Cloud Technology Services: Definitions, Models, and Use Cases
Cloud technology services constitute the delivery of computing resources — including processing power, storage, databases, networking, software, and analytics — over the internet, billed on consumption or subscription terms rather than capital expenditure in physical hardware. This page covers the formal definitions governing cloud models, the structural mechanics distinguishing service and deployment categories, the regulatory and standards frameworks applied across US sectors, and the tradeoffs that shape enterprise and government adoption decisions.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
The authoritative US government definition of cloud computing originates with NIST SP 800-145, The NIST Definition of Cloud Computing, which establishes five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. This definition is adopted across federal procurement frameworks, including those administered by the General Services Administration (GSA) under the Federal Risk and Authorization Management Program (FedRAMP).
Cloud technology services span infrastructure provisioning, platform environments, software delivery, and emerging function-level compute — all abstracted from the end consumer's physical hardware management. The scope extends across commercial enterprise, federal and state government agencies, healthcare organizations operating under HIPAA, and financial institutions regulated by frameworks such as those administered by the Office of the Comptroller of the Currency (OCC).
The US market for cloud infrastructure services reached approximately $232 billion in 2023, with Amazon Web Services, Microsoft Azure, and Google Cloud together holding over 65% of that market (Synergy Research Group, Q4 2023), establishing cloud as the dominant infrastructure paradigm rather than an emerging option. Understanding the full landscape of cloud technology services requires mapping both the service models and the deployment architectures that define how resources are provisioned and governed.
Core mechanics or structure
Cloud service delivery operates through three foundational service models as defined in NIST SP 800-145:
Infrastructure as a Service (IaaS) delivers virtualized computing resources — virtual machines, block storage, virtual networking — over the internet. The consumer manages operating systems, middleware, and applications; the provider manages physical hardware and hypervisor layers. AWS EC2, Azure Virtual Machines, and Google Compute Engine exemplify this tier.
Platform as a Service (PaaS) abstracts infrastructure management further, providing a runtime environment, database engines, development tools, and deployment pipelines. Consumers manage their applications and data; the provider manages OS, runtime, middleware, and underlying infrastructure. Azure App Service and Google App Engine represent this layer. The software-as-a-service overview on this network covers the uppermost service layer in full detail.
Software as a Service (SaaS) delivers fully managed applications over the internet. The provider controls the entire stack; the consumer accesses functionality through a browser or API endpoint. Salesforce, Microsoft 365, and Google Workspace are canonical SaaS examples.
Two additional models appear in specialized contexts: Function as a Service (FaaS), also called serverless computing, which executes discrete code units in response to events without persistent server management; and Desktop as a Service (DaaS), which virtualizes end-user computing environments.
The underlying mechanics rely on hypervisor-based virtualization (VMware ESXi, Microsoft Hyper-V, KVM) or container orchestration (Kubernetes, as governed by the Cloud Native Computing Foundation, CNCF), abstracting physical compute into resource pools that are partitioned, allocated, and metered in real time.
Causal relationships or drivers
Three structural forces drove the shift toward cloud delivery at scale. First, capital expenditure compression: maintaining on-premises data center infrastructure requires depreciation cycles of 3 to 5 years per hardware generation, whereas cloud providers amortize hardware costs across thousands of tenants, reducing per-unit compute costs. The US Office of Management and Budget's Federal Cloud Computing Strategy ("Cloud Smart," 2019) cited cost reduction as one of three primary federal adoption drivers alongside security improvement and operational agility.
Second, regulatory mandates in federal procurement: the Federal Risk and Authorization Management Program (FedRAMP) created a standardized authorization process for cloud products used by US agencies, which incentivized agency migration by reducing individual agency risk assessment burdens. As of 2023, over 300 cloud service offerings held FedRAMP authorization (FedRAMP Marketplace).
Third, workforce and geographic distribution requirements accelerated adoption, particularly as remote operations exposed the latency and access limitations of VPN-dependent on-premises architectures. Remote technology services delivery patterns now assume cloud-native access rather than treating it as an exception.
The relationship between elasticity and cost efficiency also drives adoption in sectors with variable workloads — retail, media streaming, healthcare analytics — where provisioning for peak capacity in fixed infrastructure would result in idle resources during off-peak periods exceeding 40% of total provisioned capacity (a structural pattern documented in the AWS Well-Architected Framework).
Classification boundaries
Cloud services are classified along two independent axes: service model (IaaS, PaaS, SaaS, FaaS) and deployment model. NIST SP 800-145 defines four deployment models:
- Public cloud: Infrastructure owned and operated by a third-party provider, shared across multiple tenants. Microsoft Azure, AWS, and Google Cloud operate public clouds.
- Private cloud: Infrastructure provisioned exclusively for one organization, either on-premises or hosted by a third party. Regulatory drivers in financial services and defense often mandate this model.
- Community cloud: Infrastructure shared by organizations with common compliance, security, or mission requirements. The GovCloud regions operated by AWS and Azure function as community clouds for US government workloads.
- Hybrid cloud: A composition of two or more distinct cloud infrastructures (private, community, or public) bound by standardized or proprietary technology enabling data and application portability.
These boundaries matter for compliance classification: the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to execute Business Associate Agreements (BAAs) with cloud service providers handling Protected Health Information (PHI), regardless of deployment model. The distinction between IaaS and SaaS affects which party bears responsibility for data encryption — a point addressed within technology services compliance and regulations.
Tradeoffs and tensions
Sovereignty and data residency: US organizations subject to export control regulations (ITAR, EAR administered by the Department of State and Commerce respectively) face constraints on where data can be stored and who can access it. Public cloud providers offer region-specific deployments, but multi-tenant infrastructure creates legal ambiguity under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2523), which allows US law enforcement to compel data access regardless of storage location.
Cost predictability vs. elasticity: Consumption-based pricing, while efficient for variable workloads, produces budget unpredictability in organizations accustomed to fixed capital expenditure cycles. Cloud cost management — increasingly categorized under FinOps, as defined by the FinOps Foundation — has become a distinct operational discipline. Reserved instance commitments (typically 1- or 3-year terms) reduce per-unit costs by 30–60% compared to on-demand pricing but reintroduce the inflexibility that cloud adoption was intended to eliminate.
Vendor lock-in: Proprietary managed services — AWS Lambda, Google BigQuery, Azure Cosmos DB — provide operational efficiency but create architectural dependencies. Migration costs between major providers include data egress fees, re-engineering of service integrations, and retraining of operations staff. The technology services vendor management framework addresses lock-in mitigation strategies in procurement contexts.
Security responsibility ambiguity: The Shared Responsibility Model, documented individually by AWS, Azure, and Google, delineates provider vs. customer security obligations — but misconfiguration of customer-managed controls accounts for the majority of cloud data breaches. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides a cross-referenced control framework mapped to ISO 27001, SOC 2, and NIST standards to address this ambiguity. Related implications are covered under cybersecurity as a technology service.
Common misconceptions
Misconception: Cloud is inherently more secure than on-premises infrastructure.
Correction: Security posture depends on configuration and governance, not delivery model. The CSA's Top Threats to Cloud Computing reports consistently identify misconfiguration and inadequate identity and access management as leading causes of cloud incidents — not provider infrastructure failures. NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, explicitly states that organizations retain responsibility for data classification and access control regardless of provider security certifications.
Misconception: FedRAMP authorization means a cloud product meets all federal agency security requirements.
Correction: FedRAMP authorization establishes a baseline of security controls aligned to FISMA (Federal Information Security Modernization Act, 44 U.S.C. § 3551 et seq.), but individual agencies may impose additional controls based on their specific system categorization (Low, Moderate, High) under the agency's own Authority to Operate (ATO) process.
Misconception: Multi-cloud strategy inherently reduces vendor lock-in.
Correction: Operating workloads across AWS and Azure simultaneously increases operational complexity and may not reduce lock-in if each workload is built on provider-specific managed services. Portability requires architectural discipline — containerization (Kubernetes), open APIs, and infrastructure-as-code tooling — not merely multi-provider presence.
Misconception: SaaS providers assume all compliance obligations.
Correction: Under HIPAA, for example, covered entities and business associates remain liable for breaches caused by failure to vet SaaS provider configurations, even when a BAA is in place. The HHS Office for Civil Rights has issued enforcement actions against covered entities whose SaaS vendor configurations exposed PHI.
Checklist or steps (non-advisory)
The following sequence describes the standard phases of a cloud service evaluation and procurement process as structured across US enterprise and government contexts. Each phase maps to a discrete decision gate.
- Workload classification — Identify data sensitivity levels (PII, PHI, CUI, financial records) and map to applicable regulatory frameworks (HIPAA, FISMA, PCI-DSS, ITAR).
- Service model selection — Determine whether the workload requires IaaS, PaaS, or SaaS delivery based on operational control requirements and internal staffing capacity.
- Deployment model determination — Assess whether public, private, community, or hybrid deployment satisfies data residency, sovereignty, and compliance requirements.
- Provider authorization verification — For federal workloads, confirm FedRAMP authorization status via the FedRAMP Marketplace; for healthcare workloads, confirm BAA availability; for financial workloads, confirm SOC 2 Type II attestation.
- Shared Responsibility Model review — Document provider vs. customer security control boundaries using CSA CCM or provider-published responsibility matrices.
- Pricing model selection — Evaluate on-demand, reserved instance, and savings plan service level against projected utilization patterns. Reference technology services pricing models for cross-model comparison.
- SLA terms analysis — Review uptime commitments, support tiers, incident response obligations, and penalty structures. The technology services contracts and SLAs reference covers standard SLA structures.
- Architecture review — Evaluate portability requirements, containerization strategy, and dependency on proprietary managed services before deployment.
- Ongoing compliance monitoring — Establish continuous configuration monitoring, logging, and audit trail requirements aligned to NIST SP 800-53 controls (NIST SP 800-53, Rev 5).
Reference table or matrix
Cloud Service and Deployment Model Comparison Matrix
| Dimension | IaaS | PaaS | SaaS | FaaS |
|---|---|---|---|---|
| NIST SP 800-145 designation | Yes | Yes | Yes | Outside original scope |
| Consumer manages OS | Yes | No | No | No |
| Consumer manages application | Yes | Yes | No | Yes (function code only) |
| Provider manages hardware | Yes | Yes | Yes | Yes |
| Typical billing unit | vCPU-hour / GB-month | API calls / app instances | Per seat / month | Invocation count / GB-second |
| FedRAMP applicability | Yes | Yes | Yes | Emerging (function-level) |
| Primary lock-in vector | Storage format, network config | Runtime APIs | Data export limitations | Trigger/event architecture |
| Shared responsibility complexity | High (consumer controls most layers) | Medium | Low (provider controls most layers) | Medium-High |
| Typical use case | VM hosting, DR, dev/test | App development, CI/CD pipelines | Email, CRM, collaboration | Event-driven automation, microservices |
Deployment Model Regulatory Fit
| Deployment Model | FedRAMP Path | HIPAA BAA Required | Typical Sector |
|---|---|---|---|
| Public cloud | Standard agency ATO | Yes | Commercial, civilian federal |
| Private cloud | Agency-operated ATO | Depends on hosting arrangement | Defense, financial, regulated industries |
| Community cloud | Shared authorization baseline | Yes | State/local government, healthcare networks |
| Hybrid cloud | Varies by component | Yes for PHI-bearing components | Enterprise, federal civilian |
The full taxonomy of technology service categories — including IT infrastructure, managed services, and data management — is documented through the types of technology services reference, which provides cross-cutting classification applicable to all delivery models. Organizations assessing cloud adoption within broader digital transformation programs should also reference the digital transformation and technology services framework, which contextualizes cloud migration within enterprise-wide modernization strategies. The foundational knowledge graph structure for all technology service categories covered across this network is accessible from the site index.
References
- NIST SP 800-145: The NIST Definition of Cloud Computing — National Institute of Standards and Technology
- NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing — National Institute of Standards and Technology
- NIST SP 800-53, Rev 5: Security and Privacy Controls for Information Systems and Organizations — National Institute of Standards and Technology
- FedRAMP Program Overview and Marketplace — General Services Administration
- FedRAMP Marketplace (Authorized Products) — General Services Administration
- Federal Cloud Computing Strategy ("Cloud Smart"), 2019 — Office of Management and Budget
- HIPAA Security Rule — US Department of Health and Human Services
- HHS Office for Civil Rights — HIPAA Enforcement — US Department of Health and Human Services
- Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 — Cybersecurity and Infrastructure Security Agency
- [Cloud Security Alliance Cloud Controls Matrix (CCM)](https://cloudsecurityalliance.org/