The Differences in the “as-a-Service” Cloud Models and How They Work with FedRAMP
There’s no end to the number of acronyms used in our line of work. But “IaaS,” “PaaS,” and “SaaS” are three terms anyone in the cloud computing industry should familiarize themselves with. They don’t describe cloud computing technologies specifically, but rather indicate particular services parsed out among the three main pieces of cloud computing.
Nomenclature isn’t everything. After all, we really want to know how something works and what it can do. Still, it’s undeniable that these three terms describe the fundamental service models of cloud computing, and they play a big role in the services and solutions that can be provided to customers in a number of ways. In recent years, we’ve seen these services in the context of government technology, and, in particular, FedRAMP (that’s right, another acronym).
Let’s take a look at what each of these services means, its significance, and how it works in the world of FedRAMP authorization.
Infrastructure as a Service (IaaS)
When you think of IaaS, think “virtualized.” This model of cloud computing provides computing resources – specifically, virtualized hardware (i.e., infrastructure). IaaS works best for enterprise customers who want to build economical and scalable websites without the complexity and expense of managing the underlying infrastructure, which is handled by their managed service provider. This virtualized hardware includes server space, bandwidth, load balancing capabilities, and network connections, all of which are typically drawn from an assortment of servers and networks distributed across a number of data centers maintained by the hosting provider.
With the provider managing and maintaining the infrastructure, the system owner is free to build their own IT applications, leaving them responsible for everything inside the system above the infrastructure level. These obligations mean the client must manage things like security, performance, incident response, tuning, and more. If an organization does not have enough staff on hand to architect and maintain its system, it typically chooses an option other than IaaS. This is particularly true in regard to achieving FedRAMP authorization. With IaaS, the system owner is responsible for compliance; because being compliant requires significant resources for security measures beyond those related to the infrastructure, the client needs a full team dedicated to upholding security and compliance standards.
Platform as a Service (PaaS)
Providing a platform as a service is exactly what it sounds like: this cloud computing category offers a platform upon which developers can create applications. These applications are developed using tools provided by the cloud platform provider, who also manages the infrastructure, updates services, upgrades technical features, and provides support. Such services can be paid for by subscription, allowing clients to pay only for what they need and use. Sharing the underlying platform infrastructure with other users also means they get these services at a lower fee. PaaS operates above the hardware level, meaning the client does not have to deal with things like database requirements, security, or load balancing at that level; that is for the service provider to manage.
With PaaS, the Cloud Service Provider (CSP) is typically responsible for a lot of moving pieces, and a significant part of platform management is security. Because it has full control of the tenant environment, the CSP is responsible for fulfilling the security requirements for that platform – this is particularly true for achieving FedRAMP authorization. The provider can apply security patches, monitoring services, and firewalls – among other measures – either automatically or manually to reach the level of compliance the system owner requires.
Software as a Service (SaaS)
SaaS is the highest stratum of cloud computing, as well as the most focused. Offering software as a service allows users to lease online software instead of buying it. SaaS is more than just standard online tools (like email): it centralizes computing capabilities so that countless employees can run their software over the internet, essentially as borrowed products. SaaS becomes synonymous with cloud computing once it is combined with the hardware offered through a PaaS. Clients typically pay for SaaS monthly, with the flexibility to add or drop system users at any time for no extra charge.
While SaaS is the most inclusive service from the top down, it has the narrowest and most focused scope. This is because the CSP has to control everything from the client side all the way down to the data stored on the drive. With SaaS, for example, the CSP has to aggregate all logs from the platform and infrastructure for security assessments in order to achieve FedRAMP authorization – this is not the case for IaaS and PaaS solutions. In other words, almost all of the SaaS work is performed solely by the CSP.
The Key Difference is Responsibility
We’ve seen a common theme in describing the “aaS” cloud services: responsibility. Either the cloud service provider is in charge of important aspects of the client’s system, or the client must manage its own system and achieve security compliance itself. Which applies depends on whether the system owner has the resources on hand to tackle the work that must be done.
If a client already has staff to handle IaaS and PaaS requirements, they won’t need their CSP to provide corresponding resources. When it comes to SaaS, on the other hand, system owners rely on solutions offered by their CSP, who is obligated to provide focused software solutions that fit the client’s needs – for example, FedRAMP needs. Software companies that don’t want to go through the FedRAMP authorization process alone can use companies like Contegix to achieve compliance and accreditation, shifting the security responsibilities to the CSP while reaping the benefits of fully compliant “aaS” solutions.