What Is The Shared Responsibility Model?

How the “shared responsibility” model works, and what it means for cloud services.
Tom King
April 19, 2023

The shared responsibility model refers to a cloud security framework that outlines how cloud service providers and users can work together to secure their cloud environment. This model explains how the two parties must work together and share accountability to reduce the chances of anything going wrong.  

The shared responsibility model focuses on two key areas: security and compliance. Microsoft and AWS have been promoting a shared responsibility approach to handling data and services in the cloud.

In a traditional on-prem environment, an organization will run and manage its own IT infrastructure. It will have its own, in-house, IT team that can oversee maintenance and security of the organization’s own data centers. Admins can ensure that measures and protocols are properly implemented and in line with compliance guidelines. In this way of working, it is clear where the responsibility and expectations lie: in-house.

The shared responsibility model is designed for more complex environments. Today, there are very few companies that still manage their entire technology stack. Organizations that use cloud services need to have protocols that clearly define responsibility and expectations for security and compliance.

The shared responsibility model should be examined when you sign up to a new service. It will detail the expectations on the vendor and the customer. You can then ensure that you know who is responsible for what, and that nothing is missed.

What Are The Different Types Of Shared Responsibility?

There are three types of shared responsibility model that define responsibility for different services. They are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Each one follows a different responsibility model with its own caveats and requirements.

Software-as-a-Service

For companies using SaaS products, the service provider is responsible for most (if not all) security procedures relating to the application or service itself. They will have to ensure that data is properly secured, and that there is sufficient infrastructure to protect your accounts. They will be responsible for managing and maintaining their application.

This does not, however, mean that the customer organization is without responsibility. The user is responsible for managing their own endpoints and network security. Data should be handled appropriately, without doing anything that could jeopardize application security.

It is worth checking your specific agreement to understand who owns the data that is used or stored in a SaaS product. It is easy to assume that you still own your data; however, some companies may use and sell this information.

Infrastructure-as-a-Service

In the case of an IaaS environment, the IaaS vendor will be responsible for the storage, virtualization, and network servers that it provides. IaaS vendors are also responsible for maintaining their own data centres and relevant security. If a data centre is attacked, or fails, that is the IaaS provider’s responsibility.

IaaS tends to be a light-touch solution – it provides the framework for an organization to use. In this case, users are responsible for the security of their operating systems, software, environments, users, and data. Essentially, everything other than the infrastructure itself.

Platform-as-a-Service

Platform-as-a-service (PaaS) environments are often execution environments for things like application development. In this case, the service provider will be responsible for platform security and any software or hardware needed to fulfil this function. It is the user’s responsibility to protect anything developed on the platform (such as applications), as well as their own endpoints, networks, and users.

Basic Responsibilities

Regardless of the type of service that you use, there will be some basic responsibilities and expectations on the user end. Cloud providers will take on partial responsibility, but your organization may still be responsible for areas such as:

  • Ensuring the solution meets, or can be configured to meet, relevant compliance or governance regulation
  • The data that is created and stored within the service
  • Ensuring third-party applications and integrations are configured correctly
  • Making sure your users behave appropriately and carefully while using the service
  • Access management

Implementing An Environment With A Shared Responsibility Model

When choosing a cloud provider and assessing what level of service your organization may need, it can be difficult to make sense of a vendor’s shared responsibility model. This is, however, an important step as it will ensure that you know where you stand, and what your responsibilities are.

It is worth taking the time to investigate the specific criteria of each service’s agreement. While there may be general themes across shared responsibility models, they are not all the same.

In its shared security model, Amazon Web Services (AWS) maintains that it is responsible for protecting and maintaining all the hardware, software, facilities, and networking that run on the AWS Cloud. In turn, Microsoft Azure is responsible for physical hosts, networks, and their data centers for SaaS, PaaS, and IaaS, but not on-premises services.

Benefits Of The Shared Responsibility Model

Shared responsibility models clearly outline and define the parameters of your responsibility. This is beneficial as it reduces the chances of miscommunication and, therefore, any issues. As all parties know who is responsible for what, you can ensure there are no loopholes or vulnerabilities.

If, for example, you are responsible for your data security, you can put into place sufficient tools, policies, and infrastructure to mitigate this. Without a shared responsibility model, you may assume the service provider will cover this, while they might assume that it is your responsibility. Through using effective shared responsibility models, organizations can improve overall security, whilst gaining clarity over expectations, responsibility, and culpability.

It may be the case that having a service provider be responsible is not only better for you economically, but in security terms too. A large service provider will be able to implement advanced and complex security infrastructure that may be unobtainable for small organizations.

A shared responsibility model that puts emphasis on the service provider can also reduce your workload. By managing tasks, solutions, and services externally, your employees can spend their time focused on other, in-house tasks. It simplifies procedures on the consumer’s side and can deliver peace of mind that certain processes and protocols are being handled well.

Summary

Adopting any strategy, platform, or solution that uses the shared responsibility model can be a daunting task. The agreements will often be highly specific, and you want to ensure that you understand them in their entirety. Shared responsibility models are, however, very effective and useful solutions. By making it clear who is responsible for what, you are able to put into place effective protocols on your end, knowing that your provider is doing the same on their side.

The shared responsibility model is there to ensure that responsibility and culpability are understood and shared across all relevant parties. Rather than just paying for a service, organizations that adopt a shared responsibility model enter into a form of partnership. It is in both parties’ interests to ensure security is robust and that policies are understood. Shared responsibility models help to create transparency and to apportion culpability on both sides, as well as encouraging collaboration to ensure full security and compliance expectations are met.
