Shared Responsibility Guide: Your Business’s Duties to Achieve a Secure Cloud


When a company operates its entire IT infrastructure on-premise, it owns the entire stack of technology.

Often, resources can be limited when managing an entire on-premise stack, leaving responsibilities unattended to and creating security vulnerabilities.

Moving to a public cloud can be a great decision for your business, eliminating the overhead of running servers and other infrastructure on-premise. Public clouds can also take the responsibility of maintenance and security off your hands and place it with the cloud provider.

That is why modern companies outsource their cloud management so often.

While cloud providers offer varying levels of service that protect your data environment, they do not fully cover your customer and company data at any level. 

They work on what is called the “Shared Responsibility Model,” and it operates exactly how it sounds.

Your provider shares responsibility for securing your environment, starting with the physical infrastructure, while the rest is on you. 

Depending on your plan, the provider (often Microsoft Azure, Amazon Web Services, or Google) is accountable for certain aspects of your cloud.

Anything not covered by the chosen plan is handled by the customer, hopefully resulting in full coverage.

Even with the most comprehensive packages from cloud providers, your business is still in charge of securing your data. This includes account and access management, which determines who can access your data and how.

Businesses choosing to move to the public cloud can choose to buy straight from their chosen cloud provider. 

Additionally, they can buy from a reputable cloud service provider (CSP), which can help manage the leftover responsibilities not covered by your cloud provider.

In this post, we’ll explain what responsibilities are covered by the most popular cloud providers, how their levels of service vary, and what you must do to secure your cloud in each case.

If you need help fully securing your cloud environment, or want to see how the cloud can best serve you, get on a call with us as soon as possible.

What is a Cloud Provider?

A cloud provider is any entity that offers the infrastructure to host a cloud environment as a service over the internet. 

This includes physical hosts, the physical network to connect to, and the data center in which the hardware is housed.

Often, cloud capabilities will be provided in a “pay as you go” model, meaning your costs are determined by how much computing power you use. 

Providers generally group these offerings into infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

What is a Cloud Service Provider (CSP)?

A cloud service provider (CSP) is a third-party vendor that offers components of cloud computing as a service. 

That can include actually building out the cloud environment like a cloud provider, or simply managing aspects of a private cloud for the business running it.

Cloud providers like Microsoft, Amazon, or Google are also CSPs because they offer several cloud services along with the infrastructure. 

Managed service providers (MSPs) like IT Support Guys can also be CSPs, as most offer cloud management services on demand.

These services include running virtual machines, processing data, and providing large quantities of storage. CSPs look to optimize your ROI by balancing resources that maximize productivity while minimizing costs.

What is shared responsibility?

As stated above, “shared responsibility” is the notion that cloud providers and their clients are collectively responsible for the cybersecurity of your environment, and the data therein.

The saying goes that cloud providers are responsible for the security “of the cloud,” while the customer is responsible for the security of what is “in the cloud.” 

Clients will always have the responsibility of securing and governing their own data, while cloud providers are always responsible for the security of the infrastructure running your cloud.

A CSP or MSP can be important to help manage any leftover responsibility not covered by your cloud provider, limiting your sole responsibility to managing customer data, content, data governance, and rights management.

What does “on-premise” mean?

“On-premise,” for the context of this post, means a technology environment that is fully hosted and maintained by the company operating it. 

Essentially, it means the business does not utilize a CSP and assumes all responsibilities itself.

Keep in mind, a cloud can be on-premise, even if the data center housing a company’s servers is in a different physical location than the business headquarters.

What is infrastructure as a service (IaaS)?


In cloud computing, infrastructure as a service (IaaS) is a type of outsourced service that offers just the essential storage and networking aspects of the cloud. 

IaaS is the most flexible option, allowing you to rent hardware, but have complete control of it.

In this subscription service, the cloud provider manages the physical servers that run your public cloud, keeping the hardware updated and secure. 

An IaaS plan eliminates the costs of operating an on-premise data center and allows businesses to scale globally. 

On the other hand, it leaves all network and application controls, data classification and accountability, and endpoint security to the client.

What is platform as a service (PaaS)?


In addition to the benefits of an IaaS plan, platform as a service (PaaS) plans lift the burden of some application-level and network control management. 

Largely, the benefits are development, business intelligence, and database management tools.

With PaaS, the cloud provider manages virtual machines and network resources, while the client uploads internal web applications that will run on the provided platform.

What is software as a service (SaaS)?


Software as a Service (SaaS) is the complete package for outsourced cloud solutions. It still does not cover all aspects of cybersecurity.

With all your infrastructure provided and housed by your cloud provider, SaaS adds hosted software to the mix. 

Employees will now connect to an app that connects them to the cloud, while the CSP manages all updates to hardware and software.

With SaaS, the cloud provider assumes the responsibility of the application-level and network controls, leaving just data classification, endpoint security, and identity and access management to the client.

What are the responsibilities of the cloud provider?

A cloud provider ensures the safety of your cloud, meaning the infrastructure on which your cloud lives. 

This includes the actual cloud servers, as well as the data centers where the servers are housed. 

It also includes the software that runs your cloud, as well as the networks that allow your data to travel from the cloud to your endpoints.

It is also up to the provider to provide the capability for clients to uphold their duties. Without services like encryption, security groups, and multi-factor authentication, a cloud provider is not worth it.

What are the responsibilities of the client?

The client is responsible for what is in the cloud, and that does not just mean the data that lives there. 

It also includes who has access to that data, and how they are given access.

Generally, the configuration of the environment is still up to the client. In every case, the client is responsible for data, endpoints, accounts, and access management.

That means it is up to you to make use of encryption by providing and maintaining security guidelines. A cloud provider also cannot set your security groups, access assignments, and permissions for you.

A chart showing what clients, public cloud providers and MSPs are responsible for under the shared responsibility model.

So, which responsibilities fall into each of these categories, and what determines who is responsible?

What is data governance?

Data governance is the way that you handle your data, including how you make it available and how you secure it. 

This involves creating policies around how data is used, and what measures are in place to protect critical information.

Governance also includes the classification of data and how it is sorted. If data is not correctly classified, it may cause compliance issues. 

Not knowing who has access to data will also complicate your rights management, as access can become inconsistent over time.

Some SaaS solutions like Microsoft 365 and Google Workspace also offer additional security features that help protect data. 

Under the shared responsibility model, data governance is always the responsibility of the client.

What are client endpoints?

Client endpoints are the destination of any transfer of data, generally hardware like a desktop, laptop, or smartphone. 

Endpoints represent some of the most vulnerable attack surfaces for cybercriminals and must be secured to the best possible degree.

Under the shared responsibility model, securing client endpoints is always the responsibility of the client. But an MSP can greatly assist in creating and implementing security policies.

It is important to note that as employees continue to work remotely, endpoints can be more difficult to secure. 

Remote work can expand attack surfaces for cybercriminals, and SaaS offerings like Microsoft 365 provide secure device management through Microsoft Intune.

What is account and access management?

Account management is the process of creating and assigning profiles to users, and access management is controlling the permissions of each user within your system. 

As part of data governance, businesses usually create policies around what departments and roles have access to different categories of data.

By keeping data restricted to certain individuals or groups, companies can secure it from being misused or stolen by bad actors.

The best account and access management takes both authentication and authorization into account. 

Authentication verifies and validates the identity of someone looking to access data, ensuring they are who they say they are. Authorization determines when and how the authenticated party can access the data.

Role-based access control is an important aspect of any company’s cybersecurity, as is multi-factor authentication.

Under the shared responsibility model, account and access management are a shared responsibility in the case of PaaS and SaaS, but fully the responsibility of the client with IaaS and on-premise. 

An MSP can help with planning out account and access management using tools like Azure Active Directory.

What are application-level controls?

Application-level controls are settings that allow or prohibit applications from operating in different ways. 

By limiting some functions of business applications, companies can keep unauthorized applications from putting data at risk.

Businesses are dependent on several applications in the modern world, so controlling how they can operate within your system will increase efficiency and security.

Under the shared responsibility model, application-level controls are a shared responsibility in the case of PaaS, but fully the responsibility of the client with IaaS and on-premise. 

With SaaS, the cloud provider takes full responsibility for application-level controls, as they handle all software in this case.

Not only can an MSP help monitor application-level controls to protect your current data, but they can also use intelligent monitoring to secure your backups.

What are network controls?

Network controls are the management of communication and interoperability on a company’s network. This includes setting up virtual networks, load balancing, and domain name systems (DNS).

Network controls are fully the responsibility of the cloud provider in a SaaS setup, as they already have responsibility for the network infrastructure. 

PaaS comes with shared responsibility, while IaaS places the responsibility solely on the client.

What are host infrastructure and security?

Host infrastructure is the management and configuration of the platform services, as well as computing and storage services of the cloud. Host security is the configuration and security of the infrastructure.

Under PaaS and SaaS plans, host infrastructure is fully under the responsibility of the cloud provider. 

With IaaS, infrastructure and security is a shared responsibility between the client and cloud provider, as the client must configure its own permissions and network controls.

What is physical security?

Physical security is the security of the actual servers, server rooms, and data centers that host the public cloud being utilized.

That means if a server is hosted on-premise, it is the responsibility of the business. In any case where a cloud provider is hired, they are fully responsible for the physical security of the infrastructure, even under the shared responsibility model.
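The category-by-category split described in the sections above can be written down as a matrix and checked against an inventory. The following is an added example, not code from the original post: it flags every control area where the client still has a duty ("client" or "shared") but nobody is named as owner. The workload names, team names, and the sample inventory are constructed for illustration.

```python
# Added example. Matrix transcribed from the section descriptions above;
# the on-premise column follows the statement that the business assumes everything.
MODELS = ("on-premise", "IaaS", "PaaS", "SaaS")
MATRIX = {  # control area -> responsible party per model, in MODELS order
    "data governance":               ("client", "client", "client", "client"),
    "client endpoints":              ("client", "client", "client", "client"),
    "account and access management": ("client", "client", "shared", "shared"),
    "application-level controls":    ("client", "client", "shared", "provider"),
    "network controls":              ("client", "client", "shared", "provider"),
    "host infrastructure":           ("client", "shared", "provider", "provider"),
    "physical security":             ("client", "provider", "provider", "provider"),
}

def client_duties(model):
    """Return {control: 'client' | 'shared'} for every area the client must act on."""
    col = MODELS.index(model)  # raises ValueError for an unknown service model
    return {c: row[col] for c, row in MATRIX.items() if row[col] != "provider"}

def coverage_gaps(workloads, owners):
    """workloads: {name: model}; owners: {(name, control): team}.
    Return sorted (workload, control, level) tuples that have a client duty but no owner."""
    gaps = []
    for name, model in workloads.items():
        for control, level in client_duties(model).items():
            if not owners.get((name, control)):
                gaps.append((name, control, level))
    return sorted(gaps)

# Constructed sample inventory (hypothetical workload and team names).
SAMPLE_WORKLOADS = {"crm": "SaaS", "billing-api": "PaaS", "file-server": "IaaS"}
SAMPLE_OWNERS = {
    ("crm", "data governance"): "compliance",
    ("crm", "client endpoints"): "msp",
    ("billing-api", "data governance"): "compliance",
    ("billing-api", "client endpoints"): "msp",
    ("billing-api", "account and access management"): "it",
    ("billing-api", "application-level controls"): "dev",
    ("file-server", "data governance"): "compliance",
    ("file-server", "client endpoints"): "msp",
    ("file-server", "account and access management"): "it",
    ("file-server", "network controls"): "it",
}

if __name__ == "__main__":
    for gap in coverage_gaps(SAMPLE_WORKLOADS, SAMPLE_OWNERS):
        print("%s: no owner for %s (%s responsibility)" % gap)
```

Shared areas are reported as gaps too, because a shared responsibility still needs someone on the client side to configure and review it.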

Conclusion

A move to the public cloud is a great start, but the responsibility of fully securing your environment does not end when you utilize a cloud provider.

There are still many configurations that must be handled on the client side to ensure that everything in the cloud remains protected.

This is an involved, hands-on process that evolves over time. As employees are on- and offboarded, as technology evolves, and as data changes, there will be steps you need to take to ensure security and compliance.

We know this can be a lot to handle, and that’s why we’re here to help. If you need assistance with the tedious tasks that come along with cloud security maintenance, look no further.

ITSG can take care of all your cloud maintenance while you focus on what matters most to your business. Schedule yourself for a consult with our Virtual CIO today, or give us a call at (855) 4IT-GUYS.
