Cloud computing has fundamentally changed how organisations consume technology. Instead of purchasing, installing, and maintaining physical servers, businesses now provision computing resources on demand from providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. For executives, understanding the three core service models is not a technical exercise — it is a strategic imperative that determines where your security responsibilities begin and end.
Every cloud decision your organisation makes — from migrating email to deploying customer-facing applications — falls into one of three service models. Choosing the wrong model, or misunderstanding what each model requires from your security team, is one of the most common sources of cloud security failures.
The Three Service Models Explained
The cloud industry organises services into three layers, each offering a different balance of control, flexibility, and managed responsibility:
- Infrastructure as a Service (IaaS) — The provider supplies raw computing resources: virtual machines, storage, and networking. Your team manages the operating system, middleware, runtime, applications, and data. Examples include AWS EC2, Azure Virtual Machines, and Google Compute Engine. IaaS gives you maximum control but also maximum responsibility for security configuration.
- Platform as a Service (PaaS) — The provider manages the infrastructure and the platform layer, including operating systems, middleware, and runtime environments. Your team manages the applications and data. Examples include Azure App Service, AWS Elastic Beanstalk, and Google App Engine. PaaS reduces operational burden but still requires you to secure application code and data.
- Software as a Service (SaaS) — The provider delivers a complete application. Your team manages user access, data, and configuration settings. Examples include Microsoft 365, Salesforce, and Google Workspace. SaaS offers the least operational complexity but still demands attention to access controls, data governance, and integration security.
Diagram: Cloud Service Models — IaaS vs PaaS vs SaaS. Three stacked columns comparing what the provider manages versus what the customer manages across IaaS, PaaS, and SaaS — from networking at the bottom to applications and data at the top.
Why the Service Model Matters for Security
The service model you choose directly determines your security obligations. With IaaS, your team must patch operating systems, configure firewalls, and harden virtual machines — tasks the provider handles in PaaS and SaaS. With SaaS, your primary concerns shift to identity management, data classification, and configuration governance.
Many breaches occur because organisations assume the cloud provider handles security entirely. This is never the case. Even in a SaaS model, you remain responsible for who can access the service, what data enters the platform, and how that data is shared or exported.
Action steps for your organisation:
- Inventory all cloud services currently in use and classify each as IaaS, PaaS, or SaaS
- For each service, document which security responsibilities belong to your team versus the provider
- Ensure your security policies explicitly address each service model rather than treating cloud as a single category
- Review vendor contracts to confirm that the provider’s responsibilities align with your assumptions
Quick Knowledge Check
- In which service model does the customer retain the most security responsibility?
  IaaS — the customer manages the OS, middleware, runtime, applications, and data while the provider manages only the underlying infrastructure.
- Does using a SaaS application eliminate all security responsibilities for the customer?
  No. The customer remains responsible for identity and access management, data governance, configuration settings, and integration security even in SaaS.