Shared Responsibility in the Divided Cloud

In the cloud computing space, it’s important to understand that using a cloud service provider (CSP) isn’t a “set it and forget it” relationship. The shared responsibility model clearly divides security, compliance, and operational tasks between CSPs and the organizations that use their services. However, nothing solidifies these concepts like seeing them in real-world examples. This article explores three brief case studies—each drawn from a different cloud service model (IaaS, PaaS, and SaaS)—to highlight how responsibilities shift across the spectrum. 

Case Study 1: Infrastructure as a Service (IaaS) 

A medium-sized retail company wanted to migrate from an on-premises data center to a cloud provider, initially planning to host its e-commerce platform on AWS using Amazon EC2 and Amazon S3 to store their assets. They needed maximum flexibility and control to integrate some existing on-premises databases and inventory-management tools with the cloud services. 

Who does what? 

Cloud Service Provider (AWS) 

• Provided AWS Well-Architected Framework describing how to best implement network security and access controls between their data center and cloud solution.  

• Managed physical infrastructure and underlying virtualization (servers, networking, data center operations). 

• Provided infrastructure monitoring tools (CloudWatch) and network security features such as AWS Security Groups. 

The Retail Customer 

• At the Virtual Private Cloud (VPC) level, configured secure access controls and firewalls. 

• Made sure they timely updates to their EC2 operating systems and applications.  

• Implemented data encryption for customer credit card data (both in transit using SSL/TLS and at rest via server-side encryption in their on-prem data center). 

• Established backup strategies, multi-region replication, and a disaster recovery plan. 

Takeaways 

1. Monitoring with Amazon CloudWatch revealed latency issues with communication between their services and their database. A better approach would be to host the services and database in the same region and with the same cloud provider.  

2. Early on, they accidentally left an S3 bucket open to the public. Once discovered, they quickly remediated it by tightening IAM roles and policies and using Amazon CloudFront to distribute their assets. 

3. Setting up alerts through Amazon CloudWatch helped catch unusual spikes in resource usage, enabling the team to respond to potential security threats. 

Case Study 2: Platform as a Service (PaaS) 

A SaaS startup chose to build its latest application on Azure App Service. The company appreciated the speed of development and flexibility of deployment. The platform freed them from having to worry about managing the underlying servers and operating systems on which their services ran. 

Who does what? 

Cloud Service Provider (Microsoft Azure) 

• Provided and automatically updated the underlying OS, runtime environment, and core platform services. 

• Managed high availability (up-time, resource availability, system availability) at the platform level and handled networking between Azure components. 

The Startup Customer 

• Wrote secure application code and handled user authentication logic. 

• Considered long-term needs and decided to containerize their service as part of their standard software development lifecycle (CI/CD).  

• Ensured sensitive data stored in Azure SQL Database was encrypted at rest and followed necessary compliance practices based on their industry. 

• Monitored for unexpected traffic on their application endpoints using Azure Monitor.  

Takeaways 

1. Migrating away from Azure App Service could require substantial effort to re-architect the application, underscoring the importance of early planning for portability. 

2. Because they didn’t have to manage servers directly, the developers could focus on feature development. 

3. Using a PaaS allowed them to iterate more rapidly, enabling them to go live sooner.  

‍

Case Study 3: Software as a Service (SaaS) 

A consulting firm adopted Salesforce for CRM. They wanted to minimize infrastructure responsibilities and leverage built-in compliance features, especially for client data. 

Who does what? 

Cloud Service Providers (Salesforce, Microsoft) 

• Managed the software platforms, including updates, patches, and security at the infrastructure and application layers. 

• Ensured global availability and compliance certifications (e.g., SOC 2, GDPR). 

The Consulting Firm 

• Configured user roles and permissions, enforcing least-privilege policies. 

• Set up data classification guidelines, ensuring sensitive client data was stored properly. 

• Maintained endpoint security on employee devices accessing Salesforce. 

Takeaways 

1. Mismanaging user permissions could expose confidential data, so the firm invested in robust IAM policies. 

2. Even when using SaaS, you must still handle data governance, set retention policies, and comply with data privacy regulations. Choose a SaaS product that meets your industry and regulatory needs.  

‍

Whether you’re adopting IaaS, PaaS, or SaaS, the underlying theme is clear: The cloud provider handles the physical and foundational aspects, while you retain responsibility for securely configuring, maintaining, and governing what you build on top of it. Understanding your data, industry segment, and general company needs will help you to choose the cloud service model that best fits your organization. As they say, “Measure twice, cut once.” By understanding and defining each party’s role at the outset, you can minimize missteps that could be costly and time-consuming to fix later on. 

‍