A shared responsibility model is a cloud security framework that dictates the security obligations of a cloud computing provider and its users to ensure accountability.
When an enterprise runs and manages its own IT infrastructure on premises, within its own data center, it is responsible for the security of that infrastructure, as well as the applications and data that run on it. When an organization moves to a public cloud computing model, it hands off some, but not all, of these IT security responsibilities to its cloud provider. Each party -- the cloud provider and cloud user -- is accountable for different aspects of security and must work together to ensure full coverage.
The type of cloud service model -- infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) -- dictates who is responsible for which security tasks. According to the Cloud Standards Customer Council (CSCC), an advocacy group for cloud users, users' responsibilities generally increase as they move from SaaS to PaaS to IaaS.
For example, in IaaS, the cloud provider supplies and is responsible for securing basic cloud infrastructure components, such as virtual machines, disks and networks, according to the CSCC. The provider is also responsible for the physical security of the data centers that house its infrastructure. IaaS users, on the other hand, are generally responsible for the security of the operating system and software stack required to run their applications, as well as their data.
Conversely, in a SaaS model, the provider is primarily responsible for the infrastructure and software stack, as the user has less control over these components, according to the CSCC.
Amazon Web Services (AWS), a major IaaS provider, describes its shared responsibility model this way: users are responsible for security in the cloud -- including their data -- while AWS is responsible for the security of the cloud, meaning the compute, storage and networks that support the AWS public cloud.
Because user responsibilities differ depending on cloud service model and provider, there is no standard shared responsibility model. To understand their cloud security responsibilities, users should reference the service-level agreements they have with their providers.