
Chapter 2 — Shared Responsibility Model

PART I — FOUNDATIONS OF CLOUD SECURITY

Cloud providers are responsible for the security of the cloud:

Physical layer:

  • Data center security: Physical access controls, surveillance, guards
  • Environmental controls: Power redundancy, cooling systems, fire suppression
  • Network infrastructure: Fiber optic cables, routers, switches
  • Hardware maintenance: Server replacement, component upgrades

Virtualization layer:

  • Hypervisor security: Isolation between tenant environments
  • Storage virtualization: Multi-tenant storage systems
  • Network virtualization: Software-defined networking components
  • Compute virtualization: VM isolation and resource allocation

Global platform:

  • Global infrastructure: Region and availability zone design
  • Edge locations: Content delivery networks, edge computing
  • Service mesh: Security of the provider's own internal service-to-service communication (a mesh you deploy on your own cluster is yours to configure)
  • Platform hardening: Secure default configurations for the services the provider ships

Service Type                   | Provider Responsibility              | Customer Responsibility
IaaS (EC2, VMs)                | Physical infrastructure, hypervisor  | OS, applications, data, network
PaaS (RDS, Lambda)             | Physical + runtime platform          | Data, application code, access
SaaS (Office 365, Salesforce)  | Full stack                           | User access, data classification

Visualizing Responsibility Shifts:

graph TD
    %% Define Classes for Styling
    classDef customer fill:#d1fae5,stroke:#059669,stroke-width:2px,color:#065f46
    classDef provider fill:#dbeafe,stroke:#2563eb,stroke-width:2px,color:#1e40af
    classDef shared fill:#fce7f3,stroke:#db2777,stroke-width:2px,color:#9d174d

    subgraph OnPrem [On-Premises]
        direction TB
        OP_Data[Data & Content]:::customer
        OP_App[Applications]:::customer
        OP_Runtime[Runtime]:::customer
        OP_OS[Operating System]:::customer
        OP_Phys[Physical Infra]:::customer
    end

    subgraph IaaS [Infrastructure as a Service]
        direction TB
        IaaS_Data[Data & Content]:::customer
        IaaS_App[Applications]:::customer
        IaaS_Runtime[Runtime]:::customer
        IaaS_OS[Operating System]:::customer
        IaaS_Phys[Physical Infra]:::provider
    end

    subgraph PaaS [Platform as a Service]
        direction TB
        PaaS_Data[Data & Content]:::customer
        PaaS_App[Applications]:::customer
        PaaS_Runtime[Runtime]:::shared
        PaaS_OS[Operating System]:::provider
        PaaS_Phys[Physical Infra]:::provider
    end

    subgraph SaaS [Software as a Service]
        direction TB
        SaaS_Data[Data & Content]:::customer
        SaaS_App[Applications]:::provider
        SaaS_Runtime[Runtime]:::provider
        SaaS_OS[Operating System]:::provider
        SaaS_Phys[Physical Infra]:::provider
    end

    %% Stylized Links
    OP_Data ~~~ IaaS_Data ~~~ PaaS_Data ~~~ SaaS_Data

    %% Subgraph Styling
    style OnPrem fill:#111827,stroke:#374151,stroke-width:2px,rx:5,ry:5
    style IaaS fill:#1f293b,stroke:#475569,stroke-width:2px,rx:5,ry:5
    style PaaS fill:#1f293b,stroke:#475569,stroke-width:2px,rx:5,ry:5
    style SaaS fill:#1f293b,stroke:#475569,stroke-width:2px,rx:5,ry:5

Customers are responsible for security in the cloud:

Identity and access management:

  • User authentication: Password policies, MFA configuration
  • Authorization: IAM policies, role assignments
  • Service identities: Service accounts, managed identities
  • Access reviews: Regular permission audits

Data protection:

  • Data classification: Sensitivity labeling and handling
  • Encryption at rest: Customer-managed keys, key rotation
  • Encryption in transit: TLS configuration, certificate management, post-quantum key exchange where the provider's endpoints offer it
  • Data lifecycle: Retention policies, secure deletion

Application security:

  • Secure coding practices: Input validation, output encoding
  • Dependency management: Vulnerability scanning, patch management
  • API security: Authentication, authorization, rate limiting
  • Runtime protection: WAF, RASP, application monitoring

Network controls:

  • VPC configuration: Subnet design, routing tables
  • Security groups/firewalls: Network access controls
  • Network segmentation: Application tier isolation
  • Connectivity: VPN, Direct Connect, peering configuration

Logging and monitoring:

  • Audit logging: CloudTrail, Azure Activity Log, application audit trails
  • Security monitoring: Threat detection, anomaly detection
  • Log analysis: SIEM integration, correlation rules
  • Metrics and alerting: Performance and security KPIs

Governance and compliance:

  • Policy implementation: Organizational security policies
  • Compliance frameworks: SOC 2, ISO 27001, PCI DSS, HIPAA
  • Risk management: Risk assessments, treatment plans
  • Documentation: Architecture diagrams, runbooks, procedures

A common misconception: “If we move to the cloud, security is handled for us.”

This dangerous assumption leads to:

  • Neglected IAM configurations
  • Unsecured application deployments
  • Missing monitoring and logging
  • Inadequate incident response planning

Shared responsibility varies by service type:

Scenario             | Misunderstanding                 | Reality
Managed databases    | "AWS handles all security"       | You secure data, access, network exposure, backups
Serverless functions | "No servers means no security"   | You secure code, dependencies, permissions, data
Kubernetes clusters  | "GKE handles everything"         | You secure node configuration, workloads and pods, RBAC, network policy
SaaS applications    | "Vendor handles compliance"      | You handle user access, data classification
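The first two rows are the ones most often misread in practice: the provider runs the RDS engine host and the Lambda runtime, but the settings that decide whether the database is exposed, encrypted and recoverable, and what the function's role is allowed to do, are the customer's. As an added example (not code from this chapter, and it makes no AWS calls), the Python below runs those customer-side checks over a constructed rds:DescribeDBInstances response and a constructed Lambda execution-role policy. The instance names, bucket name and KMS key ARN are hypothetical; the field names match the AWS API shapes.

```python
"""Shared-responsibility spot check: a managed database plus a function's role policy.

Added example, not the chapter's own code.  Inputs are constructed inline and
mirror the field names of rds:DescribeDBInstances and an IAM policy document;
nothing here talks to AWS.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: two hypothetical instances, one misconfigured, one hardened.
RDS_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "PubliclyAccessible": True,            # reachable from the internet
            "StorageEncrypted": False,             # no encryption at rest
            "BackupRetentionPeriod": 0,            # automated backups disabled
            "DeletionProtection": False,
            "IAMDatabaseAuthenticationEnabled": False,
        },
        {
            "DBInstanceIdentifier": "orders-prod-hardened",
            "PubliclyAccessible": False,
            "StorageEncrypted": True,
            # hypothetical customer-managed key ARN
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "BackupRetentionPeriod": 14,
            "DeletionProtection": True,
            "IAMDatabaseAuthenticationEnabled": True,
        },
    ]
}

# Constructed sample: execution-role policy of a hypothetical Lambda function.
LAMBDA_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::orders-bucket/*"}
  ]
}
""")


def _as_list(value: Any) -> list[Any]:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_rds_instance(instance: dict[str, Any]) -> list[str]:
    """Return one finding per customer-side setting left at an unsafe value."""
    name = instance.get("DBInstanceIdentifier", "<unknown>")
    findings: list[str] = []
    if instance.get("PubliclyAccessible"):
        findings.append(f"{name}: PubliclyAccessible=true; move to private subnets")
    if not instance.get("StorageEncrypted"):
        findings.append(f"{name}: StorageEncrypted=false; enable encryption at rest")
    if instance.get("BackupRetentionPeriod", 0) < 7:
        findings.append(f"{name}: BackupRetentionPeriod<7; automated backups off or too short")
    if not instance.get("DeletionProtection"):
        findings.append(f"{name}: DeletionProtection=false")
    if not instance.get("IAMDatabaseAuthenticationEnabled"):
        findings.append(f"{name}: IAM database authentication disabled; static passwords only")
    return findings


def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Flag Allow statements granting wildcard actions, or any resource with no Condition."""
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction allows everything not listed")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f"statement {i}: Resource='*' with no Condition")
    return findings


def run_audit(rds_output: dict[str, Any], policy: dict[str, Any]) -> dict[str, list[str]]:
    """Map each resource to its findings; an empty list means every check passed."""
    report = {inst["DBInstanceIdentifier"]: audit_rds_instance(inst)
              for inst in rds_output.get("DBInstances", [])}
    report["lambda-execution-role-policy"] = audit_policy(policy)
    return report


if __name__ == "__main__":
    for resource, findings in run_audit(RDS_DESCRIBE_OUTPUT, LAMBDA_ROLE_POLICY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{resource}: {status}")
        for finding in findings:
            print("  -", finding)
```

Against the constructed input the misconfigured instance produces five findings and the hardened one none; the role policy is flagged twice for its first statement (wildcard action and unconditioned `Resource: "*"`) and not at all for the scoped `s3:GetObject` grant. In a real account the same functions would be fed the output of `describe_db_instances` and `get_policy_version`; the provider exposes every one of these settings, but none of them is safe by default on the customer's behalf.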

Often-overlooked customer responsibilities:

  • Service mesh configuration: Istio, Linkerd policies
  • Container registry security: Image scanning, access controls
  • Secrets management: Parameter Store, Key Vault usage
  • Backup verification: Restore testing, retention policies
  • Cost allocation: Security spend tracking, optimization

The provider secures the platform — you secure what you build on it.

This perspective leads to:

  • Clear ownership boundaries
  • Proper security investments
  • Effective compliance programs
  • Successful cloud adoption

Use these questions, in order, to work out who owns a control:

  1. Is it physical infrastructure? → Provider
  2. Is it the cloud service itself (its code, patching, tenant isolation)? → Provider
  3. Is it how you configure or use the service? → Customer
  4. Is it data you put in the service? → Customer
  5. Is it who can access the service? → Customer
  6. Is it a control the provider supplies but you must enable (encryption, logging, MFA)? → Shared: the provider supplies it, you turn it on and verify it

Domain                  | Primary Owner | Shared Responsibilities
Physical Security       | Provider      | Physical access reporting
Network Infrastructure  | Provider      | Network configuration
Identity Management     | Customer      | Identity federation
Data Encryption         | Customer      | Key management with provider
Application Security    | Customer      | Runtime protection with provider
Compliance              | Customer      | Provider certification support

Understanding these boundaries is crucial for building a comprehensive cloud security program.