Infrastructure pillar · Module 3 of 6

Cloud computing

Here’s the simple version: cloud computing is renting computers instead of buying them. But there’s more to it than that. Let’s unpack what “the cloud” actually means and why everyone’s using it.

← Back to Infrastructure Fundamentals Training

Controls stack visual kit

Reusable icons and a telemetry-to-audit diagram aligned to our fundamentals and operational guides.

Governance evidence

Use for control statements that cite ISO/IEC 42001 clause 6.3 change management, EU AI Act Articles 62–75, and SOC 2 trust service criteria.

Secure supply chain

Pair with SBOM, provenance, and intake guidance that references SPDX or CycloneDX formats, SLSA Level 3 attestations, and NIST SSDF tasks PS.3/PO.4.

Telemetry & evaluations

Highlight logging of prompts, responses, refusal rates, and safety filters alongside adversarial evaluation suites from NIST AI RMF playbooks or UK AISI guidance.

Assurance & resilience

Use for incident response and assurance artefacts that must meet OMB M-24-10 24-hour notifications, CIRCIA’s 72-hour clocks, and serious-incident duties under the EU AI Act.

Signals Controls Evidence Audit
  • Signals: prompt traces, supplier advisories, and safety filter activations streamed into monitoring.
  • Controls: guardrails, change review, SBOM validation, and access enforcement tied to AI lifecycle gates.
  • Evidence: runbooks that capture artefacts for ISO/IEC 42001 management reviews and SOC 2 narratives.
  • Audit: regulator-facing packets that satisfy EU AI Act post-market monitoring, OMB M-24-10, and CIRCIA timelines.

3.1 The three flavours of cloud

Think of it like housing options:

  • IaaS (Infrastructure as a Service). You rent the virtual equivalent of an empty building. You get servers, storage, and networks, but you install and manage everything that runs on them. Like renting an unfurnished flat. Examples: AWS EC2, Azure Virtual Machines, Google Compute Engine.
  • PaaS (Platform as a Service). You get a ready-to-use platform for running applications. Just upload your code; they handle the infrastructure underneath. Like a serviced apartment—furnished and maintained. Examples: Heroku, Google App Engine, Azure App Service.
  • SaaS (Software as a Service). Complete applications you use through a browser. Someone else built it, runs it, and maintains it. You just use it. Like staying in a hotel. Examples: Gmail, Salesforce, Slack, Microsoft 365.

3.2 The big three cloud providers

Amazon Web Services (AWS)

The pioneer and market leader. Huge range of services, biggest ecosystem, can feel overwhelming. If you’re not sure where to start, AWS is rarely a wrong choice—but the learning curve is real.

Microsoft Azure

Strong if you’re already using Microsoft products. Great enterprise features and hybrid cloud options. Windows workloads often fit naturally here.

Google Cloud Platform

Smaller market share but excellent for data analytics and machine learning. Often praised for cleaner design and developer experience. Kubernetes was born here.

The honest pros and cons

Why cloud is great

  • Start small, scale up as needed (no big upfront investment)
  • Someone else worries about hardware failures at 3am
  • Global reach—deploy to any region in minutes
  • Access to services you couldn’t build yourself (AI, databases, etc.)

The catches

  • Costs can spiral if you’re not careful (seriously, watch your bill)
  • Vendor lock-in is real—moving later is painful
  • You’re trusting someone else with your data
  • Complexity just shifts, it doesn’t disappear

💡 The key insight

Cloud isn’t magic, and it’s not automatically cheaper. It’s a trade-off: you give up some control in exchange for flexibility and not managing hardware. The winners are organisations that understand this trade-off and use cloud strategically, not just because “everyone else is doing it.”

Free resources to learn more

← Previous: Data centres and hardware Next: Networking basics →