Chapter 2 — Shared Responsibility Model
2.1 What Cloud Providers Secure
Cloud providers are responsible for the security of the cloud:
Physical Infrastructure
- Data center security: Physical access controls, surveillance, guards
- Environmental controls: Power redundancy, cooling systems, fire suppression
- Network infrastructure: Fiber optic cables, routers, switches
- Hardware maintenance: Server replacement, component upgrades
Virtualization Layer
- Hypervisor security: Isolation between tenant environments
- Storage virtualization: Multi-tenant storage systems
- Network virtualization: Software-defined networking components
- Compute virtualization: VM isolation and resource allocation
Platform Services
- Global infrastructure: Region and availability zone design
- Edge locations: Content delivery networks, edge computing
- Service mesh: Internal service communication security
- Platform hardening: Default secure configurations
Provider Responsibilities by Service Type
| Service Type | Provider Responsibility | Customer Responsibility |
|---|---|---|
| IaaS (EC2, VMs) | Physical infrastructure, hypervisor | Guest OS patching, applications, data, network configuration |
| PaaS (RDS, Lambda) | Physical infrastructure + runtime platform (engine and runtime patching) | Data, application code, IAM and network access, service configuration |
| SaaS (Office 365, Salesforce) | Full stack | User access, data classification, tenant configuration |
2.2 What You Must Secure
Customers are responsible for security in the cloud:
Identity and Access Management
- User authentication: Password policies, MFA configuration
- Authorization: IAM policies, role assignments
- Service identities: Service accounts, managed identities
- Access reviews: Regular permission audits
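The IAM responsibilities above are the ones the provider cannot take off your hands: it will happily evaluate a policy that says `Action: "*"` on `Resource: "*"`. The linter below is an added example for this chapter, not code from the original page or from any cloud provider. It walks an IAM identity policy document and flags the classic customer-side mistakes (admin wildcards, service-wide wildcards on all resources, privileged actions not gated on `aws:MultiFactorAuthPresent`). The two policy documents are constructed samples; the account ID, bucket and role names are placeholders.

```python
"""Lint IAM policy documents for customer-side mistakes the provider will not catch.

Added example for this chapter, not code from the original page or from any
cloud provider. The two policy documents are constructed samples; the account
ID, bucket and role names are placeholders.
"""


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement is conditioned on aws:MultiFactorAuthPresent == true."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(value).lower() == "true":
            return True
    return False


# Services whose actions change who can do what; these should be MFA-gated.
PRIVILEGED_SERVICES = {"iam", "sts", "organizations", "kms"}


def lint_policy(policy):
    """Return a list of human-readable findings for one identity policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotAction/NotResource grants everything not listed")
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: Action '*' on Resource '*' is full administrator access")
        service_wildcards = [a for a in actions if a.endswith(":*")]
        if service_wildcards and "*" in resources:
            findings.append(f"{sid}: service-wide wildcard {service_wildcards} on every resource")
        privileged = [a for a in actions if a == "*" or a.split(":")[0] in PRIVILEGED_SERVICES]
        if privileged and not _requires_mfa(stmt):
            findings.append(f"{sid}: privileged actions {privileged} allowed without an MFA condition")
    return findings


# Constructed sample: the "just make it work" policy that too often ships to production.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed sample: least-privilege read access plus an MFA-gated role assumption,
# with a Deny that blocks everything else unless MFA is present.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        },
        {
            "Sid": "AssumeAuditorWithMFA",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789012:role/Auditor",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "NotAction": ["iam:GetUser", "iam:ListMFADevices", "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {lint_policy(policy) or 'no findings'}")
```

Note that the Deny statement in the hardened policy uses `NotAction` deliberately: a Deny with `NotAction` is the standard way to say "nothing except enrolling an MFA device until MFA is present", which is why the linter only complains about `NotAction` in Allow statements.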
Data Protection
- Data classification: Sensitivity labeling and handling
- Encryption at rest: Customer-managed keys, key rotation
- Encryption in transit: TLS configuration, certificate management, adoption of post-quantum key exchange where the provider offers it
- Data lifecycle: Retention policies, secure deletion
Application Security
- Secure coding practices: Input validation, output encoding
- Dependency management: Vulnerability scanning, patch management
- API security: Authentication, authorization, rate limiting
- Runtime protection: WAF, RASP, application monitoring
Network Security
- VPC configuration: Subnet design, routing tables
- Security groups/firewalls: Network access controls
- Network segmentation: Application tier isolation
- Connectivity: VPN, Direct Connect, peering configuration
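Security groups are the clearest case of the provider building the control and the customer owning its content. The checker below is an added example for this chapter, not code from the original page or from AWS. It reads the shape of `aws ec2 describe-security-groups` output and flags ingress rules that expose administrative or database ports to `0.0.0.0/0` or `::/0`, treating protocol `-1` (all traffic) as every port. The two groups are constructed samples with placeholder IDs.

```python
"""Check security groups for ingress that exposes administrative or database
ports to the whole internet, using the shape of `aws ec2 describe-security-groups`
output. Added example for this chapter, not code from the original page or from
AWS; the groups below are constructed samples with placeholder IDs.
"""

# Ports that should never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https",
    3306: "mysql", 5432: "postgres", 1433: "mssql", 6379: "redis", 27017: "mongodb",
}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _world_sources(permission):
    """CIDRs in one IpPermissions entry that mean 'any address', in v4 or v6."""
    v4 = [r["CidrIp"] for r in permission.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
    v6 = [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
    return v4 + v6


def _exposed_ports(permission):
    """Sensitive ports one IpPermissions entry reaches. Protocol -1 means all traffic."""
    if permission.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    if permission.get("IpProtocol") not in ("tcp", "udp"):
        return []
    low, high = permission.get("FromPort", 0), permission.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if low <= p <= high]


def audit_security_group(group):
    """Return findings for one SecurityGroup dict from describe-security-groups."""
    findings = []
    gid = group.get("GroupId", group.get("GroupName", "<unknown>"))
    for permission in group.get("IpPermissions", []):
        sources = _world_sources(permission)
        if not sources:
            continue  # scoped to specific CIDRs or other security groups
        for port in _exposed_ports(permission):
            findings.append(f"{gid}: {SENSITIVE_PORTS[port]} ({port}) open to {', '.join(sources)}")
    return findings


def audit_security_groups(output):
    """Audit every group in a describe-security-groups response, keyed by GroupId."""
    return {g["GroupId"]: audit_security_group(g) for g in output.get("SecurityGroups", [])}


# Constructed sample: one group built in a hurry, one built for a web tier.
SAMPLE_DESCRIBE_OUTPUT = {"SecurityGroups": [
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "quick-start",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
]}

if __name__ == "__main__":
    for gid, findings in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT).items():
        print(gid, findings or "no findings")
```

The web-tier group is left alone on purpose: HTTPS from anywhere is what a public web tier is for, and SSH restricted to a private range is fine. The point is that the provider enforces whatever rule set you give it, so the rule set itself is what you must review.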
Monitoring and Logging
- Audit logging: AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs
- Security monitoring: Threat detection, anomaly detection
- Log analysis: SIEM integration, correlation rules
- Metrics and alerting: Performance and security KPIs
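The provider records the API calls; deciding which of them matter is the customer's job. The detection logic below is an added example for this chapter, not code from the original page or from AWS. It runs four rules over CloudTrail records (root account activity, a successful console login without MFA, calls that tamper with CloudTrail itself, and a security group opened to the internet) and returns one finding per hit. The records are constructed samples in the CloudTrail JSON shape, with only the fields the rules consult; the account ID, ARNs and IP addresses are placeholders.

```python
"""Run simple detection rules over CloudTrail records, as the customer side of
the monitoring responsibility. Added example for this chapter, not code from the
original page or from AWS. The records below are constructed samples in the
CloudTrail JSON shape; the account ID, ARNs and IP addresses are placeholders.
"""
import json

# CloudTrail API calls that blind the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _contains_value(obj, needle):
    """Recursively search a nested dict/list for an exact string value."""
    if isinstance(obj, dict):
        return any(_contains_value(v, needle) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains_value(v, needle) for v in obj)
    return obj == needle


def evaluate(record):
    """Return the rule names one CloudTrail record triggers."""
    hits = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName")
    params = record.get("requestParameters", {})

    if identity.get("type") == "Root":
        hits.append("root_account_activity")
    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        hits.append("console_login_without_mfa")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        hits.append("cloudtrail_tampering")
    if name == "AuthorizeSecurityGroupIngress" and (
            _contains_value(params, "0.0.0.0/0") or _contains_value(params, "::/0")):
        hits.append("security_group_opened_to_internet")
    return hits


def detect(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) and return one finding per rule hit."""
    findings = []
    for record in json.loads(log_text)["Records"]:
        for rule in evaluate(record):
            findings.append({
                "rule": rule,
                "time": record.get("eventTime"),
                "event": record.get("eventName"),
                "actor": record.get("userIdentity", {}).get("arn"),
                "source_ip": record.get("sourceIPAddress"),
            })
    return findings


# Constructed sample log; only the fields the rules consult are included.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci"}},
]})

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The `_contains_value` search is deliberately structure-agnostic: CloudTrail nests `requestParameters` differently per API, and a rule that hard-codes one path silently stops firing when the shape changes. In a real pipeline these findings would be forwarded to the SIEM rather than printed.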
Compliance and Governance
- Policy implementation: Organizational security policies
- Compliance frameworks: SOC 2, ISO 27001, PCI DSS, HIPAA
- Risk management: Risk assessments, treatment plans
- Documentation: Architecture diagrams, runbooks, procedures
2.3 Why Misunderstandings Happen
Common Misconceptions
“If we move to the cloud, security is handled for us.”
This dangerous assumption leads to:
- Neglected IAM configurations
- Unsecured application deployments
- Missing monitoring and logging
- Inadequate incident response planning
The Complexity Problem
Shared responsibility varies by service type:
| Scenario | Misunderstanding | Reality |
|---|---|---|
| Managed databases | “AWS handles all security” | You secure data, credentials and IAM access, network exposure, encryption settings and backup retention |
| Serverless functions | “No servers means no security” | You secure function code and dependencies, execution-role permissions and the data it processes |
| Kubernetes clusters | “GKE handles everything” | GKE runs the control plane; you secure workloads, RBAC, network policies and (in Standard mode) node configuration |
| SaaS applications | “Vendor handles compliance” | You handle user access, data classification |
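The managed-database row is worth making concrete, because every item in its "Reality" column is a setting that exists in the provider's own API output. The audit below is an added example for this chapter, not code from the original page or from AWS. It reads the shape of `aws rds describe-db-instances` output and reports the customer-controlled knobs (public accessibility, storage encryption, backup retention, deletion protection, minor version upgrades, IAM database authentication) that AWS will leave exactly as you set them. The two instances are constructed samples; the KMS key ARN, account ID and security group IDs are placeholders.

```python
"""Audit customer-controlled settings on a managed database, using the shape of
`aws rds describe-db-instances` output. Added example for this chapter, not code
from the original page or from AWS. The two instances are constructed samples;
the KMS key ARN, account ID and security group IDs are placeholders.

AWS patches the engine, replaces failed hosts and runs the storage; every field
checked here is a knob the customer sets and therefore the customer's risk.
"""


def audit_db_instance(db):
    """Return findings for one DBInstance dict from describe-db-instances."""
    name = db.get("DBInstanceIdentifier", "<unknown>")
    retention = db.get("BackupRetentionPeriod", 0)
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append(f"{name}: PubliclyAccessible is true; the endpoint resolves to a public IP "
                        f"and only the security group stands between it and the internet")
    if not db.get("StorageEncrypted"):
        findings.append(f"{name}: storage is not encrypted; snapshots and read replicas inherit this")
    if retention < 7:
        findings.append(f"{name}: BackupRetentionPeriod is {retention} days "
                        f"(0 disables automated backups and point-in-time recovery)")
    if not db.get("DeletionProtection"):
        findings.append(f"{name}: DeletionProtection is off; one API call can drop the instance")
    if not db.get("AutoMinorVersionUpgrade"):
        findings.append(f"{name}: AutoMinorVersionUpgrade is off; engine security patches wait for you")
    if not db.get("IAMDatabaseAuthenticationEnabled"):
        findings.append(f"{name}: IAM database authentication is off; access relies on static passwords")
    return findings


def audit_db_instances(output):
    """Audit every instance in a describe-db-instances response, keyed by identifier."""
    return {db["DBInstanceIdentifier"]: audit_db_instance(db)
            for db in output.get("DBInstances", [])}


# Constructed sample: a quick-start instance with every default left as it came,
# next to one configured the way the "Reality" column demands.
SAMPLE_DESCRIBE_OUTPUT = {"DBInstances": [
    {
        "DBInstanceIdentifier": "orders-dev",
        "Engine": "postgres",
        "PubliclyAccessible": True,
        "StorageEncrypted": False,
        "BackupRetentionPeriod": 0,
        "DeletionProtection": False,
        "AutoMinorVersionUpgrade": False,
        "IAMDatabaseAuthenticationEnabled": False,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
    },
    {
        "DBInstanceIdentifier": "orders-prod",
        "Engine": "postgres",
        "PubliclyAccessible": False,
        "StorageEncrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        "BackupRetentionPeriod": 14,
        "DeletionProtection": True,
        "AutoMinorVersionUpgrade": True,
        "IAMDatabaseAuthenticationEnabled": True,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210", "Status": "active"}],
    },
]}

if __name__ == "__main__":
    for identifier, findings in audit_db_instances(SAMPLE_DESCRIBE_OUTPUT).items():
        print(identifier, findings or "no findings")
```

The seven-day retention threshold is a choice for this example, not an AWS requirement; set it from your own retention policy. Whether the security group referenced by the instance is itself sane is a separate check against the EC2 API.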
The Hidden Responsibilities
Often-overlooked customer responsibilities:
- Service mesh configuration: Istio, Linkerd policies
- Container registry security: Image scanning, access controls
- Secrets management: Parameter Store, Key Vault usage
- Backup verification: Restore testing, retention policies
- Cost allocation: Security spend tracking, optimization
A Better Mindset
The provider secures the platform — you secure what you build on it.
This perspective leads to:
- Clear ownership boundaries
- Proper security investments
- Effective compliance programs
- Successful cloud adoption
Decision Framework
Use this decision tree to determine responsibilities:
- Is it physical infrastructure? → Provider
- Is it the cloud service itself? → Provider
- Is it how you use the service? → Customer
- Is it data you put in the service? → Customer
- Is it who can access the service? → Customer
Accountability Matrix
| Domain | Primary Owner | Shared Responsibilities |
|---|---|---|
| Physical Security | Provider | Provider supplies attestation reports (e.g. SOC 2, ISO 27001) that the customer reviews |
| Network Infrastructure | Provider | Customer configures VPCs, routing and firewall rules on top of it |
| Identity Management | Customer | Identity federation with the provider's IAM |
| Data Encryption | Customer | Provider hosts the KMS; customer owns key policies and rotation |
| Application Security | Customer | Provider-managed WAF and runtime services, configured by the customer |
| Compliance | Customer | Provider certifications support the customer's own audit |
Understanding these boundaries is crucial for building a comprehensive cloud security program.