Shared Responsibility Model: Breakdown & Best Practices


11 Aug 2023

Shared Responsibility Tips for Managing Cloud SaaS

This is a guest post from Michael Marrano, MS, CISSP, CISM, CISA, at Riskigy

There is a widespread misunderstanding regarding cloud services, particularly in relation to Software as a Service (SaaS). Many organizations mistakenly believe that once they migrate to the cloud, the responsibility for all aspects of security and data protection rests solely with the SaaS provider. This misconception creates a false sense of security, which can be detrimental.

The truth is that the responsibility for maintaining a secure cloud environment is a shared endeavor between the organization and the cloud service provider (CSP). While the CSP does play a significant role in securing the underlying infrastructure and application, organizations must also actively participate in implementing critical security measures.

Failing to recognize this shared responsibility can result in critical security oversights, leaving the organization vulnerable to various risks and potential vulnerabilities. It is imperative for organizations to acknowledge and actively address their role in ensuring the security of their data and applications within the cloud environment.

The cloud SaaS shared responsibility model provides a framework to delineate security responsibilities between the cloud service provider and its customers. Within the SaaS model, administrators have reduced control over the software stack, granting the SaaS vendor the responsibility of securing the application and supporting infrastructure. Conversely, customers bear the obligation of managing their data and overseeing security permissions.

An incomplete understanding within the organization of how security responsibilities are allocated between the CSP and the customer can lead to security gaps. These gaps emerge when the organization mistakenly assumes that the CSP is responsible for certain security aspects that actually fall under the customer’s purview.

What’s the risk?

The concept of cloud supply chain risk encompasses the potential hazards and vulnerabilities that can jeopardize different elements within a CSP’s supply chain. These risks have the potential to impact the security, availability, and performance of the cloud services provided by the CSP.

Cloud service risks include:

  • Data breaches: Unauthorized access to customer data stored in the cloud can result in data breaches, causing financial losses, damage to reputation, and potential legal liabilities for both the CSP and customers.
  • Geopolitical risks: Political instability, trade restrictions, or economic sanctions can impact the availability or cost of resources required by the CSP, thereby influencing the quality or pricing of the cloud services.
  • Natural disasters and extreme weather events: Natural disasters have the potential to disrupt data centers, network infrastructure, or other crucial components of the CSP’s supply chain, leading to service outages or diminished performance.
  • Regulatory and compliance risks: Changes in regulations, such as data privacy laws or industry-specific requirements, can affect the CSP’s capability to offer compliant cloud services, potentially impacting customers’ operations.
  • Cybersecurity risks: Cyberattacks targeting the CSP or its supply chain can result in service disruptions, data breaches, or other security incidents that affect customers.
  • Software vulnerabilities: Exploitation of vulnerabilities in the software used by the CSP can lead to security breaches or service disruptions.

To effectively address cloud supply chain risks, organizations should take the following measures:

  • Conduct thorough vendor assessments: Prior to engaging in a contract, carefully evaluate the security and dependability of the CSP and its supply chain partners.
  • Implement robust access controls: Manage user access to cloud resources by implementing role-based access controls, and regularly review and update permissions.
  • Monitor and audit: Regularly monitor and audit your cloud environment to promptly identify and address any security issues or policy violations.
  • Diversify cloud providers: Consider utilizing multiple cloud providers to reduce reliance on a single vendor, thereby minimizing the potential impact of supply chain disruptions.
  • Develop a comprehensive security strategy: Establish a comprehensive security strategy that encompasses both your organization’s responsibilities and those of the CSP. This strategy should include incident response plans, data protection measures, and compliance requirements.
  • Maintain compliance: Understand the compliance requirements specific to your industry and ensure that both your organization and the CSP adhere to these standards.

How to manage cloud Shared Responsibility

Effectively managing the Shared Responsibility Model (SRM) necessitates a clear comprehension of the roles and obligations of each party involved, including the cloud service provider (CSP), users, and the organization.

Here are some recommendations to facilitate SRM management:

  • Comprehend the division of responsibilities: Gain familiarity with the distinct responsibilities of each party based on the specific cloud service model utilized (IaaS, PaaS, or SaaS). This understanding will enable the identification and resolution of potential security gaps.
  • Select a reputable CSP: Choose a cloud service provider with a strong reputation for security and compliance. Ensure that the CSP’s security policies and procedures align with the organization’s requirements.
  • Establish transparent communication channels: Foster open lines of communication among the organization, CSP, and users to ensure awareness of respective responsibilities and any changes in the cloud environment.
  • Implement robust access controls: Effectively manage user access to cloud resources by implementing role-based access controls and regularly reviewing and updating permissions.
  • Educate users: Train users on security best practices, such as employing strong passwords, enabling multi-factor authentication, and recognizing and avoiding phishing attacks. Encourage users to promptly report any security concerns or incidents.
  • Monitor and audit: Conduct regular monitoring and auditing of the cloud environment to identify and address security issues or policy violations. Collaborate with the CSP to ensure access to appropriate tools and support for monitoring and auditing purposes.
  • Develop a comprehensive security strategy: Formulate a comprehensive security strategy that encompasses the responsibilities of both the organization and the CSP. This strategy should include incident response plans, data protection measures, and compliance requirements.
  • Maintain compliance: Understand the compliance obligations specific to the industry and ensure adherence to these standards by both the organization and the CSP. Regularly assess and update the organization’s compliance posture as necessary.
  • Review and update: Periodically review and update SRM policies and procedures to ensure their relevance and effectiveness in the face of evolving threats and changing business needs.
  • Leverage CSP expertise: Take advantage of the expertise and resources offered by the CSP, such as documentation, best practices, and support services, to effectively manage the assigned responsibilities.
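As an added example (not code from the original post or from Riskigy), the following script shows one way to operationalize the customer-side duties listed in both sets of recommendations above, namely periodic permission review and MFA on privileged accounts, over a constructed SaaS role-assignment export. The export format, the role names, the review date and the 90-day staleness threshold are all assumptions, not any vendor's real API or data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export of SaaS user/role assignments (hypothetical format,
# not any real vendor's export).
SAMPLE_EXPORT = json.dumps([
    {"user": "alice@example.test", "roles": ["admin"], "mfa_enabled": True,
     "last_login": "2023-08-01T09:00:00Z"},
    {"user": "bob@example.test", "roles": ["billing_admin", "admin"],
     "mfa_enabled": False, "last_login": "2023-07-30T12:00:00Z"},
    {"user": "carol@example.test", "roles": ["viewer"], "mfa_enabled": False,
     "last_login": "2023-08-05T08:00:00Z"},
    {"user": "dave@example.test", "roles": ["admin"], "mfa_enabled": True,
     "last_login": "2023-03-01T00:00:00Z"},
    {"user": "svc-reports@example.test", "roles": ["viewer"],
     "mfa_enabled": False, "last_login": None},
])

PRIVILEGED_ROLES = {"admin", "billing_admin"}   # assumed role names
STALE_AFTER = timedelta(days=90)                # assumed review threshold
REVIEW_DATE = datetime(2023, 8, 11, tzinfo=timezone.utc)  # constructed "now"


def review_permissions(export_json, now, privileged=PRIVILEGED_ROLES,
                       stale_after=STALE_AFTER):
    """Return (user, finding) tuples for the customer-side access review."""
    findings = []
    for entry in json.loads(export_json):
        user = entry["user"]
        held = set(entry.get("roles", [])) & privileged
        last = entry.get("last_login")
        last_dt = datetime.fromisoformat(last.replace("Z", "+00:00")) if last else None
        # Privileged access should always be protected by MFA.
        if held and not entry.get("mfa_enabled", False):
            findings.append((user, "privileged role without MFA"))
        # Accumulated privileged roles are a least-privilege review item.
        if len(held) > 1:
            findings.append((user, "multiple privileged roles: " + ", ".join(sorted(held))))
        # Dormant accounts (never used or idle past the threshold) should be removed.
        if last_dt is None:
            findings.append((user, "never logged in"))
        elif now - last_dt > stale_after:
            level = "privileged" if held else "standard"
            findings.append((user, f"{level} account stale for {(now - last_dt).days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_permissions(SAMPLE_EXPORT, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Running it against a real export would require only adapting the field names to the vendor's format; the review logic stays the same.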


The Shared Responsibility Model serves as a flexible framework that enables organizations to establish proper data security measures. It delineates the shared responsibilities among the cloud service provider, users, and the organization. Instead of solely relying on the CSP for security, the SRM outlines the specific actions that organizations are accountable for and those that should be managed by other parties.

By adhering to these guidelines, organizations can effectively manage the Shared Responsibility Model and create a secure and compliant cloud environment. Proactive management of cloud supply chain risks allows organizations to minimize potential disruptions and uphold the security and performance of their cloud services.

By adopting a proactive approach to cloud security and comprehending the shared responsibilities, organizations can avoid falling into a false sense of security and maintain a robust and compliant cloud environment.

Guest Blog Spotlight

Thank you to Michael Marrano, MS, CISSP, CISM, CISA, for his valuable contribution to our guest blog. His expertise and insights have greatly enriched our Trust Community, providing our readers with valuable knowledge in cybersecurity.

Michael is an information security expert, practitioner, writer, speaker, and the founder of Riskigy. With an extensive list of degrees, certifications and over 25 years in technology and cybersecurity, Michael specializes in technology and cybersecurity strategy development, and fractional CISO and CIO leadership engagements to help organizations, investors and service providers enhance cybersecurity compliance.

Learn more about Riskigy and connect with Michael on LinkedIn.
