What the cloud shared responsibility model requires of you

The shared responsibility model is an integral part of managing any cloud infrastructure. Review your cloud deployment today to ensure your business fulfills its responsibilities.

Cloud services create many new challenges for system and network administration, as well as cybersecurity. Managing and securing distributed data and processes is far more complex than managing on-premises network environments with strict boundaries and complete control of resources.

These new challenges led to the cloud shared responsibility model. Under this framework, service providers and customers maintain two separate facets of cloud management and security. While cloud service providers (CSPs) provide the services and security of the cloud, customers retain management within the cloud. The model differentiates the responsibilities for specific aspects of cloud administration.

Let's explore the shared responsibility model, including its advantages and disadvantages. We'll also review examples of responsibilities, documents and different approaches by the major CSPs.

The shared responsibility model

The cloud shared responsibility model -- sometimes called the shared security model -- divides responsibilities between the customer and CSP. This clear delineation covers all aspects of configuration, security and maintenance, reducing risks and improving an organization's overall availability and security.

The shared responsibility model emerged from the growth of the cloud computing industry and became standard practice by about 2010. AWS was one of the first major cloud service providers to clearly define the responsibilities, especially with the growth of IaaS.

Let's start by looking at the shared responsibilities between CSPs and their customers. Customer responsibilities include the following:

  • Identity and access management.
  • Data protection, which includes backups, encryption and access controls.
  • Application security and patching.
  • Cloud resource configuration for VMs, containers, web apps and virtual networks.
  • Endpoint and network access security.

The customer is responsible for access to the data in the cloud, which pertains to user account management, permissions, backups, resource configuration and application management. It also encompasses the user systems and networks that access data in the cloud.

Cloud provider responsibilities include the following:

  • Physical security and availability of data centers.
  • Hardware, network and infrastructure supporting cloud services, including patching.
  • Virtualization layers.
  • Data centers and infrastructure where customer resources reside.

Some organizations outsource cloud computing support and administration to third-party providers or even the primary CSPs. In those cases, the providers manage some or all customer responsibilities.

Responsibilities also vary by service type, with cloud providers taking on more management tasks in SaaS deployments while customers do more with IaaS services.

Figure: Breakdown of the cloud shared responsibility model. Use this guide to understand consumer and provider responsibilities under the shared responsibility model for the three main cloud service models.

CSP responsibilities

The specific responsibilities of the CSP vary depending on the service model. Here are the general aspects CSPs manage:

SaaS

For SaaS, the CSP retains responsibility for the entire supporting application infrastructure, including hardware, OS and the application itself. With Windows 365, for example, Microsoft maintains the data centers and systems. Microsoft also upgrades and patches the applications that make up the service.

PaaS

PaaS models are similar, though application configuration and management are customer responsibilities. The CSP retains control of the infrastructure and OS.

IaaS

In IaaS deployments, the CSP manages the hardware and virtualization layers, including drivers, device failures, device capabilities and virtualization software or container engines. These functions remain hidden from the cloud customer.

Cloud customer responsibilities

Organizational responsibilities also vary by service model.

Generally, anything not covered by the CSP's responsibilities falls to the customer's own cloud management staff, as follows:

SaaS

Customers relying on SaaS services must carefully monitor subscriptions and application access. These customers can also develop specific application customizations. Continuing the example of Windows 365 from above, customers maintain control over which employees access services.

PaaS

Developers, database administrators and other users who need PaaS access retain control over the data generated by the platform. The business also retains access control, ensuring only authorized employees can use the PaaS service.

IaaS

A business's IT staff controls the VMs making up the IaaS platform. Administrators define VMs, install OSes, build networking solutions and create any custom configurations. Note that this team is also responsible for OS and application patching. The business also retains control of data production at this level.

Keep in mind that IT staff might need to develop cloud-specific skills to handle the responsibilities because they differ from on-premises deployments. Hybrid and multi-cloud deployments vary even further. Engaging third-party and cloud service providers' technical services helps with these tasks.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.
