CAN YOU PROVIDE MORE INFORMATION ON THE SHARED RESPONSIBILITY MODEL IN CLOUD SECURITY

The shared responsibility model is a core concept in cloud security that outlines the division of responsibilities between cloud service providers and their customers. At a high level, this model suggests that cloud providers are responsible for security “of” the cloud, while customers are responsible for security “in” the cloud. The details of this model vary depending on the cloud service model and deployment model being used.

Infrastructure as a Service (IaaS) is considered the cloud service model where customers have the most responsibility. With IaaS, the cloud provider is responsible for securing the physical and environmental infrastructure that runs the virtualized computing resources such as servers, storage, and networking. This includes the physical security of data centers; protection of server, storage, and network devices; and continuous monitoring and vulnerability management of the hypervisor and operating systems.

The customer takes responsibility for everything abstracted above the hypervisor, including guest operating systems, network configuration and firewall rules, encryption of data, security patching, and identity and access management controls for their virtual servers and applications. Customers are also responsible for any data stored on their virtual disks or uploaded into object storage services. Data security while in transit also lies with the customer in most IaaS models.

Platform as a Service (PaaS) splits responsibilities differently, as the provider now takes care of more layers, including the OS and underlying infrastructure. With PaaS, the provider secures the operating system, hardware, storage and networking components. Customers are now responsible for securing their applications, data and identity controls, and for vulnerability management, penetration testing and configuration reviews of their applications. Responsibility for patching the runtime environment remains with the provider in most cases.

With Software as a Service (SaaS), the provider takes on the most responsibility, securing the entire stack from the network and infrastructure to the operating system, software, application security controls and identity access management. Customers only bear responsibility for their data within the application and user access controls. Security of the application itself is entirely handled by the provider.

The deployment model being used along with the service model further refines the split of duties. Public cloud has the most clearly defined split where the provider and customer are distinct entities. Private cloud shifts some responsibilities to the cloud customer as they have greater administrative access. Hybrid and multi-cloud complicate assignments as workloads can span different providers and deployment types.
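
For an estate that spans several providers and service models, the split described above can be checked mechanically. The following is an added example, not part of the original article: it encodes the customer-side duties the text lists for IaaS, PaaS and SaaS and reports controls that nobody on the customer side owns, plus controls a team has claimed that fall outside the customer's side for that model. The control labels, workload names, provider names and team names are constructed for illustration.

```python
# Customer-owned controls per service model, following the split in the text.
# Control names are labels chosen for this example, not a provider's taxonomy.
CUSTOMER_OWNS = {
    "iaas": {"guest_os", "network_config", "security_patching", "application",
             "identity_access", "data_encryption", "data"},
    "paas": {"application", "identity_access", "vulnerability_management", "data"},
    "saas": {"user_access", "data"},
}

def responsibility_gaps(inventory):
    """Return (unowned, misassigned) findings for a workload inventory.

    unowned: customer-side controls with no named owner.
    misassigned: claimed controls outside the customer set for that model,
    a sign the split is misunderstood for that workload.
    """
    unowned, misassigned = [], []
    for w in inventory:
        model = w["model"].lower()
        if model not in CUSTOMER_OWNS:
            raise ValueError(f"unknown service model for {w['name']}: {w['model']}")
        required = CUSTOMER_OWNS[model]
        # An empty team name counts as "no owner".
        owners = {c for c, team in w.get("owners", {}).items() if team}
        unowned += [(w["name"], c) for c in sorted(required - owners)]
        misassigned += [(w["name"], c) for c in sorted(owners - required)]
    return unowned, misassigned

# Constructed sample inventory spanning two providers (multi-cloud).
SAMPLE_INVENTORY = [
    {"name": "billing-vm", "provider": "provider-a", "model": "IaaS",
     "owners": {"guest_os": "platform", "network_config": "netsec",
                "security_patching": "platform", "application": "billing",
                "identity_access": "iam", "data": "billing",
                "hypervisor": "platform"}},
    {"name": "orders-api", "provider": "provider-b", "model": "PaaS",
     "owners": {"application": "orders", "identity_access": "iam",
                "vulnerability_management": "", "data": "orders"}},
    {"name": "crm", "provider": "provider-b", "model": "SaaS",
     "owners": {"user_access": "iam", "data": "sales"}},
]

if __name__ == "__main__":
    unowned, misassigned = responsibility_gaps(SAMPLE_INVENTORY)
    for name, control in unowned:
        print(f"UNOWNED      {name}: {control}")
    for name, control in misassigned:
        print(f"NOT CUSTOMER {name}: {control}")
```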

Some key responsibilities that typically fall under cloud providers across models include secure host environment configuration; infrastructure vulnerability management; system health and performance monitoring; logging and auditing access to networks, systems and applications; disaster recovery and business continuity; physical security of data centers; hardware maintenance and patching of system software.

Customers usually take the lead in areas like encryption of data-at-rest and data-in-transit; authentication and authorization infrastructure for users, applications and services; vulnerability management of their workload software like databases and frameworks; configuration management and security hardening of virtual machines; adherence to security compliance regulations applicable to their industry and data classification levels; managing application access controls, input validation and privileges; and incident response in coordination with providers.

Sharing responsibility effectively requires close cooperation and transparency between providers and customers. Customers need insights into provider security controls and oversight for assurance. Likewise, providers need informed participation from customers to secure workloads effectively and remediate issues in a shared environment. Security responsibilities are never completely transferred, but cooperation to secure respective domains enables stronger security for both parties in the cloud.

The takeaway is that the shared responsibility model allocates security duties in a clear but dynamic manner based on factors like the deployment model, the service model and, in some cases, the operating model. It provides an overarching framework for defining security accountabilities but requires collaboration across the whole stack to achieve security in the cloud holistically.
