Cloud Security Basics: Understanding IaaS, PaaS, SaaS, and Who's Responsible for What

Cloud security can be confusing because the responsibility is shared between you and your provider. Understanding the shared responsibility model for IaaS, PaaS, and SaaS is critical for the Security+ exam.

CyberPath Team·2026-06-29·8 min

The Shared Responsibility Model

The shared responsibility model is the most important cloud security concept. Security responsibilities are divided between the cloud provider and the customer — but exactly what each party is responsible for depends on the service model.

Always the provider's responsibility: physical security of data centers, hardware maintenance, network infrastructure, and hypervisor security.

Always the customer's responsibility: data classification and accountability, user and identity management, client-side security (protecting credentials and devices), and compliance with applicable regulations.

The dividing line shifts based on service model. As you move from IaaS to PaaS to SaaS, the provider takes on more responsibility and the customer has less control. This is known as the 'security responsibility pendulum.'

IaaS: You Manage Everything Above the Hypervisor

Infrastructure as a Service provides virtualized computing resources (VMs, storage, networking). The provider manages: physical hardware, hypervisor, and network infrastructure.

You manage: operating system (patching, hardening), middleware and runtime, applications, data, network configuration (firewall rules, subnets), identity and access management, and encryption.

Best for: organizations that need full control over their environment. IaaS carries the most customer responsibility of the three models. Examples: AWS EC2, Microsoft Azure VMs, Google Compute Engine.

Biggest risk: misconfiguration. Common IaaS mistakes include leaving an S3 bucket publicly readable and making a security group too permissive.
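As an added example (not part of the original article), the following Python checks for the two misconfigurations named above on the customer's side of the line. It assumes input in the JSON shape that `aws ec2 describe-security-groups` returns and a parsed S3 bucket policy document; the function names, the `ADMIN_PORTS` choice, and the sample IDs and bucket name are assumptions made for illustration.

```python
import ipaddress

ADMIN_PORTS = (22, 3389)  # assumption: SSH and RDP must never face the internet
READ_ACTIONS = ("*", "s3:*", "s3:GetObject", "s3:ListBucket")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_security_group(group):
    """Flag ingress rules that open an admin port to every IPv4 or IPv6 address."""
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            continue  # rule is limited to specific source ranges
        proto = rule.get("IpProtocol")
        if proto not in ("-1", "tcp", "udp"):
            continue  # ICMP and other protocols carry no port range
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if proto == "-1":  # "-1" means every protocol and every port
            lo, hi = 0, 65535
        findings += [f"{group['GroupId']}: port {p} open to the internet"
                     for p in ADMIN_PORTS if lo <= p <= hi]
    return findings

def audit_bucket_policy(bucket, policy):
    """Flag Allow statements with no Condition that let any principal read the bucket."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        who = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        reads = [a for a in as_list(stmt.get("Action", [])) if a in READ_ACTIONS]
        if stmt.get("Effect") == "Allow" and "*" in who and reads and "Condition" not in stmt:
            findings.append(f"{bucket}: {', '.join(reads)} allowed for any principal")
    return findings

# Constructed sample input in the shape of AWS security group and bucket policy JSON.
SAMPLE_GROUPS = [
    {"GroupId": "sg-EXAMPLE1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-EXAMPLE2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    results = [audit_security_group(g) for g in SAMPLE_GROUPS]
    print(results, audit_bucket_policy("example-bucket", SAMPLE_POLICY))
```

Statements that carry a `Condition` are skipped rather than flagged, so they still need manual review.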

PaaS: Focus on Code, Not Infrastructure

Platform as a Service provides a platform for developing, running, and managing applications. The provider manages: physical hardware, hypervisor, OS, middleware, and runtime.

You manage: application code, data, and user access configuration. PaaS abstracts away infrastructure management, letting developers focus on writing code.

Best for: development teams that want to deploy quickly without managing servers. Examples: AWS Elastic Beanstalk, Heroku, Google App Engine. Security tip: secure your code and dependencies — the provider handles the underlying platform.

SaaS: Just Use the Application

Software as a Service provides a fully managed application accessible via browser or API. The provider manages everything except your data and users.

You manage: data (what you put in), user access and permissions, and client devices. The provider handles everything else: infrastructure, platform, application, and their security.

Best for: end users who need functionality without administration overhead. Examples: Google Workspace, Office 365, Salesforce. Biggest risk: data governance and vendor lock-in — you trust the provider with your data, so verify their security certifications (SOC 2, ISO 27001).