Skip to main content
Cloud

What is Shared Responsibility when talking about Public Cloud?

Christian Schou

Recently I read a forum post and actually, it was a question in regards to security and how the shared responsibility was applied between the organization the cloud provider. A user specifically asked, “What is the main difference between security in the public cloud and on-premise is“.

I think that it’s a great question that a lot of people out there could learn a thing or two from. When I first started learning about the cloud, I believed that things would change completely when moving some of the “old” on-premise solutions into the public cloud. They didn’t…

So Christian… Is it the same? Naah – the responsibilities are different, let’s take a look at those.

Quick intro

The fact is that we have been doing security for a long time and most of the things we know about security from on-premise are the same security stuff we apply in the public cloud. We still have to deal with address defense, antimalware, security protocols when talking network, implement best security practices when developing new code, configure logging for our applications and network including alerts for when things go wrong. We actually have to do most of the things we already do or did… depending on where you are right now.

In this article, I will focus on shared responsibility as that is what I think is the biggest difference.

Shared Responsibility in the Public Cloud

When you buy a resource on a public cloud service provider’s infrastructure you have to deal with the fact that you now have a partner hosting your applications etc… This is where shared responsibility comes into the picture.

More precisely – Who is responsible for what? (I’m talking security here, nothing else) This depends on the Cloud Service Model you have chosen when you signed up for the service. Currently, we got:

  • IaaS (Cloud Provider)
  • PaaS (Cloud Provider)
  • SaaS (Cloud Provider)
  • On-Prem (You)

When you pick an IaaS solution the cloud provider is responsible for the core underlying infrastructure security. This includes things such as storage, networking, and the computing unit. When you go from an IaaS to a PaaS or SaaS solution you get less responsibility. On-Prem (Full responsibility) -> SaaS (Almost nothing).

Below is a figure to show you how the shared responsibility works across the four cloud service models I just mentioned above:

Cloud Service Models with Responsibility
Cloud Service Models with Responsibility

Summary

When reflecting on this topic, we can clearly conclude that this is a new approach to security for a lot of people. If you search using Google or any other search machine for Shared Responsibility you will find more in-depth content that will teach you about areas in the public cloud giving you a deeper understanding of what you are responsible for and the other way around. If you are interested in how Microsoft would respond to incidents and their responsibility for cloud computing, you can read the article below.

Microsoft Incident Response and shared responsibility for cloud computing
I’m excited to introduce two new papers that address common topics our customers often ask about. Both papers were designed to help you understand how Microsoft addresses complex processes so you can adopt Azure Cloud Services.

I hope this short article has helped you get a high-level understanding of what shared responsibility means when talking about the public cloud. If you got any questions or suggestions, please let me know in the comments.