Shared Responsibility Model

Natasha Ong

In a nutshell:

  • In the cloud, responsibilities are shared between the provider (Azure) and the user.
  • Responsibility distribution depends on the cloud service type (IaaS, PaaS, SaaS), with users having varying control over OS, network, and applications.
  • Users always manage data, devices, and access control, while Azure always handles physical infrastructure like data centres, networks, and hardware.

In the world of cloud computing, how do you know what you're responsible for? How would you know which tasks Azure is already taking care of for you?

For example, we've learnt that we won't need to worry about the operating system for some services (e.g. Azure Functions), but this doesn't apply to all of them (e.g. Azure Virtual Machines).

No stress! The Shared Responsibility Model is here to help us understand it. It uses the different cloud service types (IaaS, PaaS, SaaS) to break down exactly what you vs Azure should take care of.

The Shared Responsibility Model

In a traditional corporate data centre, the company takes care of everything:

  • Securing the storage space that holds all their on-premise servers
  • Maintaining and replacing their servers
  • Figuring out the infrastructure and network needed to keep the data centre working
  • Software updates

It's a lot to handle.

But when we enter the cloud, these responsibilities are shared between the cloud provider and the cloud user.

  • What is the cloud provider responsible for? Physical security, power, cooling, and network connectivity of the data centre.
  • What is the cloud user responsible for? Safeguarding the data and information stored in the cloud. Managing who has access to the data, ensuring only authorised people can see it.

Now, there are some grey areas that depend on the situation. For example, if you're using a cloud database, the cloud provider takes care of the database maintenance, while you're responsible for the data you put into it.

But if you set up a virtual machine and installed your own database on it, you take charge of database maintenance and the data within it.

Here's the cool part: the Shared Responsibility Model is closely linked to the types of cloud service you're using:

  1. Infrastructure as a Service (IaaS): This one puts more responsibility on you. The cloud provider handles the basics like physical security, power, and connections of the data centres (i.e. everything that's related to hardware), but you take care of the rest, like operating systems and applications.
  2. Platform as a Service (PaaS): Responsibility is evenly split between you and the provider. You handle some aspects, and they handle the others. What you handle depends on the specific PaaS service.
  3. Software as a Service (SaaS): Here, the provider takes on most of the responsibility. You focus on the data and who has access to it. The rest is their job.

This nifty diagram (kudos to Microsoft!) illustrates who's responsible for what, depending on the type of cloud service.

Diagram showing the responsibilities of the shared responsibility model.
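
To see the model applied, here is an added example (not from the original article or from Microsoft) that checks a workload inventory for customer-side layers nobody owns. The layer names, workloads and owners are constructed, and the PaaS split is reported as "verify per service" because it depends on the specific service.

```python
# Added example: responsibility-gap check built from the rules stated in this article.
# Layer names, workload names and owners below are constructed for illustration.

ALWAYS_CUSTOMER = {"data", "devices", "access control"}
# Layers whose owner depends on the cloud service type.
VARIABLE = {"operating system", "applications", "database maintenance"}

def customer_layers(service_type, provider_managed=()):
    """Return (layers the customer must own, layers to verify per service)."""
    must_own, verify = set(ALWAYS_CUSTOMER), set()
    if service_type == "IaaS":
        must_own |= VARIABLE  # you run the OS and everything installed on it
    elif service_type == "PaaS":
        # The split depends on the service: anything the provider is not
        # known to manage is flagged for review rather than assumed away.
        verify = VARIABLE - set(provider_managed)
    elif service_type != "SaaS":
        raise ValueError(f"unknown service type: {service_type}")
    return must_own, verify

def find_gaps(inventory):
    """Per workload, list customer-side layers that have no named owner."""
    report = {}
    for w in inventory:
        must_own, verify = customer_layers(w["type"], w.get("provider_managed", ()))
        unowned = sorted(layer for layer in must_own if not w["owners"].get(layer))
        report[w["name"]] = {"unowned": unowned, "verify": sorted(verify)}
    return report

# Constructed inventory: the same database hosted two ways, plus a SaaS tool.
BASE = {"data": "data team", "devices": "IT", "access control": "IAM team"}
INVENTORY = [
    {"name": "orders-db-on-vm", "type": "IaaS",
     "owners": {**BASE, "operating system": "platform team",
                "applications": "app team"}},  # nobody maintains the database
    {"name": "orders-db-managed", "type": "PaaS",
     "provider_managed": ("operating system", "database maintenance"),
     "owners": dict(BASE)},
    {"name": "crm-saas", "type": "SaaS",
     "owners": {**BASE, "access control": None}},  # access reviews unassigned
]

if __name__ == "__main__":
    for name, result in find_gaps(INVENTORY).items():
        print(name, result)
```

The self-hosted database on a VM surfaces "database maintenance" as an unowned layer, while the managed database leaves only "applications" to confirm against that service's documentation.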

And that's a wrap!

Feeling curious? Here are explanations for each tier in the Shared Responsibility Model: