Cloud architecture models — SY0-701
Master cloud architecture models (IaaS, PaaS, SaaS, public/private/hybrid/community) for CompTIA Security+ SY0-701 — grounded in NIST SP 800-145 definitions.
WHAT IT IS
Cloud computing is "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (NIST SP 800-145, via NIST Glossary)
Within that model, NIST SP 800-145 defines two orthogonal axes: service models (what capability is delivered) and deployment models (who controls and uses the infrastructure).
Mental model
Think of service models as a stack: moving from IaaS to PaaS to SaaS, each layer hands more control to the provider and leaves less with the consumer. Deployment models are a separate question entirely: they describe who the infrastructure is provisioned for, not what runs on it.
When to use it
Use the two tables below to identify which service model and which deployment model a scenario describes. The exam often presents a scenario and asks you to name the model, or names the model and asks what the consumer is responsible for.
Service models (NIST SP 800-145)
| Model | What the consumer gets | What the consumer controls | What the provider controls |
|---|---|---|---|
| IaaS — Infrastructure as a Service | Processing, storage, networks, and other fundamental computing resources | Deployed operating systems, applications, and (sometimes) host firewalls | Underlying cloud infrastructure |
| PaaS — Platform as a Service | Ability to deploy consumer-created or acquired applications using provider-supported languages, libraries, services, and tools | Deployed applications and possibly application-hosting environment configuration | Underlying network, servers, operating systems, and storage |
| SaaS — Software as a Service | Use of provider's applications running on a cloud infrastructure, accessible via thin client (e.g., web browser) or program interface | Limited user-specific application configuration settings | Everything else: infrastructure, OS, storage, and individual application capabilities |
Deployment models (NIST SP 800-145)
| Model | Provisioned for | Who may own/manage/operate it | On- or off-premises |
|---|---|---|---|
| Public cloud | Open use by the general public | A business, academic, or government organization, or a combination | Exists on the premises of the cloud provider |
| Private cloud | Exclusive use by a single organization comprising multiple consumers (e.g., business units) | The organization, a third party, or a combination | May exist on or off premises |
| Community cloud | Exclusive use by a specific community of consumers from organizations with shared concerns (e.g., mission, security requirements, policy, compliance) | One or more community organizations, a third party, or a combination | May exist on or off premises |
| Hybrid cloud | Composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, bound together by standardized or proprietary technology enabling data and application portability | Depends on the constituent clouds | Depends on the constituent clouds |
COMMON MISCONCEPTION
A common misconception is that the deployment model determines what the consumer is responsible for securing. It does not. Responsibility allocation follows the service model, not the deployment model. A private cloud running SaaS still leaves the consumer with only limited application configuration control — the same as a public-cloud SaaS deployment — because "private" describes provisioning scope, not the service capability boundary. Candidates who conflate "private cloud" with "full control" will misread responsibility scenarios.
A second trap: "hybrid cloud" does not simply mean using two vendors. NIST SP 800-145 specifies that the constituent infrastructures "remain unique entities" but are "bound together by standardized or proprietary technology that enables data and application portability." A setup that merely uses two separate clouds without that binding technology does not meet the definition.
How it shows up on the exam
Questions targeting this concept measure your ability to classify a described environment into the correct model (application of definitions) and to reason about the resulting security posture. Candidates who have memorized labels but not the NIST-grounded boundaries tend to:
- Confuse IaaS and PaaS by misremembering which party controls the operating system layer (IaaS: consumer controls OS; PaaS: provider controls OS).
- Assume that a "private" deployment model guarantees the consumer controls all security controls — a claim the NIST definition does not support.
- Treat "hybrid cloud" as a catch-all for any multi-cloud environment rather than a specifically defined composition with portability binding.
Watch for scenario stems that describe shared concerns (community), exclusive single-org use (private), general public access (public), or composed infrastructures with data portability (hybrid) — these are the signal phrases that map directly to the NIST definitions above.
Related concepts
- Shared Responsibility Model — defines how security obligations are divided between provider and consumer within a service model.
- Infrastructure as Code — the practice of provisioning cloud infrastructure through machine-readable configuration, relevant to how IaaS environments are managed securely.
- Software-Defined Networking — the network abstraction layer that cloud providers use to deliver the network resources described in IaaS definitions.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: