Shared Responsibility Model: IaaS, PaaS, SaaS
Map out exactly which security controls the cloud provider handles versus the customer across the three main service models.
Cloud Service Models Overview
Cloud services are delivered in three primary models, each offering a different level of abstraction. Infrastructure as a Service (IaaS) provides raw compute, storage, and networking. Platform as a Service (PaaS) adds OS, middleware, and runtime environments. Software as a Service (SaaS) delivers fully functional applications over the internet. Understanding these models is essential because the security responsibilities differ dramatically across them.
# Cloud service model examples
# IaaS: AWS EC2, Azure VMs, Google Compute Engine
# You manage: OS, runtime, applications, data
# Provider manages: hypervisor, physical hardware, datacenter
# PaaS: AWS Elastic Beanstalk, Azure App Service, Heroku
# You manage: applications, data, configurations
# Provider manages: OS patches, runtime, scaling
# SaaS: Microsoft 365, Salesforce, Google Workspace
# You manage: user access, data content, configuration
# Provider manages: everything elseThe Shared Responsibility Model
The shared responsibility model defines which security tasks are the cloud provider's obligation and which belong to the customer. The model is often summarized as: the provider is responsible for security of the cloud (physical datacenters, hypervisors, network infrastructure), while the customer is responsible for security in the cloud (data, access management, application security, and configuration). Misunderstanding this boundary is a leading cause of cloud security incidents.
All lessons in this course
- Shared Responsibility Model: IaaS, PaaS, SaaS
- Cloud Storage Security and Data Exposure Risks
- Cloud Identity: IAM Roles and Service Accounts
- Cloud Security Posture Management (CSPM)