Cloud computing has fundamentally transformed enterprise IT — and the CISSP exam has adapted to reflect this reality. Domain 3 tests cloud security architecture at the conceptual level: understanding the service models, knowing who is responsible for what security control in each model, and recognising the unique vulnerabilities of cloud-based systems including containers, serverless architectures, microservices, and IoT.

Cloud Service Models: IaaS, PaaS, and SaaS

Cloud computing is delivered in three primary service models, each representing a different division of responsibility between the cloud provider and the customer.

Infrastructure as a Service (IaaS) provides virtualised computing resources over the internet: virtual machines, storage, and networking. The customer has control over the operating system, middleware, and applications. The provider manages the physical infrastructure, hypervisor, and virtualisation layer. Examples include Amazon EC2, Microsoft Azure Virtual Machines, and Google Compute Engine.

Platform as a Service (PaaS) provides a managed platform for application development and deployment. The customer deploys applications and manages application-level configuration. The provider manages the infrastructure, operating system, and runtime environment. Examples include AWS Elastic Beanstalk, Google App Engine, and Azure App Service.

Software as a Service (SaaS) provides fully managed applications delivered over the internet. The customer uses the application and manages data and access controls. The provider manages everything else: infrastructure, platform, application code, and updates. Examples include Salesforce, Microsoft 365, and Google Workspace.

For the exam: as you move from IaaS to PaaS to SaaS, the customer has progressively less control and the provider has progressively more responsibility. SaaS gives the customer the least control over security implementation.
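The responsibility boundary of the three service models, and the shared responsibility model it implies, as an added Python example that is not part of the original article: it computes which layers the customer must secure under each model, flags customer-owned layers with no declared control, and checks the exam point that customer scope shrinks from IaaS to PaaS to SaaS. The layer names, boundary placement and the sample control inventory are assumptions constructed for illustration.

```python
# Added example (not from the original article): encode each service model's
# responsibility boundary and derive the customer's security scope from it.
# Layer names and the sample inventory below are constructed for illustration.

# Stack layers ordered from the provider's physical bottom to the customer's
# data and access controls at the top.
LAYERS = [
    "physical_infrastructure", "hypervisor",
    "operating_system", "middleware", "runtime",
    "application", "data", "identity_and_access",
]

# Index of the first layer the customer owns in each model. Everything below the
# boundary is the provider's; everything at or above it is the customer's.
# Even in SaaS the customer keeps data and access control.
CUSTOMER_BOUNDARY = {
    "IaaS": LAYERS.index("operating_system"),
    "PaaS": LAYERS.index("application"),
    "SaaS": LAYERS.index("data"),
}


def customer_layers(model):
    """Layers the customer must secure under the given service model."""
    return LAYERS[CUSTOMER_BOUNDARY[model]:]


def provider_layers(model):
    """Layers the provider secures under the given service model."""
    return LAYERS[:CUSTOMER_BOUNDARY[model]]


def responsibility_gaps(model, covered):
    """Customer-owned layers with no declared control: a shared-responsibility gap."""
    covered = set(covered)
    return [layer for layer in customer_layers(model) if layer not in covered]


def control_shrinks_monotonically():
    """Customer scope is strictly nested: SaaS < PaaS < IaaS."""
    iaas, paas, saas = (set(customer_layers(m)) for m in ("IaaS", "PaaS", "SaaS"))
    return saas < paas < iaas


if __name__ == "__main__":
    # Constructed inventory: a PaaS team hardened its app and IAM but never
    # addressed data protection, so the model reports that layer as a gap.
    print(responsibility_gaps("PaaS", ["application", "identity_and_access"]))
```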

The Shared Responsibility Model

The shared responsibility model defines the division of security responsibilities between the cloud provider and the customer. Understanding this model is critical for the exam and for real-world cloud security practice.