How the Cloud Shared Responsibility Model Affects You

June 17, 2022

Public cloud services have changed the way many organizations operate. When you have an on-premises data centre, you own the whole stack and are responsible for securing it. However, with the proliferation of Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) models, you can rest easy knowing that the service provider takes full responsibility for securing your organization’s data in the Cloud, right?


Public cloud services providers, including big players like Amazon Web Services (AWS) and Microsoft Azure, typically employ a shared responsibility model for security. As the name of this model suggests, it’s based on your organization and the service provider dividing up the security responsibilities based on their type. In the following sections we’ll look at where the lines of responsibility are typically drawn and examine how the shared responsibility model affects your organization.

Who Does What

The rule of thumb with the shared responsibility model is: The service provider is responsible for security of the Cloud, while your organization is responsible for security in the Cloud.

This means that the cloud provider is responsible for the physical security of the hosts, network, and data centre, while your organization retains responsibility for securing information and data, your devices which interact with the cloud service, and accounts and identities.

For example, AWS operates, manages, and controls the components from the host operating system and virtualization layer right down to the physical security of the facilities in which the service operates. The AWS customer, meanwhile, assumes responsibility and management of the guest operating system (including updates and security patches) and other related application software.

However, responsibilities vary depending on the service type when we venture into the middle ground. A case in point, Microsoft Azure applies a sliding scale based on how the workloads are hosted:

  • SaaS: Microsoft shares security responsibilities with an organization for Identity and Directory Infrastructure, and Microsoft assumes full responsibility for Applications, Network Controls, and Operating Systems.
  • PaaS: Microsoft remains full responsibility for Operating Systems however security for Identity and Directory Infrastructure, Applications, and Network Controls are shared.
  • IaaS: Microsoft places full responsibility on an organization for securing of all four of these areas.

How responsibilities are shared, as in the SaaS and PaaS scenarios, depends on the stipulations of the service provider. For example, for AWS shared security controls, AWS provides the requirements for the infrastructure and the organization must implement their own controls within their use of AWS services. Some examples include:

  • Patch Management: AWS is responsible for patching and fixing flaws within the infrastructure, but the organization is responsible for patching their guest operating systems and applications.
  • Configuration Management: AWS maintains the configuration of its infrastructure devices, but the organization is responsible for configuring their own guest operating systems, databases, and applications.
  • Awareness & Training: AWS trains AWS employees while an organization must train its own employees.

The Implications

It’s important to remember you always own your data and identities, regardless of the cloud deployment type. Your organization is responsible for protecting the security of your data and identities, on-premises resources, and the cloud components under your control.

While certain responsibilities will always remain with the customer regardless of the cloud deployment type, the cloud service provider still takes on many of the “commodity” responsibilities formerly assigned to your team. Subsequently, you can re-allocate your resources to address unmet security responsibilities and improve your organization’s overall security posture.

Figuring out the demarcation points of responsibility with a cloud service provider can be tricky and implementing security measures over the controls for which your organization is responsible can also be daunting. An iON Security Assessment can help you determine where your organization needs to pick up the slack for overlooked responsibilities. We can help deploy and configure industry-leading secure access service edge (SASE) solutions that extend your security capabilities into the Cloud.

Contact us for more information.