The shared responsibility model is a structured division of duties between the cloud provider and the customer.
The shared responsibility model is a structured division of duties between the cloud provider and the customer. The provider secures and operates the underlying cloud service infrastructure it owns. The customer secures what it chooses to build, configure, store, expose, integrate, and operate inside that environment. That is the core definition, but the practical meaning is narrower and more useful: the model describes who controls a layer, who can change it, and who must answer when something goes wrong.
That definition matters because teams often hear a softer and more dangerous version: “the provider handles security.” That sentence is not just incomplete. It is usually false in the places that matter most to the customer, such as identity policy, data handling, network exposure, application logic, tenant configuration, logging choices, retention rules, and recovery design. The provider may secure the platform. It does not know which users should have admin rights, which storage bucket should never be public, which API should require stronger validation, or how long a regulated dataset must be retained.
The clearest way to understand the model is as a layered boundary:
flowchart TD
A["Cloud service consumed by customer"] --> B["Provider-operated layer"]
A --> C["Customer-operated layer"]
B --> D["Facilities, hardware, core network, host fleet, platform runtime"]
C --> E["Identity policy, tenant configuration, data placement, application logic, exposure choices"]
E --> F["Business risk still belongs to the customer"]
What to notice:
The most useful test is not “Who touched the hardware?” but “Who can decide and change the control?” If the provider controls the data center access system, that is provider responsibility. If the customer decides whether a workload can be reached from the public internet, that is customer responsibility. If the customer chooses whether multi-factor authentication is mandatory for administrators, that is customer responsibility even if the platform offers the mechanism.
This is why the model is often described as “security of the cloud” versus “security in the cloud.” That wording is imperfect, but it points to a real boundary. The provider usually owns the security of the foundational service stack it operates. The customer owns the security of the way it uses that stack.
The following example is intentionally vendor-neutral. It shows how one managed storage service still leaves important decisions with the customer.
1service: managed-object-storage
2
3provider_responsibilities:
4 - physical_facility_security
5 - storage_fleet_patch_and_host_hardening
6 - service_control_plane_operations
7 - baseline_service_availability
8
9customer_responsibilities:
10 - data_classification
11 - bucket_or_container_exposure
12 - retention_and_deletion_policy
13 - encryption_key_strategy
14 - identity_and_access_policy
15 - logging_and_alerting_configuration
What this demonstrates:
Teams often confuse three related but different ideas:
A provider may perform host patching for a managed database service. The customer may still be accountable for ensuring the database is not exposed too broadly, that sensitive data is handled correctly, and that required logs are retained. Shared responsibility therefore never means “the provider does some work, so the customer can stop caring.” It means the customer must understand exactly which part of the chain it still owns.
A team stores regulated data in a provider-managed database service and says the database is now “the provider’s responsibility.” The service is fully managed, but the team still decides who can access it, which data goes into it, whether logs are enabled, and how long backups are retained. Is the team’s statement accurate?
No. The stronger answer is that the provider operates the database platform, but the customer still owns critical decisions about data placement, identity policy, retention, monitoring, and lawful use. The service being managed does not move those governance and risk decisions to the provider.