1-888-310-4540 (main) / 1-888-707-6150 (support) info@spkaa.com
Select Page

Cloud Security: The Shared Responsibilty Model Explained

Written by Michael Roberts
Published on February 3, 2023
Categories: Atlassian | AWS | Azure | Cloud | Cybersecurity

Transformative tech trends like the internet of things (IoT), artificial intelligence (AI), virtual reality (VR) and dispersed workforces have increased cloud adoption. Why? Because it provides the ability for agility, productivity, and scalability like no other infrastructure. And whilst the cloud isn’t necessarily new, it does still leave plenty of organizations with questions. Particularly around security. The Shared Responsibility Model is a term you should familiarize yourself with as you explore your cloud journey. It could be the difference between cloud protection and brand damage.

Clearing Up Cloud Security

Cloud service providers such as AWS, Azure, and Atlassian provide an unimaginable scaling opportunity for businesses globally. Not only does it remove the need for expensive upfront capital expenditure it also enables unlimited access to scalable data servers on a pay-as-you-go model. In just a few clicks. Additionally, you can configure new employee machines from anywhere in the world, and protect them without the need to purchase, deploy and wait for the arrival of new hardware. It’s all digital. It’s Infrastructure as a Service (IaaS).

In 2023 and beyond, cloud adoption will continue to grow. Companies that don’t adopt it will undoubtedly be left snapping at the heels of earlier adopters. In fact, Gartner forecast that by 2025 cloud spending will overtake traditional IT expenditure

The cloud shift accelerated during the pandemic, and now there’s no going back. Organizations capitalized on its potential and they’re reaping the benefits fast. In 2022, more than $1.3 trillion in enterprise IT spending was at stake from the shift to cloud, growing to almost $1.8 trillion in 2025, according to Gartner. 

And, as more organizations migrate their own, and customer-sensitive data to the cloud, it opens up the question of who is responsible for the data that is now hosted there. Is it the cloud service provider? Or is it the organization purchasing the service from the host?

Who’s Responsibility Is It To Protect Cloud Data?

It’s true that cloud service providers offer the likes of compliance certifications and their own security. But, it’s not true that they offer complete security. In fact, cloud security is a shared responsibility between the vendor and the business. This isn’t much different from when you bought that PC back in 1995 at home and it came pre-loaded with the latest out-of-the-box anti-virus software like McAfee. Just because it was there didn’t mean it was McAfee’s responsibility to protect your PC for years to come. Or as you downloaded new software. Yes, it might flag a potential threat, but if your PC was infected by a new, undiscovered virus, you certainly weren’t going to take McAfee to court for not remaining up to scratch with the latest market threats. It was your responsibility to continually assess if that out-of-the-box solution matched your requirements, and that you kept it updated.

Now, as more data is hosted in the cloud, the principle remains the same. Your organization has specific requirements to protect your customer data. That might require very different layers of security for a small business compared to a large enterprise cataloging customer data. For example, think of the health industry.


The Shared Responsibility Model

The Shared Responsibility Model lays out an agreement between cloud service providers and organizations utilizing their hosted services. Essentially, the model clarifies that cloud service providers are responsible for protecting the overall infrastructure in the cloud. This is known as the “security of the cloud”. Conversely, you maintain responsibility for the security of any content, platform, applications, systems and networks you choose to host there. This is known as “security in the cloud”.

Cloud service providers’ responsibility includes:

  • Control the host operating components of the system and virtualization layers. 
  • Physical security of the offices and data centers the host operates from. 
  • Protection services such as encryption.
  • Security groups.
  • Multi-factor authentication capabilities.

As an organization, you are responsible for:

  • Assessing your chosen security solution.
  • Maintaining the integrity of the cloud infrastructure.
  • Updates and patches to application software.
  • Configuration of firewalls.
  • Deploying security utilizing the hosts protection services such as access assignments and permission levels.
  • Additionally, you can increase security by using host-based firewalls, threat-based detection and encryption

Recovering Deleted Cloud Data

In 2021, Co-Founder and CEO of SPK and Associates Christine McHale, interviewed Vish Reddy, Co-Founder of Revyz, a cloud backup solution. 

Revyz was created after Vish realized that a colleague had deleted valuable data in the cloud, only to find that data in the cloud is not backed-up automatically. A common misconception of cloud service users. 

In the interview, Vish explains:

“Imagine this. You’re the user of the application and the administrator. You accidentally press the wrong thing and things get deleted. Who is responsible for that? That action was taken by you as the customer. Now, that could have been a legitimate action. You want to actually go delete something. Microsoft can’t go and revert whatever you want to actually delete and get rid of, right? That’s where the shared responsibility model comes into play. It means you as the customer are responsible for certain things which are protecting your data. Microsoft, Atlassian or Salesforce, will give you the structure or the mechanisms to protect the data but you have to do it yourself. The Cloud Security Alliance updated their questionnaire, or their assessment mechanism, to include the shared responsibility model related questions. Because they found that this understanding of every administrator out there was, as people assume, in the cloud. That people don’t need to worry about it. Therefore, they don’t need a cloud backup solution.”

Cloud backup solutions like Revyz and AFI Backup are well worth the investment for organizations looking to deliver on the Shared Responsibility Model well.

The Responsibility Model Overview Vs Infrastructure


The customer is 100% responsible for information and data right down to the physical infrastructure.
The customer has greater control in compliance scenarios because they have 100% control and it also provides flexibility in supporting legacy technologies. Your cloud platforms will only support software versions so far into the past so this relieves any pressure to move forward before the customer is ready.

Infrastructure-as-a-Service (IaaS)

The Cloud Service Provider takes on the responsibility of managing the data center facilities, the network and server infrastructure. It is the customer’s responsibility to manage all other security and integrity aspects.
This reduces or eliminates the customer's need to manage a physical data center and server infrastructure. An example of an IaaS service would be Azure Virtual Machines.

Platform-as-a-service (PaaS)

The Cloud Service Provider assumes some additional responsibility, this time for network controls, operating systems and identities. Responsibility for network controls and identities along with applications is shared between the cloud service provider and the customer, meaning that the customer has some configuration control.
This typically reduces the customer's cloud operating cost as compared to Infrastructure as a Service. An example of a PaaS service would be Azure SQL Database.

Software-as-a-Service (SaaS)

The cloud service provider assumes more responsibility for applications and network controls. The customer shares some responsibilities around identity and directory infrastructure and the customer continues to assume 100% responsibility for access control, the devices used to access the service and the security of their data.
The customer has more protection from the cloud service provider, and remains in more control of their organizations data protection. An example of a SaaS service would be Microsoft or what you may know as Office 365.


It’s critical to understand the Shared Responsibility Model in depth. A solid understanding of these protection layers will also provide a solid foundation for the cloud security of your data. By clearly defining whether you, the customer, or the cloud service provider is responsible for cloud-hosted data, you will be able to better protect both customer and market-sensitive data.

Cloud backup solutions like Revyz and AFI Backup are worth their weight in gold as an extra layer of protection in the Shared Responsibility Model agreement.

If you need further support on protecting your cloud services, you can contact our expert managed services team here for a no-obligation discussion. At SPK, we partner with the largest players in the cloud market including AWS and Azure. We were also recently accoladed as Atlassian Gold Partners for our work on successful integrations and migrations, so you can trust our team to support yours.

Latest White Papers

PLM and ERP: Their respective roles in modern manufacturing

PLM and ERP: Their respective roles in modern manufacturing

Integrating engineering with manufacturing doesn't have to be difficult. This downloadable white paper from PTC and SPK discusses how to successfully integrate Enterprise Resource Planning (ERP) and Product Lifecycle Management (PLM) to benefit your business. You will...

Related Resources

Migrate your VMware workloads with Microsoft Azure eBook

Migrate your VMware workloads with Microsoft Azure eBook

Digital transformation and cloud adoption don’t have to be a hassle. With the new flexible solution from Microsoft, organizations can meet diverse needs by modernizing their workflows. This solution in partnership with VMware is called Azure VMware Solution. Learn...

A Review of Revyz Data Manager for Confluence

A Review of Revyz Data Manager for Confluence

Confluence by Atlassian is an amazing tool for project management. However, it can be easy to accumulate a mess of attachments and pages in the workspace. Although there are some manual ways to keep Confluence tidy, Revyz.io has released a simpler solution. Revyz.io,...

Resiliency with Microsoft Azure

Resiliency with Microsoft Azure

When researching cloud computing services, there are many key components to analyze. A main factor many organizations look at is the resiliency of a service. Resilience is about how well a system can recover from a disruption or system failure. It can range from...