Cloud Shared Responsibility Model

What Is the Cloud Shared Responsibility Model

The Cloud Shared Responsibility Model is the concept of dividing cloud environment security between the cloud provider and the customer. The provider is responsible for "security of the cloud" (physical infrastructure, hypervisor, network foundation), while the customer is responsible for "security in the cloud" (data, access control, application configuration).

This model is not unique to a specific provider - AWS, Azure, and GCP all adopt the same fundamental concept. However, the specific boundary of responsibilities varies by service model (IaaS, PaaS, SaaS), and misunderstanding this boundary is a major cause of cloud security incidents.

Responsibility Boundaries by Service Model

The boundary of responsibility varies depending on the cloud service model.

  • IaaS (EC2, Azure VM, etc.): The provider manages the physical infrastructure, the hypervisor, and the underlying network and storage fabric. The customer is responsible for OS patching, middleware configuration, application security, data encryption, identity and access, and all network settings (security groups, routing, exposure to the internet). This model has the broadest customer responsibility
  • PaaS (RDS, Azure App Service, etc.): The provider manages the OS and middleware in addition to the infrastructure. The customer is responsible for application code, data, access control, encryption settings, and network exposure (for example, whether a database instance is reachable from the internet). Routine OS patching is handled by the provider, which reduces operational burden, although the customer usually still chooses the maintenance window in which engine updates are applied
  • SaaS (Microsoft 365, Salesforce, etc.): The provider manages nearly everything from infrastructure to the application. The customer is responsible for user and identity management (including MFA), access and sharing settings, and data classification and retention. The customer's responsibility scope is the narrowest, but it does not disappear entirely

Commonly Overlooked Customer Responsibilities

There are areas in the shared responsibility model that customers particularly tend to overlook.

  • Cloud Storage Access Settings: Public access settings for S3 buckets and Azure Blob Storage are the customer's responsibility. Provider defaults change over time (new S3 buckets have had Block Public Access enabled by default since 2023), so older buckets, and buckets where the block was deliberately turned off, still need an explicit check of their ACLs and bucket policies. Numerous data breach incidents have been caused by this
  • Encryption Enablement: Many cloud services offer encryption features, but they are not always enabled by default; EBS volume encryption, for instance, is off unless the account-level default is turned on. Enabling encryption for data at rest and in transit, and properly managing encryption keys (who can use them, rotation, where they live), is the customer's responsibility
  • Log Enablement and Monitoring: Audit logs (CloudTrail, Azure Activity Log) and resource monitoring are not automatically configured in all services. CloudTrail, for example, shows 90 days of management events by default, but durable storage in S3, multi-region coverage, log file validation, and data events all require a trail the customer creates. Enabling the necessary logs and building a monitoring system is the customer's responsibility
  • Network Configuration: Security group rules, network ACLs, and VPC configurations (and their Azure NSG and GCP firewall rule equivalents) are entirely the customer's responsibility. Overly permissive rules, such as allowing all traffic or SSH/RDP from 0.0.0.0/0, are a common misconfiguration

Embedding the Shared Responsibility Model in Your Organization

Properly operating the shared responsibility model requires organizational efforts beyond just technical measures.

  • Document Responsibility Boundaries: Clearly document the provider's and customer's responsibilities for each service used. Especially for PaaS and SaaS, where boundaries tend to be ambiguous, break the documentation down to the level of specific configuration items
  • Establish Security Baselines: Define minimum security settings (encryption enablement, log configuration, access control policies) for each service and verify compliance through automated checks
  • Regular Training: Ensure development and operations teams understand the shared responsibility model. In particular, when adopting new services, clarify the responsibility boundaries before use
  • Leverage Compliance Tools: Use tools like AWS Security Hub, Microsoft Defender for Cloud (formerly Azure Security Center), and GCP Security Command Center to continuously monitor whether customer-side responsibilities are being fulfilled. These tools check the customer's side of the line only; evidence for the provider's side comes from the provider's own audit reports (SOC 2, ISO 27001)
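As an added example (not part of the original page), the Python below turns the four commonly overlooked responsibilities listed earlier and the "security baseline verified through automated checks" item above into one offline checker. It runs over a constructed snapshot whose dict shapes follow the AWS API responses named in the comments (GetPublicAccessBlock, GetBucketEncryption, DescribeSecurityGroups, DescribeTrails/GetTrailStatus) so the same functions can be pointed at real boto3 output; the bucket names, security group IDs, KMS key ARN, admin port list and severity levels are assumptions for illustration, and nothing here calls a cloud provider.

```python
"""Automated baseline check over a constructed cloud-config snapshot (no AWS calls are made)."""
from typing import NamedTuple, Optional

Finding = NamedTuple("Finding", [("resource", str), ("check", str),
                                 ("severity", str), ("detail", str)])  # severity: HIGH/MEDIUM/LOW

ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}  # assumed never internet-facing: SSH, RDP, DB ports
ANYWHERE = {"0.0.0.0/0", "::/0"}


def check_public_access_block(bucket: str, cfg: Optional[dict]) -> list:
    """cfg mirrors GetPublicAccessBlock['PublicAccessBlockConfiguration']; None = never set."""
    if cfg is None:
        return [Finding(bucket, "s3-public-access-block", "HIGH",
                        "no public access block; an ACL or bucket policy can expose objects")]
    off = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets") if not cfg.get(k)]
    return [Finding(bucket, "s3-public-access-block", "HIGH",
                    "public access block incomplete, disabled: " + ", ".join(off))] if off else []


def check_bucket_encryption(bucket: str, cfg: Optional[dict]) -> list:
    """cfg mirrors GetBucketEncryption['ServerSideEncryptionConfiguration']; None = no rule."""
    if cfg is None:
        return [Finding(bucket, "s3-default-encryption", "MEDIUM", "no default encryption rule")]
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
             for r in cfg.get("Rules", [])]
    if any(a.startswith("aws:kms") for a in algos):
        return []  # a key the customer controls: meets this example's baseline
    return [Finding(bucket, "s3-default-encryption", "LOW",
                    "SSE-S3 only; baseline asks for a customer-managed KMS key")]


def check_security_group(sg: dict) -> list:
    """sg is one element of DescribeSecurityGroups['SecurityGroups']."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        src = ",".join(c for c in cidrs if c in ANYWHERE)
        if not src:
            continue  # ingress limited to specific ranges
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "-1" means every protocol on every port
            findings.append(Finding(sg["GroupId"], "sg-open-ingress", "HIGH",
                                    f"all traffic allowed from {src}"))
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        admin = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        sev = "HIGH" if admin else "LOW"  # 80/443 on a public-facing group may be intended
        findings.append(Finding(sg["GroupId"], "sg-open-ingress", sev,
                                f"{proto} {lo}-{hi} open from {src}, admin ports {admin}"))
    return findings


def check_trails(trails: list) -> list:
    """trails is DescribeTrails['trailList'] with GetTrailStatus['IsLogging'] merged in."""
    if any(t.get("IsMultiRegionTrail") and t.get("IsLogging")
           and t.get("LogFileValidationEnabled") for t in trails):
        return []
    return [Finding("account", "cloudtrail-baseline", "HIGH",
                    "no multi-region trail that is logging with log file validation")]


def run_baseline(snapshot: dict) -> list:
    """Evaluate every customer-side control in the baseline and return the findings."""
    out = []
    for name, b in snapshot["buckets"].items():
        out += check_public_access_block(name, b["public_access_block"])
        out += check_bucket_encryption(name, b["encryption"])
    for sg in snapshot["security_groups"]:
        out += check_security_group(sg)
    return out + check_trails(snapshot["trails"])


# Constructed snapshot: bucket names, group IDs and the KMS key ARN are made up.
SNAPSHOT = {
    "buckets": {
        "acme-marketing-assets": {"public_access_block": None, "encryption": None},
        "acme-finance-exports": {
            "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
            "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example"}}]}}},
    "security_groups": [
        {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0e4f5a6b", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}],
    "trails": [{"Name": "main", "IsMultiRegionTrail": False,
                "LogFileValidationEnabled": True, "IsLogging": True}],
}

if __name__ == "__main__":
    for f in sorted(run_baseline(SNAPSHOT), key=lambda f: f.severity):
        print(f"{f.severity:6} {f.resource:22} {f.check:24} {f.detail}")
```

On the constructed snapshot this reports six findings: the unprotected marketing bucket (no public access block, no encryption rule), SSH open to the world and an all-traffic rule on two security groups, a low-severity note for 443 on the public group, and a single-region trail that does not meet the logging baseline. To run it against a real account, build the snapshot from boto3 output, mapping the NoSuchPublicAccessBlockConfiguration and ServerSideEncryptionConfigurationNotFoundError errors to None, and feed the findings into Security Hub or a CI gate so the baseline is checked on every change rather than once at adoption.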

To learn more about this topic, see Cloud Storage Security: How to Keep Your Data Safe in the Cloud.

Common Misconceptions

Moving to the cloud means the provider handles all security
The provider is only responsible for physical infrastructure and platform foundations. Data protection, access control, application configuration, and enabling encryption are the customer's responsibility, requiring the same or greater security awareness as on-premises environments.
Using managed services eliminates nearly all customer security responsibilities
Managed services reduce the burden of OS and middleware management, but IAM settings, network access control, data encryption, and log enablement remain the customer's responsibility. The scope of responsibility narrows but does not disappear.