# Avoiding the Pitfalls of the Shared Responsibility Model for Cloud Security

By [Chris Tozzi](https://www.paloaltonetworks.com/blog/author/chris-tozzi/?ts=markdown "Posts by Chris Tozzi"), Sep 24, 2020

[Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown) | [Shared Responsibility Model](https://www.paloaltonetworks.com/blog/tag/shared-responsibility-model/?ts=markdown)

The shared responsibility model for cloud security is one of those things that seems simple enough on the surface but is actually very complex when you try to put it into practice. That's probably why as many as [73% of organizations report being unsure](https://www.paloaltonetworks.com/blog/2020/06/cloud-native-security-genome/) about where their cloud service providers' (CSPs') responsibility for securing cloud workloads stops and where theirs begins.

Overcoming this confusion by understanding the details of the shared responsibility concept and how to put it into practice is critical for securing modern, cloud native workloads. This article offers an overview of what shared responsibility means and how to navigate its complexities.

## **What Is Shared Responsibility in Cloud Security?**

At a high level, the shared responsibility model is easy enough to define: it's a concept that specifies that CSPs share responsibility with their customers when it comes to securing workloads hosted on their clouds. The various CSPs have their own definitions -- like those from [Amazon Web Services](https://aws.amazon.com/compliance/shared-responsibility-model/) (AWS) and [Azure](https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility) -- but they all boil down to the same core idea.

The shared responsibility concept makes sense given that CSPs don't have full control over everything users do on their clouds. They can't force customers to configure [IAM policies](https://www.paloaltonetworks.com/blog/2020/02/cloud-iam-security/) in a secure way or make sure that they patch their applications against the latest vulnerabilities, for example. Likewise, organizations that use public clouds have limited control over their cloud infrastructure. They can't monitor for vulnerabilities in a CSP's servers or detect intrusions inside its network.

Thus, it's only reasonable that CSPs and their customers must share responsibility for security, with each party taking the lead in securing the resources it controls.
![A visualization of the shared responsibility model in cloud security, with the organization's roles on the top and the cloud service provider's roles on the bottom.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/Shared-Responsibility-Model.png)

Visualizing the shared responsibility model in cloud security.

## **Why Shared Responsibility Can Be Confusing**

The shared responsibility concept probably sounds straightforward enough. For several reasons, however, it can be very difficult for organizations to understand how to apply it and to ensure that they don't mistakenly assume their CSP (or CSPs, if they use multiple clouds) is securing resources when it's actually not.

## **Shared Responsibility Differences between IaaS, SaaS and PaaS**

Probably the greatest source of confusion surrounding shared responsibility is the fact that the way organizations consume cloud resources varies widely. There are three main cloud service models -- infrastructure-as-a-service (IaaS), software-as-a-service (SaaS) and platform-as-a-service (PaaS) -- and each has different implications for shared responsibility.

### **IaaS**

The shared responsibility concept can be applied most cleanly when you're dealing with IaaS, which is the bread-and-butter service model for major public clouds like AWS and Azure. IaaS means that the CSP provides access to cloud-based hardware resources, such as virtual machines and storage, which organizations access over the internet. Under this architecture, it's pretty clear that the CSP is responsible for the security of the infrastructure it provides, while the customer has to take charge of securing any applications and data that it chooses to run on that infrastructure.

### **SaaS**

Things get a bit murkier when you are dealing with SaaS. If a CSP offers a SaaS application, meaning it provides the host infrastructure as well as the software, the line separating customer responsibility from CSP responsibility can be harder to define.
Because the CSP rather than the customer controls the software in this case, responsibility for ensuring that the SaaS application is free of vulnerabilities shifts to the CSP. Likewise, the CSP is typically responsible for securely storing any customer data that the SaaS application ingests. At the same time, however, organizations that use the SaaS software are responsible for securing any data they download from it, as well as securing access to it.

To put this into context, consider an organization that uses Microsoft 365, Microsoft's cloud-based productivity suite. Microsoft is responsible for ensuring that the software it delivers through the Microsoft 365 platform is secure. It also takes responsibility for ensuring that Word documents or emails (among other files) that you create in the platform and store in its cloud can't be accessed by people to whom you haven't given access. But it's up to the organization to ensure that access to Microsoft 365 resources is properly locked down, and that any files downloaded to local infrastructure are secure. The organization can't blame Microsoft if one employee reads another employee's email because access controls were not properly configured, for example.

### **PaaS**

Matters may be even more complicated if you use a PaaS, which lets you develop and run applications in the cloud, because a PaaS blends SaaS and IaaS together. The CSP would be responsible for securing any underlying infrastructure that hosts the PaaS offering, but responsibility for securing software testing and deployment environments lies with users. Software applications that the CSP provides as part of the PaaS must be secured by the CSP, but software developed with them (including software offered to end users under a SaaS model via a PaaS service) has to be secured by users.

In short, then, the meaning of shared responsibility depends in part on which type of cloud service model you are using.
Given that most major CSPs offer IaaS, SaaS and PaaS solutions, you need to be cognizant of which type of offering you are using in order to understand how shared responsibility breaks down between you and the CSP. It's not as simple as saying "on AWS shared responsibility means this, while on Google Cloud it means that," for example.

### **Multi-Cloud, Hybrid Cloud, and Shared Responsibility**

The fact that many organizations now use multiple clouds at once can also complicate shared responsibility, especially if some of their workloads run in a public cloud and others run in a private cloud. If, for example, you have a private cloud running on-premises to host some of your applications, and you host other workloads in a public cloud, the conventional shared responsibility model only applies to the public cloud portions of your workload. Responsibility for securing your private cloud lies solely with you, because you manage both the infrastructure and the workloads running on it.

![Dashboard in Prisma Cloud showing several security data points for a multi-cloud environment.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/multi-cloud-dashboard.png)

Multi-cloud security dashboard in Prisma Cloud.

If you use multiple public clouds, your various CSPs should all follow the same shared responsibility guidelines. Keep in mind, however, that the extent to which a CSP secures your data and workloads depends on which category of cloud service you are using, as noted above. Thus, if you are using AWS just for IaaS but you rely on Azure for SaaS, those two CSPs will provide different levels of security services.

### **Managed Cloud Services and Shared Responsibility**

Matters can be complicated further if you use a "managed" cloud service.
While different companies have different ways of defining what counts as a managed cloud service, it generally entails a solution where an external provider takes responsibility for deploying, configuring and (usually) updating your software. The provider (which could be a CSP or a company that merely provides management services for cloud-based workloads) may or may not also provide hosting infrastructure for your workloads. It may or may not even offer security-as-a-service as part of its management offering.

Given all of the variables at play when using a managed service, there's no one-size-fits-all rule for applying the shared responsibility model in the context of managed cloud services. You'll need to look at the details of what your service provider does and doesn't manage. And above all, don't assume that just because you are using a managed service, the provider takes full responsibility for security.

For example, if you use Amazon Elastic Kubernetes Service (EKS), a managed Kubernetes service, AWS is responsible for securing the Kubernetes instance that it provides, but it's up to you to make sure applications you deploy on Kubernetes are secure. Likewise, if you use Platform9 to manage an OpenStack cloud, Platform9 will provide security updates and other services, but it won't secure the underlying hosting infrastructure, because Platform9 doesn't provide infrastructure.

## **Applying the Shared Responsibility Model**

Putting the shared responsibility concept into practice for your cloud workloads requires assessing the details of the way those workloads are configured. As a rule of thumb, you should assume that you are responsible for securing anything that you have the power to secure within the context of whichever cloud service model you use. That approach mitigates the risk that some security considerations fall through the cracks because neither your CSP nor you deal with them adequately.
However, if the line between your security responsibilities and your CSP's still seems blurry, you're not alone. One of the most common cloud security myths is that a CSP will handle all of the security a company needs. To learn some of the others, and for a further rundown of shared responsibility, check out the recent webcast [3 Myths Of Cloud Native Security](https://register.paloaltonetworks.com/3mythsofcloudnativesecurity), hosted by Matt Chiodi, CSO for Public Cloud at Palo Alto Networks.