The cloud has always been a misunderstood child of the ever-growing technology industry. Chances are that if you Google “What is the cloud?”, you’ll find that the first 10 results all define the cloud differently. The term cloud has constantly been used in the past as a buzzword to describe a large number of different services, which has led to confusion for many trying to wrap their heads around what the cloud actually is.

Contrary to popular belief, the term ‘cloud’ itself is not just a buzzword, nor is it just someone else’s computer, as I have heard it defined in the past. In short, the cloud is a service, or group of services, that is typically provided by a third party (e.g. Google, Amazon Web Services (AWS), or Microsoft) and is widely available to all of its intended users regardless of physical location, scalable (meaning that it can grow or shrink in resources when needed, sometimes referred to as being elastic), and generally follows a client-server model. For a more detailed answer, we will look at the National Institute of Standards and Technology’s (NIST) Special Publication 800-145, titled The NIST Definition of Cloud Computing, which we believe does an excellent job of defining what the cloud actually is.

NIST breaks down the definition of cloud services into three sections: Service Models, Deployment Models, and Essential Characteristics. In this blog post, we will summarize the important points of each section to clear up any misconceptions previously held about the cloud. It is important to note that the terms ‘cloud’ and ‘cloud computing’ are used interchangeably throughout this blog series.

Cloud Service Models

There are a large number of different cloud service models (too many to list here) but ultimately, all of them fall under the following three main cloud service models: SaaS (Software as a Service), PaaS (Platform as a Service), or IaaS (Infrastructure as a Service). These services are visualized in Figure 1.

Figure 1. Visualization of SaaS, PaaS, and IaaS

SaaS, sometimes also referred to as a cloud application or as hosted software, is a service model that hosts applications accessible over the network (such as through a web browser). This allows applications to be accessible to their users without the need to install or configure a special client interface on their end (client side). To elaborate, the user uses applications provided by the Cloud Service Provider (CSP) itself and is not responsible for managing the underlying cloud infrastructure (e.g. networking, server maintenance, storage, etc.). Some popular examples of SaaS are the Google Suite (e.g. Google Docs, Google Slides, etc.), Office 365, and Dropbox.

PaaS, also sometimes referred to as a cloud platform service, is a service model that provides users with platforms for building and developing custom applications. As with a SaaS cloud service model, the CSP is still responsible for the underlying cloud infrastructure, but the difference here is that the user is now responsible for creating and developing their custom application instead of using an application already provided by the CSP. The most common use for a PaaS cloud service model is to develop and host web applications online, such as through AWS Elastic Beanstalk or Apache Stratos (now retired).

IaaS, also sometimes referred to as a Hardware as a Service (HaaS) service model or as a cloud infrastructure service, is a cloud service model that provides users with the ability to create and manage virtualized computing resources over the network. To elaborate, users of the IaaS cloud service model can create and manage virtual machines and virtual networks (networking components may be limited depending on the CSP), but the CSP still retains control over most of the underlying cloud infrastructure (e.g. the physical components of servers, certain aspects of the networking, and the virtualization software used), as can be seen in Figure 2. In other words, users are presented with a virtual data center that they get to control without having to purchase and manage the physical components that come with it. The most popular examples of CSPs that provide a platform for IaaS service models are Amazon Web Services (AWS), DigitalOcean, and Microsoft Azure.

Figure 2. Cloud Responsibility

To better illustrate what users are responsible for in the aforementioned cloud service models, we have included Figure 2 to visualize that responsibility. Figure 2 compares the three previously mentioned cloud service models to an On-Premise service model (i.e. when services are hosted by the user). As is expected, users who adopt an IaaS service model will hold the most responsibility for the underlying infrastructure (e.g. storage configurations, operating system maintenance, networking, etc.) whereas users who adopt a SaaS service model will hold no responsibilities. This is something to keep in mind as forensic examiners and incident responders, as it tells us how much potential data may exist on the client side vs. in the cloud. For example, users with an IaaS service model may be able to enable logs that could later be used for analysis, whereas users with SaaS service models may not have access to similar logs and would need to rely on client-side artifacts for analysis (e.g. browser artifacts, SSH logs, etc.). We will go in depth on logs and log analysis in a future blog post.

Deployment Models

Deployment models refer to the method by which a user decides to deploy their cloud environment. At the time that this blog post was written, there are four main cloud deployment models: private cloud, community cloud, public cloud, and hybrid cloud.

Private cloud refers to cloud infrastructure that is provisioned for exclusive use by a single organization/business. This means that the entire cloud infrastructure is used by a single organization/business but does not necessarily mean that the organization/business provides the physical infrastructure to host the cloud environment. As is mentioned in NIST SP 800-145, private clouds may be owned, managed, and/or operated by the organization using the private cloud, a third party, or a combination of the two, and may exist either on or off the organization’s premises.

Unlike a private cloud, which, as previously mentioned, is provisioned for a single organization/business, a community cloud is provisioned for exclusive use by a specific community of users. Often, these users share a common goal/interest, such as academic institutions creating a community cloud for research projects or a group of healthcare providers that require a certain level of security in the cloud. Just like a private cloud, a community cloud may be owned, managed, and/or operated by the users, a third party, or a combination of the two, and may be hosted either on or off premises.

Public cloud refers to cloud infrastructure that is available for use by the general public. To elaborate, anyone can request and/or purchase resources from the public cloud without having to be part of a specific group/organization. This cloud deployment model can be owned, managed, and/or operated by a business, government organization, or academic institution (or a combination of all three) and is typically hosted on the CSP’s premises. This deployment model is also what is most commonly seen by the general public (e.g. AWS, Microsoft Azure, etc.).

Lastly, hybrid clouds are a combination of any of the three previously mentioned cloud deployment models. NIST SP 800-145 states that in a hybrid cloud model, each cloud model used remains a unique entity, but the models are bound together by standardized or proprietary technology that allows data/applications to interact with each model used. For example, a private cloud that interacts with a public cloud to offload data processing would be considered a hybrid cloud.

Essential Characteristics

NIST SP 800-145 talks about five essential characteristics that must exist for a service to be considered a cloud service. These five characteristics are: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.

The first characteristic mentioned in the document is on-demand self-service. On-demand self-service is defined by NIST as the ability for a user to create and use virtual computing resources without the need to interact with a human. To elaborate, let us look at an IaaS cloud instance. Based on this characteristic, a user on AWS should be able to create and power up a virtual machine without having to contact a human at AWS for that action to occur.

The second characteristic mentioned is broad network access. This is defined as the ability to access a cloud resource from anywhere in the world so long as network mechanisms (e.g. SSH, HTTP(s), RDP, etc.) are set in place. This means that physical access to cloud infrastructure is not required to access cloud services as they should be accessible remotely.

The next characteristic mentioned is resource pooling. Resource pooling refers to the concept of pooling the CSP’s computing resources together to serve multiple users in a multi-tenant model. To elaborate, users will generally share computing resources such as storage, memory, and network bandwidth with other users. One important thing to mention is that even though users will share these resources with other users, each user’s data is isolated and remains invisible to the other users. From the user’s perspective, they will never know the specific location of their data (e.g. which server in xyz data center their data resides on), but they can specify which data center, state, or country they wish their data to be in (highly dependent on the CSP). This is primarily done to allow CSPs to clone user data to provide redundancy in case of failure on the CSP’s end, and to dynamically assign and reassign computing resources that may have been previously occupied by another user.

This brings us to the fourth characteristic mentioned within NIST SP 800-145, which is rapid elasticity. Rapid elasticity refers to the concept of being able to rapidly scale virtual resources up or down to meet the user’s demand in a manner that makes computing resources seem unlimited. This means that if the consumer has a need for 1,000 virtual machines, they can scale their environment to use 1,000 virtual machines without having to contact a human to request that more physical infrastructure be built to host those virtual machines and without any time delays (e.g. can be done at any point without a heads up to the CSP). This characteristic is similar to on-demand self-service in the sense that it should not require any human interaction.

The last characteristic mentioned is measured service. Measured service refers to the ability to monitor, control, and report on resource usage in the cloud. NIST SP 800-145 further elaborates on this concept by stating that “cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts).”

Ending Remarks

There is a ton more that could be said about the cloud, but we believe that this is just enough information to get a good idea about what the cloud actually is. We know that this blog post was as dry as California, but hang in there, they won’t all be this dry. We hope you learned a lot and that you can now confidently answer the question, “What is the cloud?”.


  1. Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing. NIST.
  2. Dhillon, B. (2015). Different Types of Cloud Computing Service Models. [Image] Bluepi.
  3. Chou, D. (2018). Cloud Service Models (IaaS, PaaS, SaaS) Diagram. [Diagram] Blog.