What is the Shared Responsibility Model?

The Shared Responsibility Model is a security and compliance framework that outlines the responsibilities of cloud service providers (CSPs) and customers for securing every aspect of the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system (OS), network controls and access rights.

In its simplest terms, the Shared Responsibility Model dictates that the cloud provider—such as Amazon Web Service (AWS), Microsoft Azure, or Google Cloud Platform (GCP)—must monitor and respond to security threats related to the cloud itself and its underlying infrastructure. Meanwhile, end users, including individuals and companies, are responsible for protecting data and other assets they store in any cloud environment.

Unfortunately, this notion of shared responsibility can be misunderstood, leading to the assumption that cloud workloads – as well as any applications, data or activity associated with them – are fully protected by the cloud provider. This can result in users unknowingly running workloads in a public cloud that are not fully protected, making them vulnerable to attacks that target the operating system, data or applications. Even securely configured workloads can become a target at runtime, as they are vulnerable to zero-day exploits.

Shared Responsibility across the three cloud service delivery models

There are three main cloud service models:

1. Software as a service (SaaS)
2. Infrastructure as a service (IaaS)
3. Platform as a service (PaaS)

Each of these cloud delivery models are subject to the concept of shared responsibility. However, ownership of security tasks and functions varies depending on the delivery model in use.

Software as a service (SaaS): SaaS is a software delivery model wherein the vendor centrally hosts an application in the cloud that can be used by a subscriber. In this model, the provider is responsible for application security, as well as its maintenance and management.

Platform as a service (PaaS): PaaS is a platform delivery model that can be purchased and used to develop, run and manage applications. In the cloud platform model, the vendor provides both the hardware and software generally used by application developers; the service provider is also responsible for security of the platform and its infrastructure.

Infrastructure as a service (IaaS): IaaS is an infrastructure delivery model wherein a vendor provides a wide range of compute resources such as virtualized servers, storage and network equipment over the internet. In this model, the business is responsible for maintaining security of anything they own or install on the cloud infrastructure, such as the operating system, applications, middleware, containers, workloads, data and code.

Service Type	Vendor Responsibility	User Responsibility
SaaS	Application security	Endpoints, user and network security; misconfigurations, workloads and data
PaaS	Platform security, including all hardware and software	Security of applications developed on the platform Endpoints, user and network security, and workloads
IaaS	Security of all infrastructure components	Security of any application installed on the infrastructure (e.g. OS, applications, middleware) Endpoints, user and network security, workloads, and data

Element	SaaS	PaaS	IaaS
Application Security	CSP	User	User
Platform Security	CSP	CSP	User
Infrastructure	CSP	User	CSP
Endpoint Security	User	User	User
Data Security / Data Protection	User	User	User
Network Security	CSP	CSP	User
User Security	User	User	User
Containers and Cloud Workloads	User	User	User
APIs and Middleware	CSP	User	User
Code	User	User	User
Virtualization	CSP	CSP	User

The Shared Responsibility Model in practice

Direct Control

While the Shared Responsibility Model is based on the idea that two or more parties play a role in ensuring security of distinct elements within the public cloud environment, it is important to note that the customer and CSP do not share responsibility for the same asset.

Rather, the CSP or the customer has full and complete responsibility for the security of all assets under their direct control, regardless of the service model type.

For example, the customer will always have responsibility for data security, compliance and access regardless of whether they are following a SaaS, PaaS or IaaS model. Practically speaking, this is because CSPs have no visibility into data that is stored in the public cloud and therefore cannot effectively manage data security or access.

Customers are typically also responsible for:

• Identity Access and Management (IAM)
• User security and credentials
• Endpoint security
• Network security
• Security of workloads and containers
• Configurations
• APIs and middleware
• Code

Meanwhile, the cloud provider—such as Amazon, Microsoft or Google—are responsible for areas for which they possess direct control. This typically includes security of:

• The physical layer and all associated hardware and infrastructure
• The virtualization layer
• Network controls and provider services
• Facilities that run cloud resources

Divided responsibilities

In some IaaS and PaaS models, security responsibilities may vary depending on the cloud provider or the terms outlined in the service level agreement (SLA).

For example, when it comes to a network control like a firewall, the cloud service provider may be responsible for providing the firewall service. However, it is up to the user to manage all other aspects such as configuration, rules, monitoring and response. While both parties play a role in the security element, the responsibilities are still clearly defined and divided.

Likewise, if a customer is using a public cloud data storage service offered by a CSP, then the cloud provider is responsible for all aspects of that cloud datacenter, including security, monitoring, maintenance and updating. However, the customer is still wholly responsible for securing any data within the cloud environment, as well as ensuring only authorized users can access it.

Based on the concept of divided responsibility, no party has authority over another in terms of how they protect their assets. For example, a customer cannot dictate how or when their CSP performs monitoring and testing. That said, the service agreement should outline the steps the provider will take to protect customers, as well as how documentation for that activity will be shared. Typically, cloud vendors produce regular audit reports to confirm that they are taking the necessary and proper steps to protect their customers.

Shared Responsibility Model Advantages

While a shared security model is complex and requires careful consideration and coordination between the CSP and customer, the approach offers several important benefits to users. These include:

• Efficiency: Though the customer bears significant levels of responsibility under the Shared Responsibility Model, some key aspects of security – such as security of hardware, infrastructure and the virtualization layer – are almost always managed by the CSP. In a traditional on-premises model, these aspects were managed by the customer. The shift to the cloud frees up IT staff to refocus efforts on other tasks and needs, as well as dedicate available resources and investments to those areas for which they bear responsibility.
• Enhanced protection: Cloud service providers are hyper focused on the security of their cloud environment and typically dedicate significant resources to ensuring their customers are fully protected. As part of the service agreement, CSPs conduct robust monitoring and testing, as well as timely patching and updating.
• Expertise: CSPs often have a higher level of knowledge and expertise when it comes to the emerging field of cloud security. When customers engage a cloud vendor, they benefit from the partner organization’s experience, assets and resources.

Shared Responsibility Best Practices

As organizations shift to the cloud, many are defining their relationships with CSPs for the first time. As companies navigate this complex territory, we offer the following best practices:

1. Carefully review the SLA. Security responsibilities will differ depending on the cloud model, cloud provider and other variables. It is critical for organizations to carefully review their SLA with their cloud vendor to ensure they are fully aware of their security responsibilities and to identify any potential gray areas that need to be clarified. In the event the organization is changing cloud providers or shifting to a new delivery model, they must carefully reevaluate their contract and identify any changes. While the SLA may appear to be very similar to a past agreement, even slight changes in wording can leave the organization vulnerable to serious security risks. Finally, for organizations operating a multi-cloud environment, it is crucial to review each SLA individually as the terms are not standard across vendors. Small differences across these agreements must be factored into the overarching cloud security strategy and architecture.
2. Prioritize data security. Cloud customers are always fully responsible for any data stored in the cloud or produced by applications in the cloud. As such, organizations must develop a robust data security strategy specifically designed to protect cloud-based data, whether it is in use, at rest or in motion.
3. Ensure robust identity and access management. The cloud customer is also completely responsible for defining access rights to cloud-based resources and granting access to authorized users. These efforts should be incorporated into the organization’s broader IAM policy and solution set.
4. Embrace DevSecOps. DevSecOps – short for Development Security and Operations – is the practice of integrating security continuously throughout the software and/or application development lifecycle in order to minimize security vulnerabilities and improve compliance – all without impacting speed of release cycles. A DevSecOps or shift left mindset is an absolute necessity for any IT organization that is leveraging containers or the cloud, both of which require new security guidelines, policies, practices, and tools.
5. Identify a trusted cybersecurity partner. Cloud security is fundamentally different from securing on premises networks. Updating and adapting the cybersecurity strategy and toolset to address new cloud-based risks can be both overwhelming and complicated – especially if the organization is operating a hybrid or multi-cloud environment. A cybersecurity partner can assist the organization’s internal security team in managing all aspects of cloud security – from selecting a CSP, to understanding their specific security responsibilities to deploying and integrating the tools and solutions that will protect the business.

CrowdStrike’s Cloud Security Solutions

CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies that drive modern enterprise. The industry continues to recognize CrowdStrike as a leader, most recently with CRN naming CrowdStrike a Winner of the 2022 Tech Innovator Award for Best Cloud Security.

Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon® Platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Learn more about CrowdStrike’s Cloud Security Solutions – including our services specific to AWS, GCP, and Azure, below:

• Cloud Security Posture Management
• Cloud Workload Protection
• AWS Security
• GCP Security
• Azure Security
• Managed Detection and Response for Cloud Workloads