THREE CLOUD SERVICE MODELS

When we discuss cloud computing and the network security framework around it, we frequently refer to NIST.

NIST stands for the National Institute of Standards and Technology. It promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems.

The NIST Definition of the Three Cloud Service Models

Cloud service models include Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

According to NIST, cloud service models are described as follows:

Software as a Service (SaaS)

In this model, the client uses the provider’s applications that are running on a cloud infrastructure. The client can access the applications from various thin clients (for example, a website - see more regarding thin and thick clients here). According to the NIST definition, the consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities. The client might be able to specify their specific application configuration settings.

Platform as a Service (PaaS)

In this model, the client creates or acquires software that is then deployed onto the cloud infrastructure. This can be done on a pay-per-use or charge-per-use basis. A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing that we described here.

The cloud infrastructure contains both a physical layer and an abstraction layer. The physical layer consists of the hardware resources - typically, servers, storage and network components. The abstraction layer consists of the software deployed across the servers and network components. The client does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage. The client will have control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service (IaaS)

In this model, the client can deploy and run any software they choose, including operating systems and applications. The provider provisions servers, storage and network components. The client does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications. The client will have limited control over select networking components (e.g., host firewalls).

Source: https://csrc.nist.gov/publications/detail/sp/800-145/final