UCSF IT Security Cloud Computing Guidance - Cloud Service Basics

Esther Silver's picture

Policy Type

Best Practice

What is the "cloud"?

The "cloud" is a continually evolving term which broadly references cloud services or cloud computing. Cloud services can mean collections of applications, information, infrastructure components, and/ or services which are provided as pools of resources.

The ability for these broadly accessible services to be rapidly provisioned, deprovisioned, expanded and contracted based on demand creates a demand driven service model which can be seen as a "pay for what you use" type of IT service.

The technologies behind cloud services can blur the lines of certain traditional computing definitions with combined products from vendors and the level of control, risk, capability, and dependence on additional solutions all vary depending on the mix of products which make up a distributed system and/ or application. 

There are also commercial and consumer cloud services providing many different capabilities. Most people use free or almost free cloud services for things like email, calendaring, music services, social media, online storage, and photo storage. These consumer focused technologies may seem as if they would meet business needs and some of them can be used under certain circumstances but in general they are not approved for use at UCSF.
The "click through" agreements for services available on the Internet are not approved by UCOP or UCSF legal and procurement departments and only authorized individuals can enter into agreements for UC. Additionally, these agreements contain language and clauses that are problematic for business and patient care data. 


Cloud Computing Service Models

NIST has created a conceptual model which depicts these interdependencies and shows how the various models and consumption of cloud services interact. The model facilitates discussions and considerations irrespective of vendor and/ or product specific terms for areas such as contracting, compliance, legal, security, privacy, architecture, design, roles and responsibilities, data classification, operations, consulting, and business requirements to name a few. 


This section will introduce service and deployment models. For more detailed guidance please see the UCSF IT Security Wiki here (login required) 


There are generally three service models for cloud computing; Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Software as a Service (SaaS)

SaaS is generally considered an application provided to the consumer running on a cloud infrastructure. The application will be made accessible via different client platforms and devices and or application programming interfaces (API). The consumer of the application will not have management responsibility or control of the underlying network, physical infrastructure, servers, databases, programming platform, storage, operating systems, or most security elements. There may be some options and capabilities exposed for use or management of the application however these are generally focused on the consumer's portion of the application and the respective data.

Examples of Software as a Service at UCSF includes:

  • SalesForce - available here
  • Box - available here
  • ServiceNow - available here
  • Qualtrics - available here
  • CrashPlan - available here
Platform as a Service (PaaS)
PaaS is a service model where the consumer of the service can deploy consumer-created or consumer-acquired applications leveraging services, libraries, and languages supported by the service provider. The consumer will not have access to the underlying network, physical infrastructure, services, storage, operating system or some security elements. Within this model the consumer will likely have control of the configuration settings for the application environment. 
Examples of Platform as a Service at UCSF includes:
  • UCSF Drupal (Acquia hosted) - available here
  • Amazon Web Services - please contact UCSF Procurement
  • Microsoft Azure - please contact UCSF Procurement
Infrastructure as a Service (IaaS)
IaaS models are closer to what a traditional IT infrastructure looks like and offers more control for the consumer where the consumer can provision and configure processing, operating systems, platform components, databases, storage, networks and other foundational computing components. With these components the consumer is free to run whatever software that will run within the distributed systems available from the IaaS provider. The consumer will likely not have direct access to the physical infrastructure and will likely only have limited access to networking and storage elements. 
Examples of Infrastructure as a Service at UCSF includes:
  • Amazon Web Services
  • Microsoft Azure
  • UCSF Datacenter VMware Hosting

Cloud Computing Deployment Models

In addition to the various Cloud Computing Service Models these services can be deployed with varying points of access and integration within an organization's computing infrastructure and network. Leveraging the National Institute of Standards and Technology (NIST) definitions there are four deployment models for cloud computing; private cloud, community cloud, public cloud, and hybrid cloud. 

Private Cloud

A cloud infrastructure or service which is provisioned for use by a single organization which may be comprised of multiple consumers. This is generally owned and operated by the organization, a contracted third party or a combination and this infrastructure may reside on or off premises.

Community Cloud

The community cloud model is a cloud infrastructure which is provisioned for use by a specific community of consumers who are from different organizations and have a shared concern or business need. This community cloud may be owned, managed and operated by one or many of the organizations participating in the community. The cloud infrastructure may also be provided by a third party or a combination of community members and third party companies and may exist on or off premises.

Public Cloud 

Public cloud infrastructures are provisioned for use by the general public and are generally open to use. The infrastructure will exist on the premises of the cloud provider and may be owned, managed and operated by a combination of the businesses, academic institutions, government organizations, or third parties who consume the cloud service. 

Hybrid Cloud

This cloud infrastructure model is a composition of two or more of the previous models whereby there are unique components bound together by technologies enabling data and resource portability within the distributed system.