The NIST definition of Cloud Computing from 2011 has now become so much an oversimplification that it is more often than not unhelpful, e.g. when trying to base your policies on it. So, forget about 'IAAS' and 'PAAS', end your 'cloud policies' or cloud-specific procedures. Instead, concentrate on managing the key generic issue underlying it: the ever more complex mixes of owned and outsourced algorithms and data..
McKinsey seems to be the first 'big consultancy' that really frees itself from outdated, ineffective, orthodox enterprise architecture notions.