What is Shared Responsibility Model?

In the simplest definition – a shared responsibility model is a cloud security and compliance framework. Its purpose is to govern the security obligations of any cloud computing providers (CSPs). On the other hand, it dictates the users to ensure accountability.

This includes securing every aspect of the cloud environment. For instance, infrastructure, hardware, data, endpoints, configurations, operating system (OS), settings, access rights, and network controls.

Furthermore, the shared responsibility model dictates the CSPs – Amazon AWS, Microsoft Azure, and Google (GCO) to monitor and promptly respond to threats towards cloud security. In addition, the entire infrastructure.

However, the shared responsibility model is often misunderstood. Therefore, let’s have a better understanding to avoid any security breaches.

What are the Types of Shared Responsibility Model?

The three main cloud service models are:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Each delivery model is subject to the core concept of the shared responsibility model. Now, let’s see have an overview of each one.

1. Infrastructure as a Service (IaaS)

Cloud providers – Amazon AWS, Microsoft Azure, and Google (GCP) are responsible for storage and services. It also includes infrastructure-level components such as disks, networks, and virtualization layers.

Moreover, the vendor must provide security for the physical data centers. As the user, you are responsible for OS security and the required tech stack to run applications and data.

2. Platform as a Service (PaaS)

PaaS classifies as a platform delivery model. You can purchase and use it for developing, running, and managing applications. In this, the vendor’s role is to provide the hardware and software.

Unlike IaaS, in PaaS, the vendor has to extend responsibility toward operating systems and applications.

3. Software as a Service (SaaS)

SaaS classifies as a software delivery model. Only in this particular model, the vendor is responsible for providing security for every aspect. This includes the underlying infrastructure.

However, as the user, you still bear the responsibility of protecting login credentials. To clarify, the vendor is not responsible if you click a malicious link (phishing) or leak out your credentials to someone (social engineering attacks).

Benefits of the Shared Responsibility Model

Regardless of the complexity and careful considerations required, the shared responsibility model benefits the consumers in multiple ways. The main three benefits of the shared responsibility model are:

1. Maximized Protection

A cloud service provider is always hyper-focused on cloud security. This is the core of their business as consumers need someone to trust. Therefore, they dedicate an incredible amount of resources to ensure that their customers continue to use the platform.

Part of the service agreement with Amazon AWS, Microsoft Azure, and Google (GCP) includes – monitoring, testing, and timely updates.

2. Experts Handling Security

It’s quite obvious that Amazon AWS, Microsoft Azure, and Google (GCP) have higher knowledge and expertise when it comes to security in the cloud. Engaging with a renowned partner lets you benefit from all their experience, assets, and resources.

3. Greater Efficiency

Since almost everything is being taken care of by your vendor. You can free up some IT staff and focus on other tasks. This will help you free up some investments and headcount. As a result, you can greatly improve efficiency.

However, don’t forget, as aforementioned you still bear some responsibility. 

Shared Responsibility Model Examples: AWS, Microsoft Azure, and GCP

The common rule for shared responsibility is – if you own it or can touch it, you are responsible for it. This would imply that the vendor is responsible for everything, including the software and services. On the contrary, when you use the cloud platform to create something, you own it. Looking at it this way makes a lot of sense now.

It is also important to know that the shared responsibility model may also vary based on the vendor. Here are some examples of the top three cloud service providers:

1. Amazon Web Services (AWS)


AWS is by far at the peak of IaaS providers. They explain the shared responsibility model as users being responsible for cloud security. This includes their data. On the other hand, AWS is only responsible for the security of compute, storage, and networks that support their public cloud.

2. Microsoft Azure

Similar to AWS, Microsoft Azure also states that user data and identities belong to the consumers. Therefore, consumers are responsible for the security of their own data and identities. This also includes on-premises resources and cloud components controlled by them.

3. Google Cloud Platform (GCP)


Finally, Google stands with the notion but normally divides the responsibility categories. This makes things a lot clearer for the consumer. For instance, access policies, deployment, web app security, usage, content, operations, identity, network security, networking, audit logging, access and authentication, storage, and encryption.

You may check on the cloud provider’s website and read different wordings. However, you must understand that the details of the shared responsibility models are applicable to all vendors.

Takeaway – Shared Responsibility Model

After everything is said and done, the shared responsibility model is basically the distribution of responsibilities between the cloud service provider and the consumer. These essentially include only security-related aspects of the cloud.

There are three main cloud service models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The security responsibility varies for each one. The most leverage you can get in terms of security is by using SaaS. However, you are responsible for anything you build on the cloud.

To clarify, the cloud service providers will ensure no one can access the physical data centers. In addition, they also ensure the health and functionality of the resources and hardware you use. Anything that you “own” will be your responsibility.

In a nutshell, the shared responsibility model takes a lot off your shoulders but you still bear a minor amount of responsibility.