ASP.NET Security Consultant

I'm an author, speaker, and generally a the-way-we've-always-done-it-sucks security guy who specializes in web technologies and ASP.NET.

I'm a bit of a health nut too, having lost 50 pounds in 2019 and 2020. Check out my blog for weight loss tips!

Demystifying the cloud and XaaS

Published on: 2017-03-02

More and more companies are moving to the cloud for their software, but there is still some uncertainty as to what the cloud is, or what some of the buzzwords like IaaS or SaaS mean. This post is intended to clarify some terms to help you understand where these technologies can (and can't) add value.

What is the Cloud?

Quite simply, the "cloud" is another person's computer. Sounds disappointing when you remove all the hype, doesn't it? But a lot of the hype is legitimate, not for what the cloud is but instead for what the cloud can do to help your technology infrastructure team be more productive. Here are some of the benefits of using someone else's computer rather than your own:

  • Hardware issues are someone else's problem. This is not trivial - hardware failures do happen, and with the cloud the provider can simply move your software to new hardware if there's a failure, reducing or eliminating downtime.
  • It is easy to scale up or scale down when needed. Before the cloud, whenever starting a new technology initiative, we had to predict the amount of hardware we needed before we started. Now we can purchase only what we need at the time and scale up as we need it. Better yet, now we can scale up or down on demand per hour and only pay for what we use. Only need large servers Thursday evenings? You can do that with the cloud.
  • Related to the last point, innovation becomes much easier with the cloud. You can purchase space on a cloud server for a new experiment, then cheaply expand the service if the experiment worked or kill it if it failed.

Now that we've seen some of the benefits of using the cloud, what do some of the buzzwords, specifically the XaaS terms, mean, and what are their advantages and disadvantages relative to each other or to running everything in-house?

What is Infrastructure-as-a-Service (IaaS)?

Infrastructure-as-a-Service, or IaaS, is what most approximates the vision of using "someone else's computer". In short, with IaaS, you can create a new server to host your systems without purchasing any hardware. Most IaaS systems take care of some server maintenance (such as ensuring the operating system has the latest patches), but in general you're responsible for most server maintenance and configuration.


  • Most flexibility in types of solutions you can build
  • No need to manage hardware
  • Easily scales up (or down) as needed
  • Most likely to be able to host legacy applications with minimal changes


  • Requires the most support, setup, and maintenance of the cloud solutions
  • Is the solution that is most likely to fail (or be hacked) due to a configuration problem
  • Is usually the slowest from idea to usability

What is Software-as-a-Service (SaaS)?

Software-as-a-Service, or SaaS, refers to software that is sold by a third party. If you log into the app using your browser, but aren't responsible for the server or source code, then you probably have SaaS. Many CRM solutions, such as Salesforce and Microsoft Dynamics CRM, can be thought of as SaaS providers. With SaaS, the software provider is responsible for the hardware, as well as maintenance and security patching of both the server and the software.


  • Requires the least amount of maintenance of all the XaaS solutions
  • Usually can be functional within minutes or hours of starting the service


  • You might be able to move your data, but you have little flexibility over how the software itself behaves
  • SaaS offers the least flexibility of the three XaaS solutions I'm describing here

Splitting the difference: Platform-as-a-Service (PaaS)

Platform-as-a-service, or PaaS, refers to hosting situations where the cloud provider offers access to a third-party web server or database, which allows technology teams to write their own solutions as with an IaaS environment but can reduce the amount of maintenance needed.

It is worth noting that some SaaS providers, such as both Salesforce and Microsoft Dynamics CRM, allow for customizations that blur the lines between SaaS and PaaS. Generally, though, people will refer to systems that have functionality without customization as SaaS systems.


  • You get most of the flexibility of IaaS without the headache of managing a server
  • You can get a system up and running without needing to configure hardware as well


  • Seems to be disproportionately more expensive than IaaS, meaning (for now) if you have a solid infrastructure team in your IT department you may save more money going with IaaS
  • Not all applications and systems will move over to PaaS easily

When should you choose one over another?

If you are looking to leverage software in the cloud, SaaS should be your first choice. Both PaaS and IaaS require heavy involvement from your technology teams, and therefore are going to be more expensive than SaaS solutions. This is true even if you need to change some business processes. Standardizing your business process may be easier in the short run and cheaper in the long run than building custom software. I can think of three exceptions to this:

  1. The uniqueness in your business process is either core to your product offering or gives you a competitive advantage in some form or another.
  2. The uniqueness in your business process is due to the fact that your business is unique. I see this fairly often with small businesses serving a niche market.
  3. You've decided to integrate several smaller best-in-breed software solutions rather than purchase one large ERP (enterprise resource planning) system.

If you do need a custom solution, I generally prefer IaaS over PaaS. Why? At the time of this writing (February 2017), PaaS platforms are disproportionately expensive and lower-featured than IaaS platforms, though I expect that to change over the coming months and years. Until that happens, for custom solutions, I recommend putting any important or mission-critical systems on IaaS and save PaaS for short-lived solutions and prototypes.