Shared Responsibility Model

The shared responsibility model defines which security controls the cloud provider owns versus the customer — referenced often in cloud security reviews.

Definition

The shared responsibility model is a cloud security framework that divides security and compliance responsibilities between the cloud service provider and the customer. The provider typically secures the underlying cloud infrastructure, while the customer is responsible for how applications, identities, configurations, and data are managed within that environment.

Context

Buyers use shared-responsibility questions to understand where a vendor's controls begin and end. In questionnaires, vendors are often asked to explain which controls rely on AWS, Azure, or GCP; how customer configurations affect security posture; and how the vendor documents inherited versus managed controls. Clear shared-responsibility explanations reduce confusion around encryption, logging, patching, identity management, and backup obligations.

Why it matters

The shared responsibility model defines how security obligations are divided between a cloud service provider and its customers. Under IaaS, the provider secures physical infrastructure and hypervisor layers while the customer manages operating systems, applications, and data. PaaS shifts more responsibility to the provider, and SaaS concentrates nearly all infrastructure duties with the provider, leaving customers responsible for access management, data classification, and configuration. Security questionnaire responses must clearly articulate which controls fall under each party's ownership to avoid ambiguous accountability.

A frequent pitfall is assuming the cloud provider handles security comprehensively, leading to misconfigured storage buckets, overly permissive identity policies, or unencrypted data at rest. Organizations completing security questionnaires should map each control to a responsible party and identify any gaps where neither side has explicitly accepted ownership. Network segmentation, logging configuration, key management, and backup strategy are areas where responsibility boundaries are commonly misunderstood, particularly in multi-cloud or hybrid environments where models differ across providers.

Industry trends show shared responsibility frameworks becoming more granular as cloud services grow more complex. Major providers now publish detailed responsibility matrices for individual services rather than broad platform-level guidance. During vendor assessments, mature organizations request these matrices and validate them against their own control frameworks. The emergence of cloud security posture management tools that continuously audit configuration against shared responsibility boundaries reflects growing recognition that static questionnaire responses alone cannot capture the dynamic nature of cloud security obligations.
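The mapping-and-gap exercise the last three paragraphs describe, as an added example (not VeriRFP's code and not any provider's published matrix): a small Python audit that attributes each weakness found in a resource record to whichever party owns that control under the chosen service model, and lists controls that nobody has explicitly accepted. The responsibility matrix, the control names and the two resource records are constructed and deliberately simplified; a real review would substitute the provider's own per-service matrix.

```python
"""Added example: attribute configuration findings to the owning party under a
shared responsibility matrix. Matrix and sample resources are constructed."""

from dataclasses import dataclass

# Constructed, simplified matrix: control -> owner per service model.
# "shared" means both parties hold part of the control; None marks a control
# that neither side has explicitly accepted, the gap the text warns about.
RESPONSIBILITY_MATRIX = {
    "physical_infrastructure": {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"},
    "hypervisor":              {"IaaS": "provider", "PaaS": "provider", "SaaS": "provider"},
    "os_patching":             {"IaaS": "customer", "PaaS": "provider", "SaaS": "provider"},
    "encryption_at_rest":      {"IaaS": "customer", "PaaS": "shared",   "SaaS": "provider"},
    "identity_policy":         {"IaaS": "customer", "PaaS": "customer", "SaaS": "customer"},
    "public_access":           {"IaaS": "customer", "PaaS": "customer", "SaaS": "customer"},
    "audit_logging":           {"IaaS": "customer", "PaaS": "shared",   "SaaS": "provider"},
    "backup":                  {"IaaS": "customer", "PaaS": None,       "SaaS": "provider"},
}

# Constructed resource records in the shape a posture scanner might normalise to.
SAMPLE_RESOURCES = [
    {"name": "data-bucket", "public_access": True, "encrypted_at_rest": False,
     "logging_enabled": False,
     "policy": [{"Sid": "PublicRead", "Effect": "Allow",
                 "Principal": "*", "Action": "s3:GetObject"}]},
    {"name": "app-db", "public_access": False, "encrypted_at_rest": True,
     "logging_enabled": True,
     "policy": [{"Sid": "AppRole", "Effect": "Allow",
                 "Principal": {"AWS": "app-role"}, "Action": ["db:Read"]}]},
]


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    owner: str      # "customer", "provider", "shared" or "unassigned"
    detail: str


def unassigned_controls(model, matrix=RESPONSIBILITY_MATRIX):
    """Controls for which neither party has accepted ownership under `model`."""
    return sorted(c for c, owners in matrix.items() if owners.get(model) is None)


def _check_resource(res):
    """Return (control, detail) pairs for weaknesses in one resource record."""
    issues = []
    if res.get("public_access"):
        issues.append(("public_access", "resource is publicly reachable"))
    if not res.get("encrypted_at_rest", False):
        issues.append(("encryption_at_rest", "no encryption at rest configured"))
    if not res.get("logging_enabled", False):
        issues.append(("audit_logging", "access logging disabled"))
    for stmt in res.get("policy", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # An Allow with a wildcard principal or wildcard action is the
        # "overly permissive identity policy" case from the text.
        if stmt.get("Effect") == "Allow" and (stmt.get("Principal") == "*" or "*" in actions):
            issues.append(("identity_policy",
                           f"Allow with wildcard principal/action in {stmt.get('Sid', '?')}"))
    return issues


def audit(resources, model, matrix=RESPONSIBILITY_MATRIX):
    """Attribute every weakness to the party owning that control under `model`."""
    findings = []
    for res in resources:
        for control, detail in _check_resource(res):
            owner = matrix[control].get(model) or "unassigned"
            findings.append(Finding(res["name"], control, owner, detail))
    return findings


def customer_actionable(findings):
    """Findings the customer must act on: controls it owns or shares."""
    return [f for f in findings if f.owner in ("customer", "shared")]


if __name__ == "__main__":
    for model in ("IaaS", "PaaS", "SaaS"):
        print(f"--- {model}: unassigned controls = {unassigned_controls(model)}")
        for f in customer_actionable(audit(SAMPLE_RESOURCES, model)):
            print(f"{f.resource}: {f.control} ({f.owner}) - {f.detail}")
```

The same misconfiguration produces a different accountable party depending on the service model: under IaaS all four weaknesses on `data-bucket` are the customer's, under SaaS only public exposure and the identity policy remain customer-owned, and under PaaS the audit surfaces `backup` as a control with no accepted owner, which is exactly the kind of gap a questionnaire response should call out rather than leave implicit.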

Automate your security questionnaire workflow

VeriRFP uses evidence-backed AI to draft security questionnaire responses with deterministic citations from your approved documentation.