Shared Responsibility Model – Complete Guide for SC-900
Why Is the Shared Responsibility Model Important?
The Shared Responsibility Model is one of the most foundational concepts in cloud security and is a core topic tested on the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam. Understanding this model is critical because it defines who is responsible for what when it comes to securing cloud resources. Misunderstanding the division of responsibilities is one of the leading causes of security breaches in the cloud. Organizations that fail to grasp this model may leave critical assets unprotected, assuming their cloud provider is handling security tasks that are actually their own responsibility.
What Is the Shared Responsibility Model?
The Shared Responsibility Model is a framework that clarifies the division of security obligations between the cloud service provider (CSP) — such as Microsoft Azure — and the customer (the organization using the cloud services). In simple terms, the cloud provider is always responsible for securing the underlying infrastructure, while the customer is always responsible for their data, identities, and endpoints. The responsibilities in between shift depending on the type of cloud service being used.
The model applies across three cloud service types:
• Infrastructure as a Service (IaaS) — e.g., Azure Virtual Machines
• Platform as a Service (PaaS) — e.g., Azure SQL Database, Azure App Service
• Software as a Service (SaaS) — e.g., Microsoft 365, Dynamics 365
How Does the Shared Responsibility Model Work?
The model divides responsibilities into three categories:
1. Responsibilities that are ALWAYS the cloud provider's:
• Physical hosts, network, and datacenter security
• Physical infrastructure (cooling, power, physical access controls)
2. Responsibilities that are ALWAYS the customer's:
• Data and information stored in the cloud
• Devices (endpoints) that connect to the cloud
• Accounts and identities (user access management)
3. Responsibilities that SHIFT depending on the service model:
• Operating systems
• Network controls
• Applications
• Identity and directory infrastructure
Here is how these shifting responsibilities break down:
On-Premises: The customer is responsible for everything — from the physical datacenter to data, applications, operating systems, network, and identity.
IaaS: The cloud provider manages the physical infrastructure (datacenter, physical network, physical hosts). The customer is responsible for the operating system, network controls, applications, identity, and data. This gives the customer the most control but also the most responsibility.
PaaS: The cloud provider takes on additional responsibility for the operating system and some network controls. The customer remains responsible for their applications (shared with the provider), identity, and data. Responsibility is more evenly shared.
SaaS: The cloud provider manages almost everything — infrastructure, operating system, network controls, and the application itself. The customer is responsible for their data, devices, and accounts/identities. This gives the customer the least control but also the least infrastructure responsibility.
Key Principle to Remember:
As you move from IaaS → PaaS → SaaS, the cloud provider's responsibility increases and the customer's responsibility decreases — but the customer never loses responsibility for their data, endpoints, and identities.
Visual Summary:
Responsibility | On-Prem | IaaS | PaaS | SaaS
Physical datacenter | Customer | CSP | CSP | CSP
Physical network | Customer | CSP | CSP | CSP
Physical hosts | Customer | CSP | CSP | CSP
Operating system | Customer | Customer | CSP | CSP
Network controls | Customer | Customer | Shared | CSP
Applications | Customer | Customer | Shared | CSP
Identity & directory | Customer | Customer | Shared | Shared
Accounts & devices | Customer | Customer | Customer | Customer
Data | Customer | Customer | Customer | Customer
Real-World Example:
If your company uses Microsoft 365 (SaaS), Microsoft secures the physical datacenters, the servers, the operating system, and the application itself. However, you are responsible for configuring user access, setting up multi-factor authentication, managing who has access to what data, protecting your endpoints, and classifying and protecting sensitive data.
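As an added illustration (not part of the study guide), the following Python script encodes the visual-summary matrix above and uses it for two things: answering scenario-style questions of the form "who is responsible for layer X under service model Y?" and producing a gap report for a constructed inventory of workloads, listing every customer-owned or shared layer for which the organization has not yet recorded an owner or control. The workload names and their "covered" sets are invented sample data; the matrix values are exactly those in the table.

```python
"""Shared-responsibility gap check (added example, not from the study guide).

Encodes the guide's responsibility matrix and uses it to
(1) answer "who is responsible for <layer> under <service model>?" and
(2) list, for a constructed inventory, the customer-owned layers that
    still have no documented owner or control.
"""
from dataclasses import dataclass, field

MODELS = ("On-Prem", "IaaS", "PaaS", "SaaS")

# Responsibility matrix, row by row as given in the guide's visual summary.
MATRIX = {
    "Physical datacenter":  ("Customer", "CSP",      "CSP",      "CSP"),
    "Physical network":     ("Customer", "CSP",      "CSP",      "CSP"),
    "Physical hosts":       ("Customer", "CSP",      "CSP",      "CSP"),
    "Operating system":     ("Customer", "Customer", "CSP",      "CSP"),
    "Network controls":     ("Customer", "Customer", "Shared",   "CSP"),
    "Applications":         ("Customer", "Customer", "Shared",   "CSP"),
    "Identity & directory": ("Customer", "Customer", "Shared",   "Shared"),
    "Accounts & devices":   ("Customer", "Customer", "Customer", "Customer"),
    "Data":                 ("Customer", "Customer", "Customer", "Customer"),
}


def who_is_responsible(service_model, layer):
    """Answer an exam-style scenario: 'Customer', 'CSP' or 'Shared'."""
    return MATRIX[layer][MODELS.index(service_model)]


def customer_layers(service_model):
    """Layers the customer must secure under this model (owned or shared)."""
    return [layer for layer in MATRIX
            if who_is_responsible(service_model, layer) != "CSP"]


@dataclass
class Workload:
    name: str
    service_model: str
    # Layers for which the organization has documented an owner/control.
    covered: set = field(default_factory=set)


def gap_report(workloads):
    """Return {workload name: [customer-owned layers with no owner]}.

    A workload is omitted when every layer the customer owns (or shares)
    under its service model is already covered.
    """
    report = {}
    for w in workloads:
        missing = [layer for layer in customer_layers(w.service_model)
                   if layer not in w.covered]
        if missing:
            report[w.name] = missing
    return report


# Constructed sample inventory (invented names and coverage).
SAMPLE_INVENTORY = [
    Workload("web-vm", "IaaS",
             {"Data", "Accounts & devices", "Identity & directory"}),
    Workload("orders-sql", "PaaS",
             {"Data", "Accounts & devices", "Identity & directory",
              "Network controls", "Applications"}),
    Workload("m365", "SaaS",
             {"Data", "Accounts & devices"}),
]

if __name__ == "__main__":
    # The Tip 6 scenario: Azure SQL Database is PaaS, so OS patching is the CSP's.
    print("PaaS / Operating system:", who_is_responsible("PaaS", "Operating system"))
    print("IaaS / Operating system:", who_is_responsible("IaaS", "Operating system"))
    for name, missing in gap_report(SAMPLE_INVENTORY).items():
        print(f"{name}: no owner recorded for {', '.join(missing)}")
```

The gap report is the practical point of the model: "web-vm" (IaaS) shows that nobody has claimed OS patching, network controls or the application, and "m365" (SaaS) shows that identity and directory configuration is still unowned even though Microsoft runs the service, which is exactly the "shared" case the guide highlights.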
Exam Tips: Answering Questions on the Shared Responsibility Model
The SC-900 exam frequently tests your understanding of this model. Here are essential tips:
Tip 1: Know what the customer ALWAYS owns.
No matter the service model, the customer is always responsible for:
• Their data
• Their endpoints/devices
• Their accounts and identities
If a question asks who is responsible for data classification or user account security in any cloud model, the answer is always the customer.
Tip 2: Know what the CSP ALWAYS owns.
The cloud provider is always responsible for:
• Physical datacenter security
• Physical network
• Physical hosts
If a question asks who secures the physical servers in Azure, the answer is always Microsoft.
Tip 3: Understand the spectrum from IaaS to SaaS.
Many questions will present a scenario and ask you to identify who is responsible. Remember: more customer responsibility in IaaS, more provider responsibility in SaaS. If the scenario involves virtual machines (IaaS), the customer has broad responsibilities including OS patching. If it involves Microsoft 365 (SaaS), most infrastructure responsibilities shift to Microsoft.
Tip 4: Watch for the word "shared."
Some responsibilities are shared between the customer and the provider, particularly in PaaS scenarios. Identity and directory infrastructure is a commonly tested shared responsibility.
Tip 5: Don't confuse responsibility with control.
Just because a cloud provider manages the infrastructure doesn't mean the customer can ignore security. The customer must still configure services properly, manage access, and protect data.
Tip 6: Practice scenario-based questions.
The exam often frames questions as scenarios. For example: "Your organization uses Azure SQL Database. Who is responsible for patching the operating system?" Since Azure SQL Database is PaaS, the answer is Microsoft. If the question were about an Azure VM (IaaS), the answer would be the customer.
Tip 7: Remember the mnemonic "DAD" for customer responsibilities.
• Data
• Accounts (and identities)
• Devices (endpoints)
The customer is always the "DAD" of security — always responsible for these three things regardless of the cloud model.
Tip 8: Understand that on-premises means full customer responsibility.
If a question mentions on-premises or private datacenter, the customer is responsible for everything. There is no shared responsibility in an on-premises environment.
Summary:
The Shared Responsibility Model is a fundamental cloud security concept that defines the boundary of security obligations between a cloud provider and a customer. For the SC-900 exam, remember that the customer always owns data, identities, and devices; the provider always owns the physical infrastructure; and the responsibilities in between shift depending on whether the service is IaaS, PaaS, or SaaS. Mastering this concept is essential not only for passing the exam but for building a strong foundation in cloud security.