In Understanding the Multiple Versions of the FedRAMP ATOs, we provided a high-level overview of the three types of provisional ATOs (P-ATO) available to a government agency. Today, we’d like to dive into the differences between the types of cloud offerings that are available. Those are Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS). Each of the three platforms can offer an agency distinct benefits and, yes, some drawbacks. That being said, let’s jump in, define the three platforms, and identify some of the pros and cons of each.
Cloud platforms are the building blocks upon which an agency deploys applications. At the lowest tier you will find IaaS. Within an IaaS cloud, customers can expect to find the processing power (compute), storage, and network resources already deployed in a secure fashion. IaaS cloud resources can be provisioned rather quickly, which allows customers to deploy an application quickly. However, a traditional IaaS cloud solution provides security and management of the infrastructure only up through the hypervisor. This leaves the responsibility for securing and managing everything above the hypervisor to the customer. The portion of the infrastructure that is not typically covered includes virtual operating systems, virtual networks, applications, data, and the security controls that sit on top of the entire solution. If a customer has the in-house expertise to provide these capabilities, or leverages a managed service provider (MSP) to provide this expertise, an IaaS solution can work quite well. Without this expertise, the overall cost of securing the solution can become quite high and, in the meantime, a customer could potentially be exposed to any number of security vulnerabilities.
The next tier up is a PaaS solution. This builds upon the best features of an IaaS solution (management of the compute, storage, and network resources), with the provider also taking on responsibility for deploying and managing the virtual machines themselves. Customers would no longer have to be responsible for the security of the virtual operating systems or the network layer that resides above the applications and data. Customers need only worry about the applications and data themselves. This is a great solution for customers that do not have in-house IT expertise, are tasked with streamlining their IT department, or have the internal resources but would like to reallocate those resources to other projects or innovations. If a customer does have the in-house IT expertise, they may need to work with the cloud service provider (CSP) to make sure there is a clear division of responsibility and that each party understands its role in the overall management of the solution. This can often become the best of both worlds, as customers no longer need to worry about the security of the cloud solution, but are still able to retain full control over their applications and data.
A SaaS solution is the perfect choice for a customer who would like to outsource the maintenance of the entire cloud infrastructure and application(s) to a managed service provider. The magic of a SaaS solution is that customers are effectively renting access to hosted applications. The customer will load their data into the application and may have some customization capabilities, but for the most part, they are paying for access to a pre-designed solution that is capable of being rapidly deployed. Customers who simply want to run an application without the in-house IT expertise for the infrastructure or application(s) find a SaaS solution to be perfect for their needs. A customer who wants the ability to control aspects of the infrastructure, or to control the overall security of the solution, may find the SaaS option a bit too restrictive.
When you are evaluating a cloud platform, take into account more than simply the Cloud Service Provider’s (CSP) name. Look closely at the type of cloud platform that the CSP is offering, and at your available resources and/or business and technical needs. With so many CSPs that have achieved a FedRAMP P-ATO, you should be able to pick the right CSP to meet your business and technical needs.