Understanding Cloud Responsibility
When a company operates its IT infrastructure on-premise, it owns the entire technology stack. Managing an on-premise system is resource-intensive, and any responsibility that is left unattended (patching, backups, access reviews, physical security) becomes a security gap.
Moving to a public cloud removes much of the overhead of running infrastructure on-premise. The cloud provider maintains and secures the underlying infrastructure, but it does not protect your data, identities, or configuration for you. This is where the Shared Responsibility Model comes in.
What is the Shared Responsibility Model?
Your cloud provider shares responsibility for securing your environment. They handle physical infrastructure, while you manage your data, access, and configuration settings.
Even with comprehensive cloud provider packages, businesses must secure their data, including account and access management. You can either buy directly from cloud providers (Microsoft Azure, AWS, Google Cloud) or work with a Cloud Service Provider (CSP) to manage additional responsibilities.
In this guide, we’ll explain what responsibilities fall under your cloud provider and what your business must manage to ensure a secure cloud environment.
What is a Cloud Provider?
A cloud provider offers IT infrastructure as a service over the internet. This includes:
Physical hosts
Networking infrastructure
Data centers
Cloud services are often provided on a pay-as-you-go model, and offerings fall into three categories:
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
What is a Cloud Service Provider (CSP)?
A Cloud Service Provider (CSP) is a third-party vendor offering cloud management services. CSPs can:
Build and manage cloud environments
Optimize security configurations
Provide managed IT services
In practice the term is used loosely: it can refer to the major cloud providers themselves (Microsoft, AWS, Google) or to Managed Service Providers (MSPs) that build and run cloud environments on a customer's behalf. In this guide, "cloud provider" means the platform owner and "CSP" or "MSP" means the third party that manages your use of it.
Key Components of Shared Responsibility
What is Shared Responsibility?
Cloud security is a shared duty between the provider and the client. The general rule:
Cloud providers secure the cloud infrastructure.
Clients secure their data and manage access controls.
An MSP or CSP can handle responsibilities not covered by your cloud provider, reducing your workload.
What Does “On-Premise” Mean?
An on-premise system is fully hosted and maintained by a company without outsourcing to a cloud provider.
Even if servers are stored in an external data center, the business is still responsible for all security and management.
Understanding Cloud Service Models
What is Infrastructure as a Service (IaaS)?
IaaS offers virtualized compute, storage, and networking while leaving most management responsibilities to the client.
Cloud provider secures the physical hardware, the data center, and the virtualization layer.
Client manages the guest operating system and its patching, network security (firewall rules, exposed ports), application controls, endpoint security, data, and identities.
What is Platform as a Service (PaaS)?
PaaS includes the IaaS benefits while offloading further management tasks to the provider.
Cloud provider manages the virtual machines, operating system, runtime, and network resources underneath the platform.
Client deploys and controls its applications and data, and manages identities and access to them.
What is Software as a Service (SaaS)?
SaaS is the most comprehensive cloud solution, but security responsibilities remain.
Cloud provider secures infrastructure, software, and applications.
Client must manage data, identity, and access controls.
Responsibilities Breakdown: Cloud Provider vs. Client
Cloud Provider Responsibilities
Cloud providers ensure the security of the cloud, including:
Infrastructure (physical security, hardware, networking)
Software and server maintenance
Identity features such as multi-factor authentication (the provider supplies the capability; the client must enable and enforce it)
Client Responsibilities
Clients are responsible for securing data within the cloud, including:
Data security (encryption, backup policies)
User access and authentication
Security configurations and monitoring (network rules, logging, alerting)
Key Security Responsibilities Under the Shared Model
Data Governance
Definition: Policies around data storage, classification, and access
Responsibility: Always client-managed
Under the shared responsibility model, data governance is always the responsibility of the client. SaaS suites such as Microsoft 365 and Google Workspace offer additional features that help enforce it (for example retention and data loss prevention controls), but deciding what data is stored, how it is classified, and who may access it remains the client's job.
Client Endpoints
Definition: Devices like laptops, smartphones, and desktops
Responsibility: Always client-managed, though MSPs can help secure them
Under the shared responsibility model, securing client endpoints is always the responsibility of the client, but an MSP can greatly assist in creating and implementing device security policies.
As employees continue to work remotely, endpoints become harder to secure: devices leave the corporate network, which expands the attack surface available to cybercriminals.
SaaS offerings such as Microsoft 365 can help here through device management in Microsoft Intune (device enrollment and compliance policies).
Account & Access Management
Definition: Managing user identities and permissions
Responsibility: Client-managed (shared in PaaS & SaaS models)
Under the shared responsibility model, account and access management are a shared responsibility in the case of PaaS and SaaS, but fully the responsibility of the client with IaaS and on-premise.
An MSP can help plan and implement account and access management using tools like Azure Active Directory (now Microsoft Entra ID), including MFA enforcement and least-privilege role assignments.
Application-Level Controls
Definition: Settings governing how applications function within the cloud
Responsibility: Client-managed (shared in PaaS, handled by cloud provider in SaaS)
Under the shared responsibility model, application-level controls are a shared responsibility in the case of PaaS, but fully the responsibility of the client with IaaS and on-premise.
With SaaS, the cloud provider takes full responsibility for application-level controls, as they handle all software in this case.
Not only can an MSP help monitor application-level controls to protect your current data, but they can also use intelligent monitoring to secure your backups.
Network Controls
Definition: Management of communication, load balancing, and virtual networks
Responsibility: Fully cloud provider-managed in SaaS, shared in PaaS, fully client-managed in IaaS
Network controls are fully the responsibility of the cloud provider in a SaaS setup, as they already have responsibility for the network infrastructure.
PaaS comes with shared responsibility, while IaaS places the responsibility solely on the client.
Host Infrastructure & Security
Definition: Management and configuration of platform services, computing, and storage
Responsibility: Fully cloud provider-managed in PaaS & SaaS, shared in IaaS
Under PaaS and SaaS plans, host infrastructure is fully the responsibility of the cloud provider. With IaaS, host infrastructure and its security are a shared responsibility between the client and the cloud provider: the provider runs the physical hosts and hypervisor, while the client must configure its own permissions, operating system patching, and network controls.
Physical Security
Definition: Protection of data centers and physical servers
Responsibility: Always cloud provider-managed unless using on-premise infrastructure
That means if a server is hosted on-premise, it is the responsibility of the business. In any case where a cloud provider is hired, they are fully responsible for the physical security of the infrastructure, even under the shared responsibility model.
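Pulling the client-side duties above together (data security, account and access management, network controls, and host configuration under IaaS), the following script is an added example, not code from the original article or from any cloud provider. It audits a small inventory of cloud resources against those duties. The inventory records and their field names are constructed for illustration and do not follow any real provider's API schema; a real implementation would populate them from the provider's inventory or configuration APIs.

```python
"""Client-side checks under the shared responsibility model (added example).

The INVENTORY below is CONSTRUCTED to look like an export from an IaaS/PaaS
account. Field names are hypothetical, not a real provider's schema.
"""
from dataclasses import dataclass

# Constructed inventory: the kind of data a client pulls from its own account.
INVENTORY = [
    {"type": "storage_bucket", "name": "customer-exports",
     "encryption_at_rest": False, "public_access_blocked": False,
     "access_logging": True, "versioning": False},
    {"type": "storage_bucket", "name": "app-backups",
     "encryption_at_rest": True, "public_access_blocked": True,
     "access_logging": True, "versioning": True},
    {"type": "vm", "name": "web-01", "os_patch_age_days": 92,
     "open_ports_from_internet": [22, 80, 443], "disk_encrypted": True},
    {"type": "vm", "name": "db-01", "os_patch_age_days": 10,
     "open_ports_from_internet": [], "disk_encrypted": False},
    {"type": "iam_user", "name": "alice", "console_access": True,
     "mfa_enabled": True, "policies": ["ReadOnly"]},
    {"type": "iam_user", "name": "deploy-bot", "console_access": True,
     "mfa_enabled": False, "policies": ["AdministratorAccess"]},
]

ADMIN_PORTS = {22, 3389}       # SSH and RDP should never face the internet
MAX_PATCH_AGE_DAYS = 30        # hypothetical patch SLA for IaaS guest OSes


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    responsibility: str   # which client duty from the article it maps to
    detail: str


def check_storage_bucket(r):
    out = []
    if not r["encryption_at_rest"]:
        out.append(Finding(r["name"], "bucket-unencrypted", "data security",
                           "encryption at rest is disabled"))
    if not r["public_access_blocked"]:
        out.append(Finding(r["name"], "bucket-public", "security configuration",
                           "public access is not blocked"))
    if not r["access_logging"]:
        out.append(Finding(r["name"], "bucket-no-logging", "monitoring",
                           "access logging is disabled"))
    if not r["versioning"]:
        out.append(Finding(r["name"], "bucket-no-versioning", "data security",
                           "no versioning: deletes/overwrites are unrecoverable"))
    return out


def check_vm(r):
    out = []
    exposed = ADMIN_PORTS & set(r["open_ports_from_internet"])
    if exposed:
        out.append(Finding(r["name"], "vm-admin-port-exposed", "network controls",
                           f"admin ports {sorted(exposed)} reachable from the internet"))
    if r["os_patch_age_days"] > MAX_PATCH_AGE_DAYS:
        out.append(Finding(r["name"], "vm-unpatched", "host patching (IaaS)",
                           f"guest OS last patched {r['os_patch_age_days']} days ago"))
    if not r["disk_encrypted"]:
        out.append(Finding(r["name"], "vm-disk-unencrypted", "data security",
                           "attached disk is not encrypted"))
    return out


def check_iam_user(r):
    out = []
    if r["console_access"] and not r["mfa_enabled"]:
        out.append(Finding(r["name"], "iam-no-mfa", "account and access management",
                           "console access without MFA"))
    if "AdministratorAccess" in r["policies"]:
        out.append(Finding(r["name"], "iam-admin-policy", "account and access management",
                           "broad administrative policy attached; apply least privilege"))
    return out


CHECKS = {"storage_bucket": check_storage_bucket,
          "vm": check_vm,
          "iam_user": check_iam_user}


def audit(inventory):
    """Run every applicable check; unknown resource types are skipped."""
    findings = []
    for r in inventory:
        check = CHECKS.get(r["type"])
        if check is not None:
            findings.extend(check(r))
    return findings


def summarize(findings):
    """Count findings per client responsibility area."""
    counts = {}
    for f in findings:
        counts[f.responsibility] = counts.get(f.responsibility, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"{f.resource:18} {f.rule:24} [{f.responsibility}] {f.detail}")
    print(summarize(results))
```

Every rule here checks something the provider will not fix on the client's behalf: the provider offers encryption, versioning, MFA, and firewall rules as capabilities, but leaves them switched off or wide open until the client configures them. Grouping findings by responsibility area makes it clear which part of the model each gap belongs to.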
Conclusion
Moving to the cloud provides cost savings and flexibility, but securing your data is still your responsibility.
As technology evolves and compliance requirements grow, businesses must stay proactive in securing their cloud environments.
If managing cloud security feels overwhelming, Next Perimeter can help. We provide cloud security, compliance, and management solutions to ensure your cloud remains secure while you focus on business growth.
Next Perimeter can take care of all your cloud maintenance while you focus on what matters most to your business. Schedule a consult with our Virtual CIO today, or give us a call at 888-286-4816.