Once the organization chooses a cloud service mode, relevant metrics are selected, and targeted values finalized, the architect must then determine the appropriate recommendations for deployment and implementation styles. Each service model may have multiple deployment and implementation models. For example, IaaS is a service model. Within that model, infrastructure is deployed in many ways, including private, public, dedicated, or shared. The deployment of public cloud infrastructure services can traverse many different configuration options as well as different consumption and economic models.

Organizational risk tolerance drives cloud deployment model selection. Risk domains cut across operational, economic, technological, and security domains. Operational risk is a consideration for every deployment model. Private deployments are considered lower risk as they are owned and managed by the consumer. Right or wrong, humans tend to trust themselves more than others. That thinking has been proven invalid many times, yet this reflexive attitude remains.

When choosing deployment options, updating and patching the infrastructure is a key part of cybersecurity. Updates are rolled out proactively when service providers are managing the base infrastructure. In-house management may choose not to install patches or security updates for many reasons. Deployment model choices may need to change depending on the desired outcomes.

When internally managing software and systems, upgrades can take more time, but it does give the owner/manager control to decide how and when the upgrades and updates are implemented, along with as much time as needed for preparation and testing. Another operational risk may include the inability to access a cloud service due to lack of internet access. As cloud deployments grow, typically quicker than traditional deployments, they tend to sprawl, with control becoming more challenging as the number of services consumed grows. If not monitored and managed correctly, this leads to end-of-month cloud sticker shock.

In IaaS solutions, the cloud service provider makes all the decisions regarding technology choices for deployed services, including the type of server, the brand of storage, and the CPU manufacturer. These choices are abstracted away from the end user, with limited visibility into technical compatibility. The separation from the technology choices may lead to portability and interoperability risks in some situations. There can be some concern about data security. Most of these concerns are quickly handled through good design and security-minded questioning. Putting information into services that are accessible over the public internet means that criminals have a potential target. Security is a never-ending battle, with threats externally, internally, and sometimes from the least-expected places. Remember TJX and the HVAC entry point.