Shared Responsibility Model
What is Shared Responsibility Model?
Shared Responsibility ModelA cloud security framework that splits security duties between the cloud provider (security of the cloud) and the customer (security in the cloud).
The shared responsibility model defines which security controls a cloud provider operates and which the customer must implement themselves. For IaaS, the provider secures the physical data centre, hypervisor, and core network, while the customer is responsible for guest OS patching, IAM, network configuration, encryption, and application code. For PaaS and SaaS, the provider absorbs more layers, but customer obligations such as identity, data classification, sharing settings, and integration security remain. Misunderstanding these boundaries is a leading cause of cloud breaches: customers often assume the provider secures workloads or data when it does not. Each major provider (AWS, Azure, GCP) publishes a model that should drive cloud control mappings.
● Examples
- 01
AWS secures the S3 service; the customer is responsible for bucket policies and object encryption.
- 02
Microsoft secures the Microsoft 365 platform; the tenant must configure conditional access and DLP.
● Frequently asked questions
What is Shared Responsibility Model?
A cloud security framework that splits security duties between the cloud provider (security of the cloud) and the customer (security in the cloud). It belongs to the Cloud Security category of cybersecurity.
What does Shared Responsibility Model mean?
A cloud security framework that splits security duties between the cloud provider (security of the cloud) and the customer (security in the cloud).
How do you defend against Shared Responsibility Model?
Defences for Shared Responsibility Model typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Shared Responsibility Model?
Common alternative names include: Shared responsibility, Cloud responsibility matrix.