Skip to content

Explain the cloud shared responsibility model.

Short answer

The provider secures the cloud itself — physical data centers, hardware, the hypervisor, and the managed services they run. You secure what you put in the cloud — your data, identities, configurations, OS patching where applicable, and access controls. The exact line shifts: with IaaS you own the OS up, with SaaS you mostly own data and access.

The shared responsibility model exists because moving to the cloud does not move all security to the provider — it splits the work. The provider is accountable for security of the cloud; you are accountable for security in the cloud. Misunderstanding this line is the single most common root cause of cloud breaches, because teams assume "the provider handles it" and leave their own half unguarded.

Where the line sits

  • Provider always owns: physical facilities, power, networking hardware, the hypervisor, and the integrity of the managed services they expose.
  • Customer always owns: their data, who can access it (identities and permissions), and how services are configured.
  • The middle moves by service model. With IaaS (a raw VM) you own the guest OS, patching, runtime, and app. With PaaS (a managed database or function platform) the provider patches the OS and engine, but you still own schema, data, and access. With SaaS you mostly own just your data, user accounts, and sharing settings.

Why it matters

Nearly every headline cloud breach — exposed storage buckets, leaked keys, over-permissive roles — falls squarely on the customer side. The provider's infrastructure was never breached; a configuration the customer owned was wrong. The model also clarifies compliance: certifications like SOC 2 cover the provider's layer, but you must still prove controls on your layer.

What interviewers look for

A candidate who states the "of vs in" distinction, knows the line shifts by service model, and recognizes that most breaches are customer-side misconfigurations — not provider failures.

Likely follow-ups

  • How does the responsibility line move between IaaS, PaaS, and SaaS?
  • Who is responsible for patching a managed database versus an EC2 instance?
  • Where do most real-world cloud breaches actually fall on this line?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.