Shared responsibility is a model that describes how the confidentiality, integrity, and availability of data are managed in a cloud computing environment. The shared responsibility model addresses which parties in a shared service environment are responsible for different areas of data management, information systems security, data security, compliance programs, and governance programs. Responsibilities are typically assigned based on which party in a transaction has both the ability and an individualized need to control the data at the applicable cloud layer.
At a high level, the layers of a cloud computing service can be separated into the data layer, the cloud application layer, the operating system layer, and the physical layer, which are explained in the next section. These layers are most easily understood in the context of software as a service (SaaS), where the user’s experience of the software is disassociated from all but the data layer. One or more cloud service providers manage the underlying hardware and software that provide the computational resources and data storage that were historically managed by the user on his or her personal computer. A SaaS customer trusts the cloud service provider or providers to manage the privacy, security, and compliance controls related to the layers of technology supporting the web browser, and the customer inherits those controls in their own operations. However, the inheritance may not be complete. The customer may still be responsible for secure operations in the cloud, while the cloud service provider is responsible for the secure operations of the cloud.