Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

What is the Shared Responsibility Model in the Cloud?

What is the Shared Responsibility Model in the Cloud?

Blog Article Published: 01/25/2024

Written by Noelle Sheck, Communications Coordinator, CSA.

In cloud computing, understanding the shared responsibility model is crucial. As the name implies, the shared responsibility model delineates who is responsible for what in regards to the cloud service. This responsibility matrix varies based on the cloud provider, service model, and deployment model. Here, we’ll cover how the shared responsibility model is applied to security, governance, compliance, and business continuity and disaster recovery (BC/DR) in the cloud.


At the core of cloud security lies the delineation of responsibilities between the cloud service provider (CSP) and the cloud service consumer (CSC). This division typically falls along a spectrum, depending on the type of service.

Security Responsibility of IaaS, PaaS, and SaaS

For Infrastructure as a Service (IaaS), the CSP secures the foundational infrastructure, while the CSC is responsible for everything built on top of it. Platform as a Service (PaaS) sits in the middle, with the CSP securing the platform and the CSC managing their implementations, including configuring security features. In Software as a Service (SaaS), the CSP takes on most of the security responsibilities, leaving the CSC to manage application authorization and entitlements.

However, the presence of cloud brokers or intermediaries can complicate these roles. In this case, it would be wise to break down who is responsible for what on a granular level. If a CSP has gaps in security controls that the CSC or intermediaries cannot fill, opt for another CSP.

Key Recommendations:

  • CSPs should clearly document their security controls.
  • CSCs should create a responsibilities matrix for each cloud project, aligning it with necessary compliance standards.

For detailed information on cloud security controls, resources like the Consensus Assessments Initiative Questionnaire (CAIQ) or the Cloud Controls Matrix (CCM) are available.


Cloud computing impacts governance by introducing third parties or altering internal structures. A critical point here is that governance responsibility cannot be outsourced, even with external cloud services. Organizations can choose to delegate risk management but not the accountability for managing these risks.


Compliance in the cloud mirrors the shared responsibility model seen in security. Both the CSP and the CSC have roles to play, but the ultimate responsibility for compliance lies with the CSC. Contracts, audits, assessments, and specific compliance requirements delineate this responsibility.

Business Continuity and Disaster Recovery

BC/DR in cloud computing is another area where shared responsibility is evident. While the CSP manages certain aspects, the CSC is ultimately responsible for their use and management of the cloud service. This responsibility becomes particularly crucial when planning for potential outages. Again, the level of control and responsibility varies across IaaS, PaaS, and SaaS.


Navigating the shared responsibility model in cloud computing requires a clear understanding of the roles and responsibilities of both the CSP and the CSC across various domains. By carefully managing security, governance, compliance, and BC/DR, organizations can effectively leverage cloud services while maintaining control and fulfilling their responsibilities. This balance is key to a successful and secure cloud experience. For more information on the shared responsibility model, download the CSA Security Guidance for Critical Areas of Focus in Cloud Computing.

Share this content on your favorite social network today!