Cloud Computing: What It Is and Why It Matters

Cloud computing represents the dominant infrastructure model for digital service delivery across the United States — encompassing government systems, enterprise applications, financial platforms, and consumer software. This reference covers the structural definition of cloud computing, its major service and deployment classifications, the regulatory frameworks governing its use, and the boundaries that distinguish cloud from adjacent infrastructure models. The site covers 40 in-depth topics, from cloud service models and deployment architectures to security controls, cost management strategies, and migration planning — serving industry professionals, technology researchers, and procurement decision-makers operating within the US national cloud services landscape.

Core moving parts

The National Institute of Standards and Technology (NIST) defines cloud computing through five essential characteristics in NIST SP 800-145: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. These five characteristics form the structural boundary between cloud infrastructure and conventional hosted or managed IT — any deployment lacking one or more is not technically cloud computing under the NIST framework, which the federal government, FedRAMP, and the majority of US enterprise procurement standards treat as authoritative.

The mechanical structure of cloud computing rests on three layers:

1. Physical infrastructure — Data centers, servers, networking hardware, and storage arrays owned and operated by the cloud provider, distributed across geographic regions and availability zones. Amazon Web Services, for example, operates over 30 geographic regions publicly disclosed in its infrastructure documentation.
2. Virtualization and abstraction layer — Hypervisors, containerization platforms, and software-defined networking that partition physical resources into isolated, tenant-specific virtual environments. This layer enables resource pooling across thousands of simultaneous customers.
3. Service delivery and management plane — APIs, web consoles, and automation frameworks through which customers provision, configure, and scale resources. The management plane is also a primary attack surface; cloud identity and access management controls govern who can operate it.

Cloud services are formally classified into three delivery models. Infrastructure as a Service (IaaS) delivers raw compute, storage, and networking. Platform as a Service (PaaS) adds runtime environments, middleware, and development tooling. Software as a Service (SaaS) delivers fully managed applications over the internet. The boundaries between these models determine the division of security and operational responsibility — a distinction formalized in the shared responsibility model that governs every major provider's contractual terms. A full structural breakdown of each model appears in the cloud service models reference.

Deployment architecture is a separate classification axis. Public cloud environments share infrastructure across unrelated tenants on a provider's network. Private cloud restricts resources to a single organization. Hybrid cloud connects on-premises or private infrastructure to public cloud environments through dedicated or encrypted links. Multi-cloud distributes workloads across two or more independent public cloud providers. Each configuration carries distinct compliance, latency, and cost implications covered in the cloud deployment models reference.

Where the public gets confused

Three classification errors produce the majority of procurement mismatches and compliance failures in cloud adoption.

Cloud storage versus cloud computing. Cloud storage is one service category within cloud computing, not a synonym for it. Object storage, block storage, and file storage services each operate under distinct performance characteristics, pricing models, and durability guarantees — none of which apply uniformly to compute or platform services on the same provider network.

Managed hosting versus cloud. A server hosted in a third-party data center does not constitute cloud computing unless it exhibits NIST's five essential characteristics. Managed hosting typically lacks on-demand self-service and rapid elasticity — two criteria that are definitionally required. This distinction matters because compliance frameworks, insurance policies, and government contracts frequently reference "cloud" environments specifically.

Elasticity versus scalability. Elasticity describes the automatic, real-time adjustment of resources in response to demand — a property native to cloud infrastructure. Scalability describes the capacity to grow — a property shared by on-premises systems. Cloud scalability and elasticity are related but structurally distinct capabilities. Conflating them leads to underprovisioning during demand spikes or overprovisioning at static capacity.

Common questions from industry professionals and procurement staff are addressed in the Cloud Computing: Frequently Asked Questions reference.

Boundaries and exclusions

Cloud computing does not encompass the following categories, despite frequent overlap in marketing materials:

• Edge computing — Processing that occurs at or near the data source, outside centralized cloud data centers. Edge computing and cloud integration is a distinct architectural pattern, not a cloud subtype.
• Colocation — Physical rack space leased in a third-party data center, where the customer owns and manages all hardware. Colocation lacks virtualization, resource pooling, and on-demand self-service.
• Content delivery networks (CDNs) — Distributed caching infrastructure designed to reduce latency for static content. CDNs are frequently integrated with cloud platforms but operate on different provisioning and billing models.
• Serverless computing — Serverless computing is a subset of cloud computing, not an alternative to it. It abstracts infrastructure management entirely, but it executes on the same physical cloud infrastructure as IaaS workloads.

The cloud computing glossary provides formal definitions for over 80 terms that appear in procurement, compliance, and architecture contexts.

The regulatory footprint

Federal cloud adoption in the United States is governed primarily by the Federal Risk and Authorization Management Program (FedRAMP), administered by the General Services Administration. FedRAMP establishes a standardized security authorization process for cloud products and services used by federal agencies, organized into three impact levels — Low, Moderate, and High — derived from NIST SP 800-37 and NIST SP 800-53. As of the FedRAMP Marketplace, over 300 cloud offerings hold authorized status for federal use.

The Cybersecurity and Infrastructure Security Agency (CISA) publishes cloud security guidance applicable to critical infrastructure operators, including binding directives for civilian federal agencies under the authority of the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. § 3551 et seq.

Sector-specific regulation extends the baseline. Healthcare organizations subject to HIPAA must ensure that cloud service agreements include a Business Associate Agreement (BAA) before storing or processing protected health information. Financial institutions regulated by the Office of the Comptroller of the Currency (OCC) operate under OCC Bulletin 2023-17, which addresses third-party risk management applicable to cloud providers. Payment card environments must satisfy PCI DSS v4.0 controls regardless of whether processing occurs on-premises or in public cloud infrastructure.

Cloud compliance and regulations maps these frameworks against service model and deployment type classifications. Cloud security covers the technical controls that satisfy them.

This site is part of the Authority Network America (authoritynetworkamerica.com) reference infrastructure, which provides sector-specific public reference resources across technology, regulatory, and professional service verticals.