenience - Ideal for development-focused teams wanting to avoid infrastructure management
SaaS minimizes complexity - Best for standard business functions with minimal customization needs
Multi-model strategies are common - Organizations typically use a combination of service models
Security controls must match the model - ISO 27017 implementation varies significantly by service model
Decision framework is essential - Systematic evaluation of technical, organizational, and security factors guides model selection

Preparation for Next Lesson

In the next lesson, we'll explore the Shared Responsibility Model in detail, including:

Detailed breakdown of responsibilities by service model
How to document and communicate responsibilities
Common misunderstandings and gaps
Contractual and compliance implications
Best practices for managing shared security

Self-Assessment Questions

What are the three primary cloud service models defined in ISO 27017?
In IaaS, who is responsible for operating system security?
What layer of the stack do PaaS customers primarily manage?
Name three examples of SaaS applications commonly used in enterprises.
Which service model provides the highest level of customization?
What is the primary security responsibility for SaaS customers?
How does the shared responsibility model differ between IaaS and SaaS?
What factors should influence the choice of service model?
What are the main security challenges in a multi-model cloud environment?
Which service model requires the most in-house technical expertise?

Practical Exercise

Scenario: You are advising a healthcare organization on their cloud strategy. They have:

A custom electronic health records (EHR) system
Need for email and collaboration tools
Want to develop a patient portal
Strict HIPAA compliance requirements

Task:

Recommend appropriate service models for each need
Justify your recommendations
Identify key security controls for each
Outline the organization's security responsibilities

This lesson has provided comprehensive coverage of cloud service models. Understanding these models is crucial for applying ISO 27017 controls appropriately in different cloud environments.