Shared Responsibility Model
Slide deck explaining the shared responsibility model in Azure, how responsibilities are split between Microsoft and customers across IaaS, PaaS, and SaaS service models, and common security considerations.

Shared Responsibility Model
Introduction to the shared responsibility model in Azure, explaining how Microsoft and customers share responsibilities and how the split depends on the service model.
The cloud doesn't remove responsibility
In Azure, Microsoft and you share responsibilities—and the split depends on the service model. The 'who owns what?' question prevents security gaps. Responsibilities shift, they don't vanish. The split changes across IaaS, PaaS, and SaaS. Some items are always your job: data, access, accounts, endpoints.
Shared responsibility: the basic split
Microsoft owns what you can't control; you own what you can control. Provider responsibilities: datacenters, physical infrastructure, core platform. Customer responsibilities: configuration, identities, access, data usage. The split changes per service. If you can configure it, assume you must secure it.
Security of vs. security in the cloud
Microsoft secures the platform; you secure what you deploy and configure. Security of the cloud equals Azure infrastructure plus platform protection. Security in the cloud equals your configuration, identities, data, and access. Tools are shared; decisions are yours. Misconfigurations are usually customer-owned.
Always yours: the 'D-E-A-A' list
Data, Endpoints, Accounts, and Access management stay with you in every model. Data: classification, protection, governance. Endpoints: device security for connecting users and systems. Accounts: identity lifecycle (create, manage, disable). Access management: permissions plus regular reviews.
Responsibility shifts with the service model
More managed service equals more Microsoft responsibility, but never zero customer responsibility. IaaS: you manage more (VM guest OS, patching, apps). PaaS: Microsoft manages more platform; you manage config, identity, and data. SaaS: Microsoft runs the app; you manage access and data governance. Always yours: data, endpoints, accounts, access.
IaaS: you still run (and secure) the workload
In IaaS, Microsoft protects the foundation, but you secure the VM and what's inside it. Microsoft: datacenter, physical infrastructure, core platform. You: VM guest OS patching and hardening. You: applications, configs, and network choices you control. You: identities, access, and data protection.
PaaS: fewer chores, not fewer responsibilities
PaaS reduces platform work, but your identity, access, data, and config remain your job. Microsoft: more platform components (runtime/OS). You: identities and permissions. You: data protection and governance decisions. You: service configuration (safe defaults aren't guaranteed).
SaaS: Microsoft runs the app, you run access + governance
Even in SaaS, you still control access decisions, accounts, endpoints, and data governance. Microsoft: application operations. You: who has access and what permissions they get. You: account management (joiner/mover/leaver). You: data governance and endpoint security.
Reliability is shared too
Microsoft provides resilient building blocks; you choose, configure, and validate recovery for your workload. Microsoft: core platform reliability. Microsoft: regions, availability zones, backup capabilities. You: select and configure backups (retention, restore). You: recovery testing and Business Continuity and Disaster Recovery (BCDR) plan.
Avoid the big mistakes (and start with access)
Most cloud incidents come from customer-owned misconfigurations—especially identity and access. Mistake: 'Microsoft handles all security' → Fix: platform vs your config. Mistake: 'Same split for IaaS/PaaS/SaaS' → Fix: verify per service. Mistake: ignore identity/access → Fix: review permissions early. Review: admins, roles, access paths.
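One way to start the "review admins, roles, access paths" step above, as an added example that is not part of the original deck: a Python script that triages role assignments exported with `az role assignment list --all -o json`. The sample records, the privileged-role set, and the two review rules are assumptions chosen for this example.

```python
# Constructed sample in the shape of `az role assignment list --all -o json`
# output; the subscription ID, principals and resource names are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB
     + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp"},
]

# Assumption: built-in roles treated as "admin" for this review.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
BROAD = {"root", "management-group", "subscription"}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if "managementgroups" in parts:
        return "management-group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if "resourcegroups" in parts and len(parts) == 4:
        return "resource-group"
    return "resource"

def review(assignments):
    """Return (principal, role, reasons) for assignments worth a human look."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED:
            continue
        reasons = []
        level = scope_level(a["scope"])
        if level in BROAD:
            reasons.append(f"privileged role at {level} scope")
        if a["principalType"] == "User":
            reasons.append("assigned directly to a user, not via a group")
        if reasons:
            findings.append((a["principalName"], a["roleDefinitionName"], reasons))
    return findings
```

To run it against a real tenant, replace `SAMPLE` with the parsed JSON from the CLI export and treat each finding as a prompt for review, not as a verdict.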
