Understanding shared responsibility models in the cloud


We are becoming increasingly dependent on cloud services for specialized technology solutions as well as to facilitate day-to-day operations in remote working environments. This is forcing organizations to continuously reevaluate how to approach security in increasingly complex environments.

In fully, or partly, cloud-based environments, determining who is responsible for which security facets is critical. Your security boundary is only as strong as its weakest link, and there can be no blind spots when it comes to cloud vulnerabilities or active threats.


LIFARS-as-Service can validate your compliance and controls to help you maintain your compliance. We evaluate your current approach and create a strong security foundation.


The CSCC is one of the leading organizations working on developing best practices and shared responsibility cloud security models to address these concerns.

There are three main types of cloud service models each with a unique combination of responsibilities divided between the cloud provider and its users.

Generally, these cloud service model types can be ordered from where the least responsibility falls to the user to the most, in the following order:

Shared responsibility models in the cloud- BMC


SaaS (software-as-a-service)

In this cloud service model, nearly all security-related responsibility falls to the provider. The provider is directly in charge of supplying and managing the physical devices, software platform, data, and network. However, users are still responsible for personal security in the cloud, such as using secure credentials, etc.

These are the most commonly used type of cloud services, typically running from within your browser. Examples include Google Workspace, Dropbox, and Salesforce. The user has very little control over how the application functions, using it as an out-of-the-box solution.

The primary concern here is the large volumes of data being moved to and from publicly accessible entities as well as compliance with regulatory frameworks or internal security practices.

PaaS (platform-as-a-service)

PaaS services usually act as complete development and deployment environment in the cloud. They provide a framework for developers to build and deploy certain apps which can vary in scale and complexity. In this type of model, users retain more control over the actual applications and data generated within the platform.

Examples include AWS Elastic Beanstalk, Microsoft Azure, and the Google App Engine. In this case, the provider still manages the infrastructure such as servers, networking, and storage as well as the underlying software logic, including the OS, middleware, and virtualization. The chief concerns here are regarding data storage and transmissions with third-party vendors and various public interfaces in the mix.

IaaS (infrastructure-as-a-service)

As the name suggests, IaaS providers offer access to highly scalable and automated cloud computing resources. Customers typically purchase on-demand resources, scaling them according to their requirements. It’s typically a self-service solution with minimal interference from the provider once it’s provisioned.

Clients are typically in full control of the vast majority of their apps and data. However, these systems may still be subject to network or system-related vulnerabilities. There might also not be watertight isolation between separate client VMs if they live on multi-tenant resources. Examples include DigitalOcean, Rackspace, and Google Compute Engine (GCE).

These are just the most widely used examples of cloud service models used by businesses today. However, in an increasingly cloud-based future, new types of services are emerging all the time or mutating as entirely new technologies emerge or business requirements evolve.

For example, XaaS (everything-as-a-service) models may include the features of some (or all) of the above or BaaS (blockchain-as-a-service) which can take different forms and come with its own unique security considerations.

Because of this, there is no single shared responsibility cloud security model. Shared responsibility in the cloud is highly dependent on a number of factors, including:

  • The types of cloud-based service models you use
  • Your entire technology and software stack
  • Your organization’s unique threat landscape
  • Internal security resources and procedures
  • The specific SLAs (service-level agreements) between you and any cloud providers



SaaS vs PaaS vs IaaS: What’s The Difference & How To Choose

Shared responsibility model