Shared Responsibility 

How providers and user companies protect the cloud

When it comes to protecting the public cloud, the provider and the company using the cloud share the responsibility. The shared responsibility model defines precisely how.

Text: Christoph Widmer, Images: tnt-graphics, 28 may 2019

Computing power at the touch of a button. Business-relevant applications that can be accessed at any time. Prefabricated development environments that are available to IT departments: The cloud has fundamentally changed the way IT is consumed. However, the issue of information security (IT security, information and data protection) has also become more complex as a result. The security of the public cloud in particular often leads to misunderstandings and false assumptions among cloud consumers. As much as they are used to classic outsourcing models and want to be unburdened in terms of security, they cannot simply pass on the issue of cloud security entirely to the cloud provider. Cloud consumers are jointly responsible for cloud security if they really want to obtain applications, development environments and/or virtualised server instances securely from the public cloud.

“In principle, the cloud provider is responsible for the security of the cloud infrastructure, while the cloud consumer is responsible for security within the cloud.”

Klaus Gribi, Swisscom Senior Security Consultant

The shared responsibility model defines the respective areas of responsibility of cloud users and cloud providers. Originally formulated by Amazon Web Services and Microsoft Azure, the division underlying this responsibility model for security and compliance is now also employed by other cloud providers. “Essentially, shared responsibility distinguishes between the security of the public cloud itself and security within the public cloud,” explains Swisscom Senior Security Consultant Klaus Gribi. “In principle, the cloud provider is responsible for the security of the cloud infrastructure, while the cloud consumer is responsible for security within the cloud”

Microsoft Azure shared responsibility model.  

The responsibilities vary depending on the cloud service model that the cloud consumer is using:

  • Infrastructure as a service: Cloud providers assume little responsibility
    In the majority of cases, cloud consumers bear sole responsibility for the security of IaaS solutions. They are responsible for the security of the operating system, the data and the applications. The cloud provider is only responsible for protecting the virtualisation platform.

  • Platform as a service: The cloud provider has greater obligations
    With PaaS, cloud providers take care of the security of the entire development environment as well as the operating systems and databases. For his part, the cloud consumer is responsible for the security and management of the applications developed and running on the platform and the data.

  • Software as a service: Users are unburdened
    With SaaS solutions, the service provider is responsible for the majority of the security aspects. Aside from user management and the data stored in the cloud, the service provider takes care of all the cloud security. The SaaS users are responsible for protecting the data and information. “Users of SaaS solutions are still essentially responsible for ensuring that identity and access management is implemented correctly and that only the data which they really want in the cloud gets into the cloud,” says Gribi. “Cloud consumers can protect outsourced data further by encrypting it.”

Areas of responsibility may differ

Although the shared responsibility model is often merely a rule of thumb, the technical areas for which cloud consumers and providers are responsible can differ from case to case. “Although an IaaS customer is responsible for cloud security from the operating system level, some providers also install components in the operating system, e.g. to monitor the performance of virtualised instances,” Gribi explains. “Shared responsibility is therefore subject to provider-specific limits that may be dynamic.”


What’s more, a cloud consumer may also outsource individual tasks. If, for example, he chooses a managed OS of an IaaS instance, responsibility for the operating system no longer lies with him, but with the cloud provider or third-party provider. However, under certain circumstances, firewall management may remain a task for the cloud consumer. Shared responsibility is thus becoming more complex. The service level agreements (SLAs) of the cloud provider define exactly how the responsibilities are divided between the provider and the consumer in each case. That’s why cloud consumers must study the SLAs in detail. Only then can they take appropriate security measures themselves and provide the best possible protection at their end for the cloud services they use.

Technical and organisational factors are also decisive

In addition to these technical aspects, shared responsibility also extends to other factors. For example, cloud consumers need to determine how their chief information security officer can collaborate with the cloud provider’s security organisation:


  • How exactly are vulnerability management processes handled?
  • How does the provider conduct security incident management?
  • How is the information made available by the cloud provider’s cloud security portal integrated into the consumer’s own security processes?


“The topic of cloud security thus does not end at the technical security level, but also affects cloud consumers from an administrative and organisational perspective,” Gribi notes. “These factors are therefore fundamental from as early as the evaluation and selection of a suitable cloud provider.”

Hand with smartphone


Would you like to regularly receive interesting articles and whitepapers on current ICT topics?

More on the topic