Skip to main content

Shared Responsibility Model

The shared responsibility model divides cloud security between provider and customer, with the boundary shifting by service model and configuration owned by the customer.

The shared responsibility model defines who is accountable for which parts of security in the cloud. The provider is responsible for security of the cloud, meaning the physical facilities, hardware, and the virtualization and managed-service layers. The customer is responsible for security in the cloud, meaning their data, configurations, access controls, and applications.

How It Works

The exact dividing line shifts with the service model. With infrastructure as a service, the customer manages the operating system, patching, network configuration, and everything above, while the provider secures the hypervisor and below. With platform as a service, the provider also manages the operating system and runtime, narrowing the customer's scope to applications and data. With software as a service, the provider handles almost everything except user access, data, and configuration. Regardless of model, the customer almost always owns data classification, identity and access management, and correct configuration. Misconfiguration by the customer, not provider failure, is the leading cause of cloud breaches.

Why It Matters

Understanding the model prevents dangerous assumptions. Teams sometimes believe the provider secures everything, leaving data exposed through public storage buckets, weak access policies, or unpatched instances. Mapping responsibilities explicitly for each service in use, and verifying that customer-side controls are in place, is essential for compliance and breach prevention. It also informs contracts, audits, and incident response planning.

Related Terms

The shared responsibility model frames security across infrastructure-as-a-service, platform-as-a-service, and managed services.