Reading Time: 7 minutes

One of the most frequent questions I get asked, is can I explain the different between Infrastructure as a Service, Platform as a Service and Software as a Service compared to familiar concepts such as on-premises and local hosting. In the post I am going to describe an analogy that will resonate with both technical and non-technical audiences, the differences between each different concept and the pros and cons of each. In further posts, I will put these concepts into context.

Rather than getting straight into the nitty-gritty technical detail, I have found that the following analogy is the most successful at explaining the differences: Pizza as a Service.


This is the (now) old-fashioned way of provisioning computer systems within an organisation. This consists of having your data centre/server room in premises owned/leased by the organisation. There is significant capital expenditure (CAPEX) involved with building a data centre this we. Firstly, it may require the construction of dedicated premises, a dedicated power supply with backup generator, air conditioning, the server hardware itself and other equipment. On top of this, there will be significant operation expenditure (OPEX) to keep your data centre running smoothly. You will have to pay specialist IT personnel to look after it, overhead costs like maintaining the air-conditioning system and utility costs. In theory, this solution does give you the most flexibility/control over your IT resources. You are also responsible for the physical security which adds to the CAPEX and OPEX.

To ease the transition process, Microsoft have published the Total Cost of Ownership calculator of which can be accessed here so you can assess yourself what the true savings would be.

An On-Premises environment gives you the greatest control over your IT infrastructure estate but less flexibility to expand. For example, if there is a sudden requirement to provision more virtual machines, it most likely will be a slower process: request budget for new servers, get quotations from vendors, purchase servers, wait for delivery. This may take some weeks from planning to fruition. Some organisations may have a requirement to have redundancy in place and have multiple data centres that are linked in case of fail-over. Whilst this satisfies the requirement, it is also very expensive to operate. From a personnel point of view, regardless of whether your infrastructure estate is operated by FTEs (Full time employees) or vendors (Contractors), there will be a resource limitation in terms of how you can use your staff as they are responsible for more.


What is IaaS? – It is a service which virtually replicates infrastructure that would normally be hosted in an on-premises data centre such as servers, virtual machines, networking hardware and storage.

In an IaaS environment such as Azure Virtual Machines, Microsoft provide the hypervisors, physical disks and other key infrastructure required to enable them to offer this service. However, it is the responsibility of the customer to manage the Windows Updates, virtual disks, which CPU/RAM size and the virtual network the virtual machine uses. Unlike with the on-premises counterpart, it is easy to scale services with demand. For instance, if there is a line of business application that has heavy usage during normal business hours (Mon-Fri 08:00-18:00) but very little to none in the evenings and at the weekend. Instead of running the virtual machines at the required business hours SKU at all times, through technologies such as Azure Function Apps, it is possible to scale the virtual machines on a timer basis saving the organisation operational expenditure. This is billed based on usage and is usually paid monthly. As with any data centre regardless of who operates it, there is always risk of an outage whether it is man-made or natural. With IaaS, it is possible to pay for redundancy that would allow your services to failover between two or more locations should an outage occur. If this extra service is not paid for then you would have to wait until service has been restored at the data centre your IaaS resources are deployed in which may interrupt business operations. Whilst you are able to implement this kind of redundancy in your own on-premises data centres, service providers such as Microsoft are able to operate economies of scale which ultimately gives you the customer more flexibility with disaster recovery scenarios.


What is PaaS? – It is a service that allows you as the customer to deliver the same services such as a database or website hosting without the hassle of having to maintain the backend infrastructure.

In a PaaS environment, such as Azure SQL Database, Microsoft hosts the server infrastructure, security, backups, and networking configurations required to deliver this service. You are responsible for the data itself hosted in the database and providing the right levels of access to your users. It is easy to scale on demand. It is also much easier to transport should for example an organisation chooses a new vendor to manage their database estate. However, if there is an outage in the service provider’s data centre that your application/database is running on then they will cease to operate until the outage is resolved. The workaround for this is to pay for extra redundancy. If there was a natural disaster at a service provider’s data centre. then you are able to configure your PaaS service to fail-over to a different data centre owned by the service provider in another geographical location.

Another example is the App Service, this allows to organisations to host websites that can auto-scale based on demand. This kind of service has taken off in popularity over the past few years as businesses struggled to cope with demand during busy times like Black Friday. This is billed based on usage and is usually paid monthly.


What is SaaS? It is a service that gives you access to applications developed/hosted by the provider without having to maintain any of the backend systems supporting the application. Unlike traditional applications you may have bought outright every time a new version came out such as Adobe Illustrator, these are typically billed on a subscription basis.  Instead of paying hundreds of pounds every couple of years for a product that is unlikely to change at all until the next version is released, you pay a nominal monthly or annual fee and receive a constantly evolving product.

The Microsoft 365 family is a great example of this. Historically, a typical organisation would have their e-mail hosted on servers in their data centre using a technology called Microsoft Exchange. Whilst it offers a lot of control, Exchange requires specialist knowledge to implement and maintain. This costs hundreds of pounds every few years to upgrade on top of maintaining the servers it is hosted on. Couple this with the fact that each perpetual Microsoft Office license is also several hundred pounds it would make sense for an organisation to adopt Microsoft 365. Per user, for a nominal monthly/annual fee, it is possible to get the same applications you would get in a perpetual license plus Exchange that is fully hosted by Microsoft and support that’s included in your subscription. This results in reduced capital expenditure and reduced stress for the administrators that would look after Exchange.

Whilst SaaS is great at what it does, there is also a risk of outages. Unlike the two aforementioned deployment models, it is not possible for you the customer to have any control when services are restored as that is the responsibility of the service provider. Whilst services like Exchange Online will have lots of redundancy in place in case there is an outage, there is always the risk that service will not be restored quickly and could result in lost productivity.

Is the cloud secure?

In short, yes (but with caveats depending on which deployment model you have chosen). In fact, in each cloud deployment scenario (IaaS, PaaS, SaaS), there is always shared responsibility between the customer and the service provider. With an on-premises deployment scenario, unless outsourced, you are both the service provider and the customer.

In order to drive adoption and satisfy the needs of their customers, Microsoft have had their cloud platforms for both Azure and M365 independently audited to ensure that meet specific regulatory guidelines for collecting and handling data. This list is constantly evolving but there are many regulatory standards that the services adhere to such as HIPAA (Health Insurance Portability and Accountability Act – USA), FCA (Financial Conduct Authority – UK), G-Cloud (UK Government Cloud), ISO 27001 and GDPR (General Data Protection Regulation – European Union).

For environments which are heavily regulated and have strict requirements such as the UK’s Ministry of Defence; both the digital and physical security of their systems are paramount. Whilst cloud platform providers such as Microsoft Azure and Amazon Web Services are constantly evolving their services to support more and more regulatory environments, there are some use cases where an on-premises data centre is the most suitable.

That being said, both Microsoft and Amazon have data centres in the U.S. specifically for U.S. government use which are geographically separated and independent from the public cloud which you and I would use.

Which solution is right for my organisation?

In short, it depends. For any new projects that I work on, unless there is a specific requirement, I always go with a PaaS solution for these three reasons

  • It keeps a lid on cost, you scale to what you need now rather than what you think the demand might be in the future. If the demand changes in future, it’s really easy to change the scaling.
  • There are less points of failure as redundancy is built into the cost of the service
  • Security – It is much easier to secure an Azure SQL Database versus provisioning an IaaS virtual machine with SQL Server installed as security is managed by the service provider. You are also able to authenticate using modern authentication which may encompass multi-factor authentication.

If there is a specific regulatory/business requirement which prevents you from moving to the cloud, then it’s probably best to stay with on-premises.

If you need to migrate existing legacy workloads such as an on-premises SQL Server or Active Directory domain controller then IaaS is the way to go. That is if a migration to PaaS is not feasible.

For SaaS, I always recommend going with these solutions rather than the traditional perpetual equivalent for a couple of reasons

  • It is a lot more flexible with licensing, if you need a service for a couple of months it makes sense to pay the monthly fees rather than shelling out £££ for a perpetual licence
  • You always get the latest versions
  • No infrastructure to worry about in the back end