Cloud Foundations · Grounded in NIST SP 800-145

What Is Cloud Computing? IaaS vs PaaS vs SaaS (2026)

Last verified: June 17, 2026  ·  Format: Breakdown

Cloud computing is on-demand access to computing resources over the internet: servers, storage, databases, and software that you rent and use as needed instead of buying and running the hardware yourself. If you have been wondering what cloud computing means in practical terms, picture flipping a switch. You request a server, it appears in minutes, you pay for what you use, and you release it when you are done. The United States National Institute of Standards and Technology captured this idea in a short, durable definition that the whole industry still leans on today.

This breakdown is plain and practical. We start with that NIST definition, walk through the five essential characteristics, compare the three service models you will hear about constantly, IaaS, PaaS, and SaaS, then cover the four deployment models and a first look at who manages what once your workloads move to the cloud. Provider examples below are drawn from AWS, Microsoft Azure, and Google Cloud documentation and were checked on June 17, 2026.

What Is Cloud Computing (NIST Definition)

The clearest answer comes from NIST Special Publication 800-145, the document that gave the industry a shared vocabulary. It defines the model as on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage, and applications, that can be rapidly provisioned and released with minimal management effort or service-provider interaction.

That single sentence does a lot of work. It tells you the resources are pooled and shared, that you reach them over a network, that you turn them on and off quickly, and that the heavy lifting of running the underlying hardware is handled for you. NIST then frames the whole model around three layers you will meet throughout this guide: five essential characteristics, three service models, and four deployment models. The full standard is short and worth a read in the NIST SP 800-145 publication.

Why does a standards-body definition of cloud computing matter to you? Because the major providers built their language on top of it. When AWS, Microsoft Azure, and Google Cloud describe their offerings, they use the same vocabulary, which means understanding NIST once helps you read every provider's documentation. For where cloud fits across vendors and topics, start at the Cloud Tools hub.

The 5 Essential Characteristics

When people ask what is cloud computing at a technical level, this is the heart of the answer: NIST lists five traits that, taken together, separate genuine cloud computing from an ordinary rented server. If a service is missing several of these, it is not cloud computing in the strict sense. Here they are in plain language.

1. On-demand self-service

You provision resources yourself, when you need them, without phoning a sales rep or filing a ticket. A few clicks or one API call, and a server, a database, or storage is yours. This is the trait most people feel first.

2. Broad network access

Capabilities are available over the network and reached through standard mechanisms, so you can work from a laptop, a phone, or another server. The cloud is wherever your connection is, not a machine in one room.

3. Resource pooling

The provider pools its compute, storage, and networking to serve many customers, dynamically assigning and reassigning capacity based on demand. You generally do not know, and do not need to know, exactly which physical machine is running your workload. This multi-tenant pooling is what makes the economics work.

4. Rapid elasticity

Capacity scales out and back in quickly, sometimes automatically, to match load. To the user, the available resources can look effectively unlimited. You add capacity for a traffic spike and shed it afterward, rather than buying for the worst case and idling the rest of the year.

5. Measured service

Usage is metered, and you pay for what you consume, whether that is compute hours, storage volume, or requests served. This metering is also what gives you the dashboards and bills that make cloud spending visible and, with effort, controllable.

IaaS, PaaS and SaaS Explained

The three service models describe how much of the stack the provider runs for you. Think of them as a ladder: at the bottom you manage the most, and at each step up the provider takes on more, leaving you free to focus higher up. The IaaS vs PaaS vs SaaS distinction is the single most useful frame for reading any cloud product page.

Infrastructure as a Service (IaaS)

IaaS hands you the basic building blocks, compute, storage, and networking, with the highest degree of control. You manage the operating system and everything you install on top; the provider runs the physical hardware and the virtualization beneath it (virtualization is the software layer, often built on a hypervisor, that splits one physical server into many isolated virtual ones). AWS positions services like Amazon EC2 here, Microsoft Azure gives you virtual machines you manage, and Google Cloud offers Compute Engine. Choose IaaS when you want flexibility close to running your own servers, without owning the data center.

Platform as a Service (PaaS)

PaaS removes the infrastructure and operating-system management so you can concentrate on deploying and running your application. You bring your code; the platform handles the servers, patching, and scaling underneath. Examples include AWS Elastic Beanstalk, Azure App Service and Azure Functions, and Google App Engine. Reach for PaaS when you want to ship software without babysitting the machines it runs on.

Software as a Service (SaaS)

SaaS is the ready-made application, run and managed entirely by the vendor and delivered to you over the network. You just use it. Web-based email, Microsoft 365, and Google Workspace are everyday examples. With SaaS, you manage your data and your users, and essentially nothing else. (A closely related variant, serverless functions or FaaS, such as Google Cloud Run functions, runs your code on events with a similar low-management profile.)

The pattern is consistent: as you move from IaaS to PaaS to SaaS, you trade control for convenience. None is better in the abstract; the right model depends on how much you want to manage and how much differentiation you get from managing it.

The 4 Deployment Models

Where the service models describe what the provider runs, the deployment models describe who the cloud is for and where it lives. NIST names four ways to deploy cloud computing, and most real-world setups are some blend of them.

Public cloud

Infrastructure is owned and operated by a provider and shared across many organizations over the public internet. AWS, Microsoft Azure, and Google Cloud are the headline public clouds. You get the broadest reach and the cleanest pay-as-you-go economics, on shared, multi-tenant capacity.

Private cloud

Infrastructure is provisioned for a single organization, whether hosted on-premises or by a third party. A private cloud trades some of the public cloud's elastic economics for tighter control, which appeals to organizations with strict regulatory, data-residency, or performance requirements.

Hybrid cloud

Two or more distinct clouds, often a private and a public one, remain separate but are bound together so data and applications can move between them. Hybrid is common in practice: keep sensitive workloads private while bursting to public capacity for scale or new projects.

Community cloud

Infrastructure is shared by several organizations with common concerns, such as a shared mission, security posture, or compliance regime. Think of a group of agencies or institutions in the same regulated sector pooling a cloud built to their shared standards.

Who Manages What (a First Look at Shared Responsibility)

Moving to cloud computing does not hand off all responsibility; it splits it. The provider secures and runs the underlying platform, and you remain responsible for how you configure and use it. AWS frames this as security of the cloud versus security in the cloud. Microsoft Azure publishes a responsibility matrix that shifts by service model, and Google Cloud describes a related idea it calls shared fate. The common thread is that the line between provider and customer moves depending on whether you are using IaaS, PaaS, or SaaS.

The rule of thumb tracks the service-model ladder above. With IaaS you keep the most responsibility, patching the operating system, configuring the network, and securing your applications, because you control the most. With SaaS the provider handles almost everything, and your job narrows to managing your data, your users, and their access. PaaS sits in between. In every case, your data and your identities are yours to protect; that part never fully transfers.

This is only a first look. The split deserves its own treatment, because getting it wrong is where real risk creeps in. Read the dedicated guide on the cloud shared responsibility model next, and pair it with cloud regions, zones, and data residency to understand where your data physically lives.

Who Cloud Computing Is For

We have answered what is cloud computing and how it is structured; the last question is who benefits and which model fits. Cloud computing suits almost everyone who builds or runs software, but the right entry point shifts by need.

Honest Trade-offs

No answer to what is cloud computing is complete without the trade-offs. Cloud is a sensible default for most new workloads, and the points below are not reasons to avoid it. They are reasons to adopt it with clear eyes.

Frequently Asked Questions