Episode 15 — Cloud Service Models — IaaS, PaaS, SaaS Compared
Cloud service models define the boundary between what the cloud provider offers and what the customer is expected to manage. These models are foundational to cloud computing and appear in nearly every domain of the Cloud Plus exam. Understanding service model distinctions helps identify what level of access, control, and responsibility is associated with a given cloud deployment. Exam scenarios may focus on shared responsibility, user behavior, or technical configuration, and the correct answer often depends on selecting the right service model.
Service model identification is one of the most frequently tested topics on the Cloud Plus exam. Multiple-choice and performance-based questions may ask you to determine who is responsible for patching, securing, or deploying elements of the system based on the service model used. Scenarios will rarely name the model outright. Instead, they describe technical environments that imply a service model through the level of abstraction and the kind of control the user has. Mastery of this topic is critical to understanding how cloud systems are structured and managed.
Infrastructure as a Service, or IaaS, is the service model that provides the most flexibility and control to the customer. In this model, the provider supplies core infrastructure components including virtual machines, storage volumes, and networking services. The customer is responsible for installing and managing the operating system, configuring middleware, and deploying applications. This arrangement allows for deep customization but also places a heavy burden on the customer for security, updates, and system management.
With IaaS, the cloud provider ensures that the infrastructure is available and operational, but the customer is responsible for everything running on top of it. This includes patching the operating system, managing access permissions, deploying applications, and configuring monitoring tools. Cloud Plus questions may present a situation where a security breach occurred due to an unpatched server and ask whether this responsibility falls on the provider or customer. In an IaaS context, the customer bears that responsibility.
IaaS environments require customers to have deep knowledge of the systems they deploy. Operating system behavior, middleware tuning, and application performance are all managed at the customer level. This model is common for teams that need full control or want to build custom software stacks. However, because the defaults are minimal, customers must harden the environment themselves. Cloud Plus may include performance-based items requiring you to assign configuration responsibilities correctly based on this model.
Platform as a Service, or PaaS, abstracts much of the infrastructure and runtime management. In this model, the provider delivers a full development platform including runtime engines, databases, and middleware. The customer focuses only on their application code and associated data. This model reduces administrative overhead and accelerates software development. Developers can push code without managing the operating system, backups, or runtime patching.
PaaS removes the need to configure the underlying operating system or support tools. The cloud provider handles operating system updates, middleware patching, and scaling infrastructure. The customer simply uploads code, connects to platform services, and manages application-specific configurations. This model is common in DevOps pipelines, continuous integration workflows, and environments where time-to-deploy is a priority. Cloud Plus exam scenarios may describe such workflows and expect the candidate to identify the correct model as PaaS.
Despite its abstraction, PaaS customers still retain key responsibilities. These include securing application logic, managing user access, and ensuring that the data layer is properly protected. Cloud Plus questions often focus on who is responsible for implementing security measures at the application level. Even though the platform is managed by the provider, application vulnerabilities remain under the customer’s control. Candidates must distinguish where the boundary lies between provider and user security obligations.
Software as a Service, or SaaS, provides a fully managed application that users access over the internet. In this model, the provider handles everything: infrastructure, operating systems, application logic, and data storage. The customer interacts with the application through a web interface or client software. This is the most abstracted model, requiring the least technical overhead from the user. It is also the most restrictive in terms of customization and access.
SaaS products include commonly used tools such as email services, customer relationship management platforms, and document collaboration suites. Customers cannot see or change the backend systems. Configuration options are limited to user-facing settings and account preferences. Cloud Plus exam questions often describe a business user accessing a hosted application with no access to its deployment environment and ask candidates to select SaaS as the correct model.
In the SaaS model, customer responsibilities include managing who can access the service, configuring user permissions, and ensuring that data usage aligns with internal policy or regulatory requirements. Questions on the exam may reference user access violations or inappropriate data sharing within a SaaS tool and require candidates to identify the customer’s obligations. Although the infrastructure is out of reach, access control and data governance remain key responsibilities at the user layer.
Each model introduces a different version of the shared responsibility structure. IaaS offers the most control and requires the customer to manage the most components. PaaS shares responsibility by abstracting the platform but leaving the application in the customer’s hands. SaaS removes nearly all backend control but expects the customer to enforce policies and control user access. Cloud Plus exam questions may ask who is responsible for securing, maintaining, or updating a particular system component within each model.
On the Cloud Plus exam, candidates are expected to identify service models based on written descriptions without the help of diagrams. This means understanding the terminology used to describe provisioning levels, abstraction layers, and management boundaries is essential. Words like provision, deploy, host, and abstract all provide cues about where responsibility lies. If the scenario references full stack management or direct access to virtual machines, it likely points toward IaaS. If it describes code deployment without system configuration, PaaS may be implied. If the user accesses software through a browser or API without managing infrastructure or runtime, SaaS is the appropriate model.
Security expectations vary significantly across service models. In IaaS, the customer must apply all hardening measures including firewalls, encryption, patch management, and secure authentication. This includes both internal network configuration and public exposure of services. In PaaS, the platform secures most infrastructure elements, but the customer is still responsible for ensuring the security of the application code and any user data it processes. In SaaS, the provider delivers most of the security by default, but user behavior, access control, and data exposure through configuration remain under the customer’s control. The exam may test how much influence the customer has in each model.
Scalability differs depending on which service model is used. In an IaaS model, the customer scales the infrastructure by modifying virtual machines, adjusting storage volumes, or provisioning new network segments. This gives more control but also more administrative responsibility. PaaS environments often offer auto-scaling capabilities built into the platform, automatically adjusting resource consumption as application demand changes. SaaS tools generally scale invisibly to the user, with providers allocating resources dynamically behind the scenes. Exam scenarios may require identifying which model supports manual or automated scaling based on customer control.
Billing mechanisms are also tied to service model selection. IaaS often uses usage-based pricing based on virtual resource consumption. Customers are billed for virtual CPUs, memory allocation, data transfer, and storage use over time. PaaS typically follows a consumption-based model where services are priced according to runtime usage, transactions, or execution time. SaaS is usually billed per user or per license on a subscription basis, with fixed pricing tiers based on feature access. The exam may present cost scenarios requiring an understanding of how each model structures its billing.
A common misconception on the exam is that any hosted software automatically qualifies as SaaS. While SaaS does include hosted tools, not all hosted services are fully managed software solutions. Some services may resemble SaaS in delivery but retain customer responsibility for certain backend elements. Similarly, certain PaaS services may offer prebuilt components that feel like SaaS but still require code deployment or data configuration. The correct answer on the exam always depends on who manages which component, not how the service appears to the user.
Cloud Plus uses vendor-neutral terminology when referring to service models. Candidates should not assume that questions are referencing a specific product from Amazon Web Services, Microsoft Azure, or Google Cloud. Instead, questions will describe behaviors, responsibilities, or interactions using general terms. For example, if a scenario describes provisioning a virtual machine and installing an operating system, it is referencing IaaS. If the scenario describes uploading code to a development environment, it is likely PaaS. If it describes logging into a web app and managing user permissions, it is SaaS.
Understanding the strengths and weaknesses of each model helps candidates evaluate use cases. IaaS provides flexibility and full control but requires skilled administrators to manage infrastructure and security. It is best suited for organizations that need customization, unique configurations, or full access to the system stack. PaaS improves agility by reducing infrastructure overhead, but it limits customization of the platform itself. It is ideal for development teams focused on speed. SaaS is the easiest to use, with almost no management burden, but it offers minimal control or customization, making it suitable for standard business operations.
When assessing exam scenarios, the candidate must match responsibilities to the appropriate model. For example, if the scenario describes the customer handling operating system updates and network configuration, it is an IaaS environment. If the customer is writing and deploying code without configuring infrastructure, the model is PaaS. If the customer is simply assigning user permissions and using the software, it is SaaS. These distinctions are consistent throughout the Cloud Plus exam and require clear mental mapping of responsibility layers.
Questions may be phrased to test subtle differences between models. A scenario might describe the customer choosing scaling policies for a runtime environment but not touching the operating system. This would indicate a PaaS model. Another scenario might involve controlling firewall rules and patching Linux servers, pointing to IaaS. A description of a company using a cloud-based customer relationship management system that employees log into suggests SaaS. Recognizing these language patterns is key to correct service model identification.
Scenarios may also involve breaches or outages where the root cause must be assigned correctly. For example, if an unpatched server is exploited in an IaaS environment, responsibility lies with the customer. If a platform service fails in a PaaS environment, the provider is accountable. If a user shares sensitive documents via incorrect permissions in a SaaS tool, the responsibility lies with the customer. These distinctions are often embedded in performance-based items where layered analysis is required.
Another exam topic involves selecting a service model based on organizational need. A startup building a custom application might benefit from IaaS if they want total control. A development team with limited infrastructure staff may choose PaaS for simplicity. A business needing to onboard hundreds of users to an email platform would select SaaS. Candidates must not only recognize existing models but also recommend the right one based on described requirements.
Understanding service model scope also aids in evaluating compliance requirements. In IaaS, customers must implement data protection, secure configurations, and audit controls. In PaaS, these responsibilities are shared, with customers focusing on application data security and providers maintaining infrastructure security. In SaaS, customers handle identity management and data governance, while the provider maintains the rest. The Cloud Plus exam tests whether you can correctly apply responsibility boundaries to governance concerns.
Service models influence nearly every architectural, operational, and security decision in a cloud environment. Whether configuring access control, selecting backup options, or defining patch schedules, knowing who owns each part of the stack is essential. Cloud Plus candidates must be fluent in these distinctions and able to apply them across different types of questions. Mastery of IaaS, PaaS, and SaaS boundaries directly supports success across multiple domains of the exam.
