1. Home
  2. Blog
  3. Cloud
  4. Understanding the Shared Responsibility Model for Cloud Security

Last updated September 19th, 2023 by Avigdor Book

Cloud computing has become a vital component of our digital lives, powering everything from our personal emails to the applications we use at work. This paradigm shift from on-premises data centers to the cloud has made understanding the shared responsibility model crucial. This model delineates the security responsibilities of cloud service providers (CSPs), such as Microsoft Azure, and their customers in maintaining cloud security and safeguarding against vulnerabilities.

What is the Shared Responsibility Model?

In a shared responsibility model, cloud security is a joint effort between the CSP and the customer. The CSP is responsible for securing the cloud infrastructure, including the software, hardware, networking components, and virtualization layer. They also handle physical security of the cloud resources. On the other hand, the customer is responsible for securing the apps they deploy in the cloud, managing their data security, and handling identity and access management (IAM) permissions.

Let’s consider an example. In the AWS shared responsibility model, Amazon Web Services provides a secure cloud infrastructure and services, while the customer is responsible for securing their data, applications, and operating system within that environment. This includes patching, lifecycle management, and alerting for security risks within their cloud-native applications.

Shared Responsibility across Different Cloud Services

The exact distribution of responsibilities varies with different cloud services:

  • Software as a Service (SaaS): In SaaS models like Salesforce, the CSP manages most of the security aspects, including the applications, operating system, infrastructure, and API endpoints. The customer’s responsibility is primarily around managing their data, user access controls, and handling potential misconfigurations.

  • Platform as a Service (PaaS): In PaaS models such as Azure, the CSP manages the underlying infrastructure and runtime environment, including serverless components and the security of the cloud. The customer is responsible for securing the applications they develop and deploy, as well as their data.

  • Infrastructure as a Service (IaaS): In IaaS models like AWS or Google Cloud, the customer has more responsibilities, including securing their data, applications, operating system, and certain aspects of the network controls.

Why is the Shared Responsibility Model Important?

The shared responsibility model is vital for several reasons:

  • Clarifies Responsibilities: It demarcates what aspects of security are handled by the CSP and what falls under the customer’s purview, such as IAM and authentication. This clarity helps avoid gaps in security coverage.

  • Facilitates Compliance: Many industries require compliance with specific data protection and cybersecurity regulations. Understanding who is responsible for what helps organizations maintain compliance and acquire necessary certifications.

  • Promotes Security: By sharing the responsibility, both the CSP and the customer play active roles in ensuring a secure cloud environment, reducing the risks of data breaches.

Tufin and Shared Responsibility Model

Tufin helps organizations navigate their security responsibilities in a shared responsibility model. Tufin’s Orchestration Suite provides visibility, analysis, and automation to manage security policies across different cloud environments, including multi-cloud setups. This can help organizations secure their workloads and data in the cloud, as outlined in this Swisscom case study.


The shared responsibility model is a fundamental aspect of cloud security. While CSPs secure the cloud infrastructure, customers must ensure the security of their workloads, applications, and data. Tools like Tufin can help manage these responsibilities effectively, ensuring a robust security posture in the cloud.


1. How does the AWS shared responsibility model work?

In the AWS shared responsibility model, AWS is responsible for the security “of” the cloud, which includes the hardware, software, networking, and facilities. The customer, on the other hand, is in charge of security “in” the cloud, which encompasses customer data, applications, and other elements. Read more about how Tufin automates change management for AWS third party firewalls and Security Groups.

2. What is an example of a shared responsibility model in the cloud?

An example of a shared responsibility model is the SaaS model, where the cloud service provider manages most of the security aspects, and the customer is mostly responsible for managing their data and access controls. Here’s an example of a large company managing their firewall policy and responsibilities.

3. What are the customer responsibilities in the shared responsibility model?

Customers are primarily responsible for securing their data, managing user access, securing the applications they develop and deploy in the cloud, and sometimes, managing certain aspects of network controls. Learn more about managing cloud security policies with shared responsibilities.

Wrapping Up

Regardless of whether you’re using AWS, Azure, or any other public cloud service, a robust understanding of this model ensures that no aspect of your cloud security is neglected. Click here for a demo to learn more about how Tufin can manage network security in your multi-cloud environment.

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest

Try Tufin for Free


In this post:

Background Image