Close this search box. white logo

Shared Responsibility Model – Explained!

Cloud adoption is booming, with businesses reaping the benefits of scalability, agility, and cost-effectiveness. Yet, an alarming statistic looms large: Gartner predicts that by 2025, 99% of cloud security failures will be the customer’s fault. 

This alarming figure sparks concern and confusion: is the cloud inherently insecure, or are there other factors at play?

But before giving up and just accepting the situation, consider an alternative perspective: the shared responsibility model. This means you don’t see security as something only one person has to take care of. It’s more like a team effort where cloud service companies and their users each have specific things they need to look after when it comes to keeping everything safe.

That said, keep reading as we delve into the shared responsibility model, evoking its intricacies and empowering you to navigate the secure path forward.

So, let’s dive right in!

What is a Shared Responsibility Model?

What is a Shared Responsibility Model

Cloud security is a shared journey, but whose responsibility lies where? This is exactly what the Shared Responsibility Model outlines.

To put it more simply: imagine a building – the owner(cloud provider) lays the foundation, erects the building, and ensures its structural integrity. Yet, each tenant(customer) within the building is responsible for securing their unit, including doors, windows, and valuables. This analogy perfectly captures the essence of the Shared Responsibility Model.

So, technically what exactly is it?

In essence, it’s a division of security responsibilities between cloud providers and their customers. Each party owns specific domains, ensuring a comprehensive security posture. Consider it a pre-defined agreement, outlining who’s accountable for what, minimizing confusion, and pinpointing potential weak spots.

Think of it as a two-part puzzle:

1. Security of the Cloud: This is the foundation, built and maintained by the Cloud Service Provider (CSP). They handle the physical and virtual infrastructure, including data centers, network equipment, and underlying operating systems. Their responsibility encompasses patching, updating, and ensuring the cloud’s availability and reliability. This is akin to building a secure fortress – the CSP lays the groundwork.

2. Security in the Cloud: This is where you, the customer, come in. You’re responsible for securing your own “castle” within the fortress. This includes:

  • Access Controls: Setting up robust authentication and authorization mechanisms to control who can access your data and applications.
  • Data Security: Encrypting data both at rest and in transit, preventing unauthorized access or modification.
  • User Management: Implementing strong password policies, managing user accounts, and enforcing least privilege access principles.
  • Application Security: Securing your applications through vulnerability scanning, patching, and coding best practices.


Let’s take a technical scenario as an example – consider using Amazon S3 for data storage. S3, the CSP, ensures the physical security of their data centers and protects against infrastructure-level threats. 

However, it’s your responsibility, as the S3 user, to properly configure access controls and permissions for your data buckets, encrypt sensitive data, and regularly monitor access.

Different Types of Shared Responsibility Models

The Shared Responsibility Model might seem like a single map, but the cloud landscape is diverse, demanding variations in security approaches. Different cloud service models – Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) – each come with their nuances in shared responsibility. Let’s explore the unique terrain of each:

1. Software as a Service (SaaS): Here, the provider shoulders most, if not all, security responsibilities. Think Gmail or Salesforce – you use the application, but Google and Salesforce secure it. They secure the entire application stack, including infrastructure, network, and even application security itself. You, the customer, primarily focus on managing user access and ensuring data within your account is protected.

2. Platform as a Service (PaaS): This offers more flexibility and control than SaaS. Think Google App Engine or Azure App Service. Here, the CSP manages the underlying infrastructure and platform components: runtime, libraries, and operating systems. You, as the builder, take the reins for securing your application and data.

3. Infrastructure as a Service (IaaS): For this model, the first example would be Amazon EC2 or Microsoft Azure VM. This offers maximum flexibility, but also maximum responsibility: the CSP only secures the bare infrastructure (virtual machines, storage, networks). You handle everything else—operating systems, application security, and data protection, which require deep technical expertise.

Each cloud provider typically outlines their specific shared responsibility model through a “Responsibility Matrix.” This matrix explicitly details which security tasks fall under the provider and which belong to the customer. Familiarizing yourself with this matrix for your chosen cloud service(s) is crucial for navigating your security responsibilities accurately.

 Here’s a comprehensive table for your easy understanding:

Service Model CSP Responsibility Customer Responsibility
SaaS Application security Infrastructure & network security Uptime & system performance User access management Data security & account security
PaaS Infrastructure & platform components (runtime, libraries, OS) Application & data security User access management
IaaS Virtual machines, storage, networks Operating system, runtime, applications, data User access management Data security & account security

The customer’s typical cloud security responsibilities

So far, we’ve navigated the shared responsibility model, understanding its core principles and variations based on service types. Now, it’s time to shift the focus directly to you, the customer. What are your typical security responsibilities in the cloud? Let’s break it down: Here are some key areas you’d be accountable for:

1. Identity and Access Management (IAM):

  • Implement strong authentication and authorization mechanisms to control who can access your data and applications.
  • Enforce multi-factor authentication (MFA) for critical accounts.
  • Manage user privileges based on the least privilege principle.
  • Regularly monitor and review user access logs.


2. Data Security:

  • Encrypt data at rest and in transit using industry-standard algorithms.
  • Implement data loss prevention (DLP) solutions to prevent unauthorized data exfiltration.
  • Classify and label sensitive data according to its criticality.
  • Regularly back up your data and store backups securely.


3. Security Configuration Management:

  • Securely configure all cloud resources according to best practices and vendor recommendations.
  • Patch and update operating systems and applications promptly to address vulnerabilities.
  • Enable logging and monitoring for all your cloud resources.


4. Application Security:

  • Secure your applications by following secure coding practices.
  • Regularly scan your applications for vulnerabilities and patch them promptly.
  • Implement web application firewalls (WAFs) to protect against common web attacks.


5. Incident Response:

  • Develop and test an incident response plan to address security breaches effectively.
  • Regularly train your staff on cybersecurity best practices.
  • Stay informed about emerging cyber threats and vulnerabilities.

The provider’s typical cloud security responsibilities

As we covered responsibilities for a customer, but don’t forget, securing the cloud is also equally important! Let’s explore the typical security responsibilities you can expect from your chosen cloud provider:

1. Physical and Virtual Infrastructure Security:

  • Providers are responsible for the physical security of their data centers, employing measures like access control, intrusion detection, and environmental monitoring.
  • They secure the underlying virtual infrastructure, including hypervisors, virtual machines, and storage systems, through patching, vulnerability management, and secure configurations.

2. Network Security:

  • Providers manage the security of their internal networks, protecting against unauthorized access and malicious activity through firewalls, intrusion detection/prevention systems (IDS/IPS), and secure routing protocols.
  • They secure customer data in transit within their network using encryption protocols like TLS and IPsec.

3. Platform Security (PaaS/IaaS):

  • For PaaS offerings, providers secure the underlying platform components like runtime environments, libraries, and operating systems. They apply security patches, manage vulnerabilities, and ensure secure configurations.
  • In IaaS environments, providers secure the bare infrastructure (virtual machines, storage, networks) but leave application and data security to the customer.

4. Security Services and Tools:

Many providers offer a range of security services and tools you can leverage to enhance your security posture. These can include cloud-based security information and event management (SIEM), vulnerability scanning, and malware detection tools.

5. Compliance and Certifications:

Reputable providers comply with industry security standards and frameworks like SOC 2, ISO 27001, and HIPAA. These certifications ensure that they follow best practices for data security and privacy.

Divided responsibilities 

Now that we’ve explored your and your provider’s responsibilities, let’s delve into the grey areas: responsibilities that overlap depending on the cloud service model (SaaS, PaaS, IaaS) and specific services employed. Understanding these shared areas is crucial for avoiding confusion and ensuring seamless security collaboration.

When it comes to SaaS and PaaS services, both parties share the responsibility of securing identity and directory infrastructure. Similarly, in PaaS offerings, the joint effort extends to securing application security and network controls. Remember, specific details vary among providers, so always refer to their documented model for your chosen service.

Here are some common areas of overlap:

1. Operating Systems:

The responsibility for choosing and securing the operating system (OS) falls on the user, regardless of whether they use the provider’s offering or bring their own. This means understanding your security needs and selecting an OS that meets those requirements. Choosing the provider’s OS? Great! Remember, the security onus remains on you. Bringing your own? Own the responsibility for patching, vulnerability management, and secure configurations.

2. Native vs. Third-Party Tools:

While providers ensure the security of their native services, user-deployed third-party tools present a shared responsibility scenario. The provider secures the underlying infrastructure and virtualization layer, but the user takes charge of securing the application and its data. 

3. Server-Based vs. Serverless Computing:

The responsibility division depends on the chosen model. In server-based setups, users manage OS selection, workload deployment, and security configuration. However, serverless or event-based computing shifts some responsibility to the provider. While still accountable for deployed code, users rely on the provider’s security options and configurations within the serverless environment.

4. Network Controls:

Whether using the provider’s firewall or your own, the configuration responsibility rests with the user. This includes setting firewall rules and ensuring they align with your security standards. Don’t be a passive passenger on the network security highway – take the wheel and configure it for your destination.

Challenges of the Shared Responsibility Model

While the shared responsibility model offers a framework for collaborative cloud security, it’s not without its challenges. Here are some key issues to consider:

Complexity and Confusion:

The nuances of the model can be overwhelming, especially for organizations with limited cloud expertise. Understanding the precise division of responsibilities between you and your provider can be complex and time-consuming. Different cloud providers use varying terminology and present their shared responsibility model in diverse ways, adding to the confusion.

Lack of Visibility and Control:

Customers don’t always have full visibility into how providers secure their underlying infrastructure and platform components, making it difficult to assess overall security posture. Also, limited control over certain security aspects within the provider’s domain can hinder the implementation of specific security policies or tools desired by the customer.

Incident Management and Attribution: 

In the event of a security incident, pinpointing the root cause and identifying who is responsible can be a complex and contentious process. Both parties might point fingers, delaying remediation efforts and creating unnecessary friction.

Access Control

Striking the right balance between robust access controls and enabling business agility can be tricky. Delegating access within your organization while ensuring clear lines of responsibility and preventing over-privileging remains a complex task. In multi-tenant environments, ensuring clear visibility and control over who has access to what data can be challenging, especially when managing shared credentials or third-party tools.

Misaligned Resources and Incentives:

Customers and providers may have different risk tolerances and security priorities, leading to misaligned resource allocation and security investments. Providers might incentivize specific services or tools that may not always align with the customer’s specific security needs and context.

Best Practices for Implementing Shared Responsibility Model

Best Practices for Implementing Shared Responsibility Model

The shared responsibility model in the cloud offers immense opportunity but also harbors potential pitfalls. By following these five best practices, you can navigate the model effectively and achieve a secure cloud environment:

1. Know Your Service Level Agreement (SLA)

Different cloud providers carve up responsibilities differently, so meticulously review your SLA to understand your exact obligations. Don’t shy away from seeking clarification or negotiating terms. If you’re multi-cloud, do this for each provider.

2. Integrate Security Everywhere

Security shouldn’t be an afterthought; it should be woven throughout your development lifecycle. DevSecOps practices—integrating security testing and controls into your development pipeline—help catch vulnerabilities early and streamline processes. Make security everyone’s responsibility, not just security teams.

3. Prioritize Data Security

Data is your crown jewel, and across all service models (IaaS, PaaS, etc.), it’s always your responsibility. Start by classifying your data based on sensitivity. Build a robust data security strategy from the inside out, enforcing strong perimeter controls and policies. Remember, encryption is your friend!

4. Open Communication with Your Cloud Provider

Communication is key. Be vigilant about updates from your provider, as service enhancements or changes can impact your security responsibilities. Don’t hesitate to ask questions or seek clarification if anything is ambiguous. Engage your security community – knowledge is power.

5. Consider Trusted Security Partners

The vastness of the cloud can be daunting. Consider solutions like CloudDefense.AI which is dedicated to simplifying your shared responsibility journey. Explore solutions like:


While the cloud opens doors to agility and innovation, navigating the nuances of shared responsibility can feel like a challenging task. Major CSPs urge their customers to take ownership of their security responsibilities, but the complexities can persist. The good news is that you don’t have to go it alone. CloudDefense.AI acts as your trusted security partner, seamlessly integrating with your CSP to provide unparalleled visibility and control over your entire cloud environment. Our comprehensive platform empowers you to pinpoint vulnerabilities, prioritize security risks, and leverage AI-driven auto-remediation – all through a single holistic platform. Don’t just take our word for it. Schedule a FREE demo with CloudDefense.AI today and see how we can help you secure the cloud, confidently.

Table of Contents
favicon icon
Are You at Risk?
Find Out with a FREE Cybersecurity Assessment!
Anshu Bansal
Anshu Bansal
Anshu Bansal, a Silicon Valley entrepreneur and venture capitalist, currently co-founds CloudDefense.AI, a cybersecurity solution with a mission to secure your business by rapidly identifying and removing critical risks in Applications and Infrastructure as Code. With a background in Amazon, Microsoft, and VMWare, they contributed to various software and security roles.
Protect your Applications & Cloud Infrastructure from attackers by leveraging CloudDefense.AI ACS patented technology.

579 University Ave, Palo Alto, CA 94301