Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog

What is the Shared Responsibility Model in the Cloud?

Home
Industry Insights
What is the Shared Responsibility Model in the Cloud?

Blog Article Published: 01/25/2024

Written by Noelle Sheck, Communications Coordinator, CSA.

In cloud computing, understanding the shared responsibility model is crucial. As the name implies, the shared responsibility model delineates who is responsible for what in regards to the cloud service. This responsibility matrix varies based on the cloud provider, service model, and deployment model. Here, we’ll cover how the shared responsibility model is applied to security, governance, compliance, and business continuity and disaster recovery (BC/DR) in the cloud.


Security

At the core of cloud security lies the delineation of responsibilities between the cloud service provider (CSP) and the cloud service consumer (CSC). This division typically falls along a spectrum, depending on the type of service.

Security Responsibility of IaaS, PaaS, and SaaS

For Infrastructure as a Service (IaaS), the CSP secures the foundational infrastructure, while the CSC is responsible for everything built on top of it. Platform as a Service (PaaS) sits in the middle, with the CSP securing the platform and the CSC managing their implementations, including configuring security features. In Software as a Service (SaaS), the CSP takes on most of the security responsibilities, leaving the CSC to manage application authorization and entitlements.

However, the presence of cloud brokers or intermediaries can complicate these roles. In this case, it would be wise to break down who is responsible for what on a granular level. If a CSP has gaps in security controls that the CSC or intermediaries cannot fill, opt for another CSP.

Key Recommendations:

  • CSPs should clearly document their security controls.
  • CSCs should create a responsibilities matrix for each cloud project, aligning it with necessary compliance standards.

For detailed information on cloud security controls, resources like the Consensus Assessments Initiative Questionnaire (CAIQ) or the Cloud Controls Matrix (CCM) are available.


Governance

Cloud computing impacts governance by introducing third parties or altering internal structures. A critical point here is that governance responsibility cannot be outsourced, even with external cloud services. Organizations can choose to delegate risk management but not the accountability for managing these risks.


Compliance

Compliance in the cloud mirrors the shared responsibility model seen in security. Both the CSP and the CSC have roles to play, but the ultimate responsibility for compliance lies with the CSC. Contracts, audits, assessments, and specific compliance requirements delineate this responsibility.


Business Continuity and Disaster Recovery

BC/DR in cloud computing is another area where shared responsibility is evident. While the CSP manages certain aspects, the CSC is ultimately responsible for their use and management of the cloud service. This responsibility becomes particularly crucial when planning for potential outages. Again, the level of control and responsibility varies across IaaS, PaaS, and SaaS.


Conclusion

Navigating the shared responsibility model in cloud computing requires a clear understanding of the roles and responsibilities of both the CSP and the CSC across various domains. By carefully managing security, governance, compliance, and BC/DR, organizations can effectively leverage cloud services while maintaining control and fulfilling their responsibilities. This balance is key to a successful and secure cloud experience. For more information on the shared responsibility model, download the CSA Security Guidance for Critical Areas of Focus in Cloud Computing.

Security GuidanceShared Responsibility ModelTransitioning to the cloud

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Virtual Cloud Trust Summit 2024
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Do You Know These 7 Terms About Cyber Threats and Vulnerabilities?

Published: 04/19/2024

Navigating Your Cloud Journey in 2024: Key Resources from the Cloud Security Alliance

Published: 04/05/2024

Runtime is the Way

Published: 04/04/2024

10 Essential Identity and Access Management (IAM) Terms

Published: 03/30/2024