Businesses rely on cloud providers such as AWS, Microsoft Azure and Google Cloud. Cloud computing is flexible, scalable, and cost-efficient, but it introduces an important concept that many businesses misunderstand: the Shared Responsibility Model.
Cloud security breaches are often caused by a misunderstanding of this model. This guide explains the Shared Responsibility Model in simple terms, breaks down who’s responsible for what, and shows you how to avoid costly mistakes.
What is the shared responsibility model?
The Shared Responsibility Model defines how security and compliance responsibilities are divided between a Cloud Service Provider (CSP) and the customer.
In simple terms:
- Cloud providers are responsible for security of the cloud
- Customers are responsible for security in the cloud
This shared approach helps both parties understand their respective roles and work together to maintain a secure cloud environment.
Why Shared Responsibility is Important
Most businesses believe that when they move to the cloud, the provider will handle all security. This is a dangerous assumption.
Understanding the Shared Responsibility Model will help you:
- Prevent data breaches and misconfigurations
- Comply with regulatory requirements
- Clearly define internal security responsibilities
- Save money and avoid reputational damage
You cannot outsource responsibility, even if you outsource infrastructure.
Who is responsible for what?
Security of the Cloud (Responsibilities of Cloud Providers)
Cloud providers are responsible for protecting the infrastructure that runs cloud services. This includes:
- Data centers and physical buildings
- Hardware for servers, storage and networking
- Controls for power, cooling and the environment
- Hypervisors and core cloud infrastructure
AWS, for example, ensures that its data centers are protected against threats like theft, fire or natural disasters.
Security in the Cloud (Customer Responsibilities)
The customer is responsible for how they manage and protect anything they put into the cloud. This usually includes:
- Encryption and protection of data
- Identity and Access Management (IAM)
- Operating systems and patches (depending on the service type)
- Configuration of the network (firewalls and security groups)
- Application security
- Compliance with regulations (HIPAA, GDPR, PCI-DSS)
If your cloud storage bucket is exposed to the public, that is your responsibility, not the provider’s.
How Responsibilities Differ by Cloud Service Type
The shared responsibility model varies depending on the type of cloud service you use.
Infrastructure as a Service (IaaS)
Examples: AWS EC2, Azure Virtual Machines
Provider handles:
- Physical infrastructure
- Networking hardware
- Data center security
Customer handles:
- Operating systems
- Apps
- The following are some of the most effective ways to reduce your risk.
- Firewall rules and network controls
With IaaS, the customer carries the majority of the responsibility.
Platform as a Service (PaaS)
Examples: Azure App Service, Google App Engine
Provider handles:
- Operating systems
- Runtime environments
Customer handles:
- Apps
- The following are some of the most effective ways to reduce your risk.
- User access
- Application-level security
With PaaS, responsibility is more evenly balanced.
Software as a Service (SaaS)
Examples: Microsoft 365, Google Workspace, Salesforce
Provider handles:
- Apps
- Platform security
Customer handles:
- Access management for users
- Data classification and protection
- Use and compliance policies
With SaaS, the customer’s main responsibilities are data and access.
Common Misconceptions About the Shared Responsibility Model
“The cloud provider will handle everything related to security”
False.
“If there is a breach, the fault lies with the provider”
Not always. Most breaches are caused by customer errors, weak passwords or weak access controls.
“We use SaaS now, so we don’t need to do any security work”
Even if you use SaaS, you are still responsible for user permissions, compliance, and data protection.
Real-World Example
Think of it like renting an apartment:
- The building structure, including the locks at the main entrance, is the responsibility of the landlord.
- It is your responsibility to lock your door, protect your valuables and control who enters.
The cloud works the same way.
Best Practices to Manage Your Responsibilities
To stay safe in the cloud:
- Clearly document security roles and responsibilities
- Enforce strong Identity and Access Management (IAM)
- Activate logging, monitoring and alerts
- Audit cloud configurations regularly
- Encrypt sensitive data
- Train your staff on cloud security basics
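To make "audit cloud configurations regularly" concrete, here is an added example (not part of the original article) that checks two customer-side settings named above: a storage bucket policy that allows anonymous access and a security group that opens admin ports to the internet. The policy and rule fields follow AWS's JSON field names; the snapshot wrapper (`Buckets`, `SecurityGroups`, `Name`) and all sample values are assumptions constructed for illustration.

```python
ADMIN_PORTS = (22, 3389)            # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}    # IPv4 / IPv6 "whole internet"

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def audit_bucket(bucket):
    """Flag an unconditional Allow to everyone that no access block neutralizes."""
    stmts = bucket.get("Policy", {}).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    public = any(s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
                 and not s.get("Condition") for s in stmts)
    blocked = bucket.get("PublicAccessBlock", {}).get("RestrictPublicBuckets", False)
    hit = [(bucket["Name"], "bucket policy allows anonymous access")]
    return hit if public and not blocked else []

def audit_security_group(sg):
    """Flag admin ports reachable from any address."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if perm.get("IpProtocol") not in ("tcp", "-1") or not cidrs & ANYWHERE:
            continue
        all_ports = perm.get("IpProtocol") == "-1"   # "-1" means every protocol and port
        lo, hi = (0, 65535) if all_ports else (perm.get("FromPort", 0), perm.get("ToPort", 65535))
        findings += [(sg["GroupId"], f"port {p} open to the internet")
                     for p in ADMIN_PORTS if lo <= p <= hi]
    return findings

def audit(snapshot):
    """Run both checks over a snapshot and return (resource, issue) pairs."""
    found = [f for b in snapshot.get("Buckets", []) for f in audit_bucket(b)]
    return found + [f for g in snapshot.get("SecurityGroups", []) for f in audit_security_group(g)]

# Constructed sample snapshot (names and IDs are made up).
SAMPLE = {"Buckets": [
    {"Name": "example-public-assets", "PublicAccessBlock": {"RestrictPublicBuckets": False},
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"Name": "example-internal", "PublicAccessBlock": {"RestrictPublicBuckets": True},
     "Policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject"}}},
], "SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}
```

Calling `audit(SAMPLE)` reports the first bucket and the first security group; the second bucket is covered by its access block and the second group only exposes HTTPS.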
Final Thoughts
The Shared Responsibility Model is more than a concept; it’s a mindset. Cloud providers offer powerful tools and secure infrastructure, but security depends on how you use them.
Understanding this model will help you protect your data, maintain compliance and build trust with your clients.
If you use the cloud, you are already part of the Shared Responsibility Model. Do your part.