The Shared Responsibility Model: Who Secures What (2026)
Last verified: June 17, 2026 · Format: Breakdown
'%20stroke-width='3'%20opacity='0.4'%20stroke-dasharray='6%206'/%3E%3Cg%3E%3Crect%20x='90'%20y='105'%20width='430'%20height='150'%20rx='14'%20fill='%23FFFFFF'%20stroke='%230EA5E9'%20stroke-width='2'/%3E%3Ctext%20x='305'%20y='135'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='18'%20font-weight='700'%20fill='%230369A1'%3EYou%20(the%20customer)%20secure%3C/text%3E%3Ctext%20x='305'%20y='168'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='14'%20fill='%236B7280'%3EData%20%E2%80%A2%20Identities%20%26amp;%20access%20%E2%80%A2%20Configuration%3C/text%3E%3Ctext%20x='305'%20y='192'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='14'%20fill='%236B7280'%3EClient%20devices%20%E2%80%A2%20Apps%20%26amp;%20OS%20(in%20IaaS)%3C/text%3E%3Ctext%20x='305'%20y='228'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='12'%20fill='%236B7280'%3Esecurity%20IN%20the%20cloud%3C/text%3E%3C/g%3E%3Cg%3E%3Crect%20x='680'%20y='105'%20width='430'%20height='150'%20rx='14'%20fill='%23FFFFFF'%20stroke='%230369A1'%20stroke-width='2'/%3E%3Ctext%20x='895'%20y='135'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='18'%20font-weight='700'%20fill='%230369A1'%3EThe%20provider%20secures%3C/text%3E%3Ctext%20x='895'%20y='168'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='14'%20fill='%236B7280'%3EPhysical%20datacenter%20%E2%80%A2%20Network%20%E2%80%A2%20Hosts%3C/text%3E%3Ctext%20x='895'%20y='192'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='14'%20fill='%236B7280'%3EHypervisor%20%E2%80%A2%20Managed%20services%3C/text%3E%3Ctext%20x='895'%20y='228'%20text-anchor='middle'%20font-family='Arial,sans-serif'%20font-size='12'%20fill='%236B7280'%3Esecurity%20OF%20the%20cloud%3C/text%3E%3C/g%3E%3C/svg%3E)
The shared responsibility model is the agreement that decides who secures what once your systems run in the cloud. In one line: the provider secures the cloud, and you secure what you put in it. The provider takes care of the physical datacenters, the network, the host servers, and the hypervisor that separates one tenant from another. You take care of your data, your user identities, your access rules, and how you configure the services you switch on. Misread that split and you can ship something that is technically running yet quietly wide open, which is exactly how most cloud incidents begin.
The catch is that the dividing line is not fixed. It slides depending on whether you rent raw infrastructure, a managed platform, or a finished application. This breakdown walks the shared responsibility model end to end: the AWS framing, a full responsibility matrix you can read at a glance, how the three big providers describe it, and the handful of things you own no matter what. Provider descriptions below were checked against official documentation on June 17, 2026.
What the shared responsibility model is
The shared responsibility model is a security division of labor between you and your cloud provider. It exists because the cloud is not one indivisible thing you either trust or do not; it is a stack of layers, and the shared responsibility model is what makes the trust boundary inside it explicit. Different layers sit under different people's control. Your provider runs the building, the power, the racks, the physical network, and the virtualization software. You run the workloads, the data, and the accounts that reach them. The shared responsibility model simply draws a clear line through that stack so neither side assumes the other has it covered.
Two principles hold true on every cloud and in every service model. First, the provider always secures the lowest layers: the physical facility, the underlying hardware and network, and the hypervisor. You can neither see nor touch those, so you cannot be responsible for them. Second, you always secure your own data and the identities that access it. No provider can decide which records are sensitive, who in your organization should reach them, or whether multi-factor authentication is switched on. Everything between those two fixed ends is what moves.
It helps to start with shared vocabulary. If the words IaaS, PaaS, and SaaS are not yet second nature, the companion explainer on what cloud computing is sets out the service models this article builds on, and the Cloud Tools Hub collects the wider set of foundations.
Security "of" vs "in" the cloud (AWS)
AWS gave the shared responsibility model its most quoted phrasing, and it is worth borrowing because it is genuinely clarifying. AWS is responsible for security "of" the cloud, the hardware, software, networking, and facilities that run AWS services. You are responsible for security "in" the cloud, meaning everything you build and place on top. Where exactly that "in" line falls depends on which service you choose, so the customer's share grows or shrinks with the service.
AWS also sorts controls into three useful buckets. Inherited controls are ones you get for free from AWS, such as physical and environmental protections in the datacenter. Shared controls apply to both sides at different layers, patch management is the classic example: AWS patches the underlying infrastructure, and you patch the guest operating system and applications you run. Customer-specific controls are entirely yours, such as classifying your data or configuring a service to meet your own compliance needs.
A concrete pair makes it click. With Amazon EC2, an infrastructure service, you manage the guest operating system, including its updates and security patches, the application software, and the firewall rules in your security groups; AWS handles the host, the hypervisor, and the physical layer. Move to an abstracted service like Amazon S3 or DynamoDB and AWS operates the infrastructure layer for you, so your job narrows to managing your data, classifying it, and setting access with encryption and identity permissions. Same provider, very different customer workload, because the shared responsibility model shifts with the service.
The mental shortcut: the more managed the service, the less of the stack you operate, but never zero. Even on the most abstracted service, your data and who can reach it stay yours to secure.
The responsibility matrix by service model (IaaS/PaaS/SaaS)
This is the centerpiece, and the single most useful way to hold the whole shared responsibility model in your head. Microsoft publishes a responsibility matrix. It maps each layer of the stack against the four ways you can run software: on-premises, IaaS, PaaS, and SaaS, and marks who owns each cell. Read any row left to right and you watch responsibility hand off from you to the provider as the service becomes more managed.
| Responsibility layer | On-prem | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Data classification & protection | Customer | Customer | Customer | Customer |
| Configuration & settings | Customer | Customer | Customer | Customer |
| Identities & user accounts | Customer | Customer | Customer | Customer |
| Client / endpoint devices | Customer | Customer | Customer | Customer |
| Applications | Customer | Customer | Shared | Shared |
| Network controls | Customer | Customer | Shared | Microsoft |
| Operating system | Customer | Customer | Microsoft | Microsoft |
| Physical hosts | Customer | Microsoft | Microsoft | Microsoft |
| Physical network | Customer | Microsoft | Microsoft | Microsoft |
| Physical datacenter | Customer | Microsoft | Microsoft | Microsoft |
Customer = you own it · Shared = both sides at different layers · Microsoft = the provider owns it. Mapped from Microsoft's published Azure responsibility matrix; verified June 17, 2026.
Three things jump out of the grid. The top four rows, data, configuration, identities, and client devices, are Customer across every column, even SaaS: those never transfer. The bottom three rows, the physical layers, are the provider's the moment you leave on-premises. And the middle, applications, network, and the operating system, is the part that actually shifts, sliding from you toward the provider as you move from IaaS to PaaS to SaaS. Function as a service behaves like the SaaS column for these purposes. That moving middle is where most confusion about the shared responsibility model, and most risk, lives.
How AWS, Azure and Google Cloud describe it
All three major providers teach the same model, but each frames it in its own language, and the differences are worth knowing if you work across clouds. The shape is identical; the vocabulary and the extra programs are not.
AWS: "of" the cloud vs "in" the cloud
AWS keeps this split crisp with the "of versus in" phrasing covered above, backed by the inherited, shared, and customer-specific control classes. Its version of the model emphasizes how your duties expand or contract with each service, from a full guest OS on EC2 down to just data and access on an abstracted store.
Azure: a responsibility matrix
Microsoft leans on the matrix you just read. It states plainly that data, endpoints, accounts, and access management responsibilities always stay with the customer regardless of deployment type, and that physical hosts, network, and datacenter are always Microsoft's. The matrix is the clearest single artifact for seeing how the operating system, applications, and network controls migrate across IaaS, PaaS, and SaaS.
Google Cloud: shared responsibility evolving into shared fate
Google Cloud starts from the same IaaS, PaaS, SaaS split, then goes a step further with what it calls shared fate. The argument is that handing customers a responsibility chart and walking away is not enough, so Google takes a more active role in helping you stay secure. In practice that means secure-by-default landing zones and blueprints (infrastructure as code with safe defaults baked in), a Risk Protection Program that connects qualified customers with cyber-insurance offerings from insurers such as Munich Re and Allianz, and tooling including Assured Workloads, Security Command Center, and Confidential Computing. Shared fate does not rewrite the shared responsibility model; it tries to make the customer's side of the line easier to hold.
Worth attributing carefully: the Cloud Security Alliance, cited by Google, has identified misconfiguration as a leading cause of cloud breaches. The lesson is not a precise statistic but a direction: the customer side of the line, where configuration lives, is where attention pays off most.
What you ALWAYS own (data + identities)
Strip away every difference between providers and service models, and the shared responsibility model leaves a short, non-negotiable list of duties with you. These cells stayed Customer across the entire matrix for a reason: no provider can make these decisions for you, because only you know your business, your data, and your people.
Classifying what is sensitive, protecting it, and choosing how it is encrypted at rest and in transit. The provider stores the bytes; deciding what they are worth and how they are guarded is yours.
Always: CustomerManaging accounts and access with role-based access control, multi-factor authentication, and conditional access. Who can reach what is a decision only your organization can make.
Always: CustomerSetting up each service safely, from storage permissions to network rules. The defaults are a starting point, not an audit; a single careless setting is the classic source of an exposed bucket or database.
Always: CustomerSecuring the laptops, phones, and workstations your people use to reach the cloud. The most hardened service still trusts a logged-in session from a compromised device.
Always: CustomerIf you remember nothing else about the shared responsibility model, remember this list. Whether you run a fleet of virtual machines or a single SaaS subscription, your data, your identities and access, your configuration, and your endpoints are yours to secure. The provider can hand you better tools and safer defaults, but it cannot make these choices on your behalf. Choosing a provider in the first place is a related decision; the pillar pages on AWS, Microsoft Azure, and Google Cloud break down how each one approaches security and services.
Where the model goes wrong
Almost every cloud security failure traces back to one side misreading the line. The shared responsibility model is simple to state and easy to get wrong in practice. These are the recurring traps.
The most common and most expensive mistake. Providers protect the infrastructure, not your records. If you leave a storage bucket public or skip encryption, that is your side of the line, and an exposure here is a customer responsibility, not a provider failure.
Teams that learn the split on infrastructure services sometimes carry the same assumptions to a managed platform, or the reverse. On IaaS you patch the operating system; on PaaS the provider does. Re-check the boundary every time the service model changes.
Default settings are built for getting started, not for your threat model. Configuration is firmly on your side of the line in every service model, so review permissions, network rules, and logging rather than trusting that out-of-the-box is safe.
Strong infrastructure does not help if an attacker logs in with valid credentials from an unmanaged laptop. Identities, access management, and client devices are always yours; multi-factor authentication and device hygiene are not optional extras.
Frequently Asked Questions
Go Deeper
Resources from across Tech Jacks Solutions
Cloud Tools Hub
Browse cloud foundations and provider guides, by topic and provider
Glossary
Plain-language definitions for cloud, security, and infrastructure terms
FREEGovernance Charter
Set the rules for cloud and AI tooling before they scale across your team
EU AI Act Overview
How regulation frames cloud deployments and data handling