IaaS

In brief

You’re renting the equivalent of a bare plot of land and its foundations: virtual machines, storage and networking. You’re given the raw materials, and you manage everything you build on them.

Precise definition

Infrastructure as a Service, as defined by NIST (SP 800-145). The service provider supplies the basic virtualised resources: virtual machines, block or object storage, virtual networks and firewalls. The customer retains control over everything else: operating system, middleware, runtime environments, data and applications. Examples: EC2 (AWS), Compute Engine (Google), vSphere and Cloud (VMware), Dedibox and Elements (Scaleway).

Our analysis

IaaS is the most basic layer, and the one where the customer has the greatest degree of control. You choose your system, your versions, your network configuration and your encryption method. On paper, this is the most autonomous tier possible, because nothing running on the machine itself depends on the service provider. The key word here is ‘possible’.

Possible, because technical control does not alter the legal relationship. If the provider operating the infrastructure falls under a foreign jurisdiction, they may be compelled to cut off access or hand over data, regardless of the quality of what the customer has built on top of it. The sovereignty of an IaaS is not determined by the service layer, but by the law to which the operator is subject.

Hence a common misconception among French companies: the belief that owning one’s own application stack is sufficient to ensure sovereignty. It is not enough. If the computing runs on an IaaS subject to the CLOUD Act, an in-house stack does nothing to alter that exposure. The code remains yours; access, however, depends on who controls the machine and under which law.