Cloud environments are now the common foundation of most IT and app deployments, and the extended use of public cloud infrastructure means that many companies rely on shared systems to manage their data, applications, and computing resources.
While public cloud computing is a cost-effective way to support these kinds of deployments, it also adds several issues related to security and compliance, and it’s up to CSPs and their customers to work together to maintain security.
This article explores the shared responsibility model, how responsibilities differ across service types, and best practices to ensure security and compliance in cloud environments.
Overview of the Shared Responsibility Model
The shared responsibility model defines the security responsibilities of cloud service providers and their customers in cloud environments. It operates on the assumption that, despite the common understanding of cloud infrastructure, providers must fully protect workloads in public cloud systems.
This model clarifies which security tasks are handled by the CSP and which remain the customer’s responsibility. It ensures a secure cloud experience by preventing gaps and redundancies in security coverage.
In traditional on-premises environments, organizations are solely responsible for their entire IT infrastructure, from physical hardware and networking to software and data security. However, in the cloud, CSPs handle part of the security burden, reducing the customer’s workload. The shared responsibility model divides security responsibilities between the CSP and the customer to establish a clear understanding of roles, responsibilities, and expectations.
Why Is the Shared Responsibility Model Important?
Understanding the shared responsibility model is essential for effective cloud security management for several reasons:
- Clarity on Security Roles: By delineating responsibilities, the shared responsibility model reduces confusion over who handles specific security tasks, helping organizations prioritize their efforts and avoid security gaps.
- Improved Compliance Management: Many regulatory frameworks, like GDPR, HIPAA, and FedRAMP, require organizations to protect sensitive data. By clarifying responsibilities, organizations can focus on meeting compliance standards for data within their control while relying on CSPs to manage infrastructure compliance.
- Risk Reduction: When each party understands their responsibilities, security risks are reduced, as there are fewer chances for misconfigured controls or overlooked vulnerabilities.
- Scalability and Agility: The shared responsibility model allows organizations to benefit from the cloud’s scalability and agility without needing to manage and secure all aspects of the underlying infrastructure.
Key Responsibilities in the Shared Responsibility Model
While each CSP has specific security responsibilities, the shared responsibility model can generally be broken down into two main categories:
Security of the Cloud (CSP’s Responsibility)
- Physical Security: Securing physical hardware, data centers, and network infrastructure.
- Infrastructure Management: Managing the underlying hardware, networking, and virtualization components.
- Operational Security: Ensuring patch management, OS updates, and access control for the infrastructure layer.
- Availability and Redundancy: Ensuring cloud resources have proper failover mechanisms to maintain uptime and reliability.
Security in the Cloud (Customer’s Responsibility)
- Data Protection: Protecting customer data, including data encryption, backups, and access control.
- Application Security: Securing applications deployed in the cloud, including managing vulnerabilities, firewalls, and intrusion prevention.
- User Identity and Access Management: Ensuring users have secure access, including multi-factor authentication and role-based access controls.
- Compliance: Meeting regulatory and compliance requirements, such as SOC 2, GDPR, HIPAA, and others that apply to their data and applications.
Shared Responsibility in IaaS, PaaS, and SaaS
Due to the varying levels of access and control afforded users, each cloud service model allocates responsibilities differently:
Infrastructure as a Service (IaaS)
- CSP Responsibility: In an IaaS model, the CSP is responsible for the physical infrastructure, networking, and virtualization layer, covering tasks such as maintaining physical servers, data centers, and network security. They also provide the customer with virtual machines, storage, and network capabilities.
- Customer Responsibility: The customer manages the OS, applications, network configurations, data, and user access. This includes configuring firewall rules, securing virtual machines, patching the OS, managing data, and ensuring application-level security.
Platform as a Service (PaaS)
- CSP Responsibility: In PaaS, the CSP manages the infrastructure, operating system, and runtime environment. This includes server and OS maintenance, middleware updates, and providing development tools.
- Customer Responsibility: Customers are responsible for their data, application security, and user access. They focus on managing applications they develop and deploy on the platform, while the CSP handles the underlying infrastructure and OS updates.
Software as a Service (SaaS)
- CSP Responsibility: In SaaS, the CSP manages everything from the infrastructure and OS to applications. This model provides customers with ready-to-use software applications, which the provider maintains, secures, and updates regularly.
- Customer Responsibility: The customer is responsible primarily for managing access to the SaaS application and ensuring data security within the software. This includes user access controls, data classification, and compliance with data protection regulations.
Challenges in Implementing the Shared Responsibility Model
While the shared responsibility model provides a clear framework for security, implementing it effectively can present several challenges:
- Misunderstanding of Responsibilities: Customers may need to understand the division of responsibilities, assuming the CSP handles more security tasks than they do. This misconception can lead to unprotected assets and vulnerable applications.
- Security Gaps in Configurations: Since customers are responsible for their configurations and access controls, misconfigurations are common, often resulting from an inadequate understanding of cloud security best practices.
- Data Protection and Compliance: Meeting compliance requirements for data stored and processed in the cloud can be complex, as customers must navigate privacy and security standards that apply to their specific data and applications.
- Complex Multi-Cloud Environments: Organizations using multiple CSPs may need help consistently tracking and fulfilling their responsibilities across various platforms, potentially creating security and compliance gaps.
Best Practices for CSPs Managing Responsibilities in Cloud Environments
To effectively implement the shared responsibility model, organizations should consider these best practices:
- Educate Teams on Security Responsibilities: Educating IT and security teams on the specifics of the shared responsibility model for each cloud service type helps reduce misconfigurations and overlooked security gaps. This includes understanding CSP-provided controls and tools, such as AWS Identity and Access Management (IAM) or Azure Security Center, that can enhance the organization’s security posture.
- Implement Identity and Access Management (IAM) Controls: IAM ensures only authorized users access cloud resources. By implementing strong IAM policies, including multi-factor authentication and least privilege principles, organizations can reduce the risk of unauthorized access to data and applications within their responsibility.
- Use Cloud Security Posture Management (CSPM) Tools: CSPM tools help identify and correct misconfigurations in cloud environments by continuously monitoring configurations and enforcing security policies. These tools are valuable for maintaining compliance and reducing security risks across multi-cloud environments.
- Encrypt Data in Transit and at Rest: Although CSPs may offer encryption options, customers should ensure that sensitive data is encrypted at both ends. Encrypting data in transit and at rest helps protect sensitive information from unauthorized access, which is the customer’s responsibility in most cloud environments.
- Conduct Regular Security Audits and Assessments: Regular security assessments and audits help verify that controls are operating effectively. Audits can reveal gaps in the shared responsibility model implementation and help organizations adjust their security strategies to maintain compliance and mitigate risk.
Embrace the Shared Responsibility Model for Secure Cloud Operations
To learn more about how Lazarus Alliance can help, contact us.
- FedRAMP
- StateRAMP
- NIST 800-53
- FARS NIST 800-171
- CMMC
- SOC 1 & SOC 2
- HIPAA, HITECH, & Meaningful Use
- PCI DSS RoC & SAQ
- IRS 1075 & 4812
- ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
- NIAP Common Criteria – Lazarus Alliance Laboratories
- And dozens more!
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts