The Shared Responsibility Model
Security in the cloud is not the sole responsibility of the cloud provider, nor is it the sole responsibility of the customer. It is a shared responsibility — and understanding who is responsible for what is one of the most important concepts in cloud computing.
What is the Shared Responsibility Model?
The shared responsibility model defines the division of security responsibilities between the cloud provider (Microsoft, in the case of Azure) and the customer. The model ensures that both parties understand their obligations so that nothing falls through the cracks.
At a high level:
- Microsoft is responsible for securing the cloud infrastructure itself — the physical data centres, the network, the hypervisor, and the foundational platform services
- The customer is responsible for securing what they put in the cloud — their data, identities, applications, and configurations
The exact division of responsibilities depends on the service model you use: IaaS, PaaS, or SaaS.
Responsibility by Service Model
The following table shows how responsibilities shift between the customer and Microsoft across the three service models:
| Responsibility | On-Premises | IaaS | PaaS | SaaS |
|---|
| Physical data centre | Customer | Microsoft | Microsoft | Microsoft |
| Physical network | Customer | Microsoft | Microsoft | Microsoft |
| Physical hosts | Customer | Microsoft | Microsoft | Microsoft |
| Operating system | Customer | Customer | Microsoft | Microsoft |
| Network controls | Customer | Customer | Shared | Microsoft |
| Applications | Customer | Customer | Customer | Microsoft |
| Identity and access | Customer | Customer | Customer | Shared |
| Data | Customer | Customer | Customer | Customer |
| Devices and endpoints | Customer | Customer | Customer | Customer |
| Account and access management | Customer | Customer | Customer | Customer |
Key observations:
- The customer always retains responsibility for their data, identities, endpoints, and account management, regardless of the service model
- Microsoft always handles the physical infrastructure
- As you move from IaaS to SaaS, more responsibilities shift to Microsoft, reducing the customer's operational burden
Microsoft's Responsibilities
Microsoft is responsible for the security and availability of the underlying Azure platform. This includes:
Physical Security
- Data centres are protected by multiple layers of physical security: perimeter fencing, biometric access, security personnel, CCTV, and mantraps
- Locations are undisclosed and protected against natural disasters, power failures, and physical intrusion
- Hardware is decommissioned and destroyed according to strict data sanitisation standards
Network Infrastructure
- The global backbone network that connects Azure regions is private and encrypted
- DDoS protection is applied to all Azure services at the platform level (Azure DDoS Protection Basic)
- Network segmentation ensures isolation between tenants
Host and Hypervisor
- The hypervisor (the software layer that creates and manages VMs) is hardened and continuously patched
- Tenant isolation ensures that one customer's workloads cannot access another's
- Firmware and hardware updates are managed by Microsoft
Platform Services
For PaaS and SaaS services, Microsoft additionally manages:
- Operating system patching (e.g., Azure App Service, Azure SQL Database)
- Runtime updates and security patches
- High availability within the service's SLA commitments
Customer Responsibilities
Regardless of the service model, the customer is always responsible for:
Data
- Classification — understanding what data you have and how sensitive it is
- Encryption — encrypting data at rest and in transit (Azure provides tools, but you must enable and configure them appropriately)
- Backup — configuring backup policies and testing disaster recovery procedures
- Retention and disposal — complying with data retention regulations
Identity and Access