
Guideline

UCSF IT Security Cloud Computing Guidance - Cloud Service Basics


  • Impacted Services: IT Security Outreach and Training

Overview | What is the "cloud"?

The "cloud" is a continually evolving concept that broadly references cloud services, or cloud computing. Cloud services can mean collections of any or all of the following: applications, information, infrastructure components and services provided as pools of resources.

The ability for these broadly accessible services to be rapidly provisioned, deprovisioned, expanded and contracted based on demand creates a demand-driven service model, which can be seen as a "Pay for what you use" type of IT service.

The technologies behind cloud services can blur the lines of certain traditional computing definitions with (1) combined products from vendors and (2) the varying levels of control, risk, capability and dependence on additional solutions, which differ according to the mix of products that make up a distributed system or application. 

There are also commercial and consumer cloud services, providing many different capabilities. Most people use free or almost-free cloud services for things like email, calendaring, music services, social media, online storage and photo storage. These consumer-focused technologies may seem as if they would meet business needs as well, and some of them can be used under certain circumstances, but in general they are not approved for use at UCSF.

"Click-through" agreements for services available on the internet are not approved by UCOP or UCSF legal and procurement departments: Only authorized individuals can enter into agreements for UC. Additionally, these agreements contain language and clauses that are problematic for business and patient care data. 

Cloud computing service models

The National Institute of Standards and Technology (NIST) has created a conceptual model that depicts these interdependencies and shows how the various models and consumption of cloud services interact. The model facilitates discussions and considerations irrespective of vendor- or product-specific terms for areas such as contracting, compliance, law, security, privacy, architecture, design, roles and responsibilities, data classification, operations, consulting, business requirements, and more. 

This section will introduce service and deployment models. For more detailed guidance, see the UCSF IT Security Wiki (login required).

There are generally three service models for cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

Software as a Service (SaaS)

SaaS is generally considered an application provided to the consumer that is running on a cloud infrastructure. The application will be made accessible via different client platforms, devices and application programming interfaces (APIs). The consumer of the application will not have management responsibility or control of the underlying network, physical infrastructure, servers, databases, programming platform, storage, operating systems or most security elements. There may be some options and capabilities exposed for use or management of the application; however, these are generally focused on the consumer's portion of the application and the respective data.

Examples of Software as a Service (SaaS) at UCSF include:

  • Salesforce
  • Box
  • ServiceNow
  • Qualtrics
  • CrashPlan

Platform as a Service (PaaS)

PaaS is a service model where the consumer of the service can deploy consumer-created or consumer-acquired applications leveraging services, libraries and languages supported by the service provider. The consumer will not have access to the underlying network, physical infrastructure, services, storage, operating system or some security elements. Within this model, the consumer will likely have control of the configuration settings for the application environment. 
 
Examples of Platform as a Service (PaaS) at UCSF include:

  • UCSF Drupal (Acquia hosted)
  • Amazon Web Services - contact UCSF Procurement
  • Microsoft Azure - contact UCSF Procurement

Infrastructure as a Service (IaaS)

IaaS models are closer to what a traditional IT infrastructure looks like and offer more control for the consumer, who can provision and configure processing, operating systems, platform components, databases, storage, networks and other foundational computing components. With these components, the consumer is free to run whatever software will run within the distributed systems available from the IaaS provider. The consumer will likely (1) not have direct access to the physical infrastructure and (2) have only limited access to networking and storage elements.

Examples of Infrastructure as a Service (IaaS) at UCSF include:

  • Amazon Web Services
  • Microsoft Azure
  • UCSF Datacenter VMware Hosting

Cloud Computing Deployment Models

In addition to the various cloud computing service models, these models can be deployed with varying points of access and integration within an organization's computing infrastructure and network. Leveraging the NIST definitions, there are four deployment models for cloud computing: private cloud, community cloud, public cloud and hybrid cloud. 

Private cloud

This is a cloud infrastructure or service provisioned for use by a single organization, which may comprise multiple consumers. This cloud is generally owned and operated by the organization, a contracted third party or a combination, and this infrastructure may reside on or off premises.

Community cloud

The community cloud model is a cloud infrastructure provisioned for use by a specific community of consumers who are from different organizations and have a shared concern or business need. This cloud may be owned, managed and operated by one or a number of the organizations participating in the community. The cloud infrastructure may be provided by a third party or a combination of community members and third-party companies, and it may exist on or off premises.

Public cloud 

Public cloud infrastructures are provisioned for use by the general public and are generally open to use. The infrastructure exists on the premises of the cloud provider and may be owned, managed and operated by a combination of the businesses, academic institutions, government organizations or third parties who consume the cloud service. 

Hybrid cloud

This cloud infrastructure model is a composite of two or more of the previous models, whereby unique components are bound together by technologies that enable data and resource portability within the distributed system.

  • Owning Team: IT Security
    © 2025 The Regents of the University of California