Chapter 06 — The Shared Responsibility Model

What is the Shared Responsibility Model?

When you move to the cloud, security and management responsibilities are split between you (the customer) and the cloud provider (Microsoft Azure). This division is called the Shared Responsibility Model.

It answers the critical question: "Who is responsible for what?"

In traditional on-premises IT, YOU are responsible for everything. In the cloud, some responsibilities shift to the provider — but not all of them.


Why This Matters

Understanding shared responsibility:

  • Prevents security gaps (assuming the provider covers something they don't)

  • Helps with compliance (knowing what you need to prove vs. what Azure proves)

  • Is directly tested on the AZ-900 exam


The Full Responsibility Stack

Here is every layer of a typical IT environment, and who owns it:

Layer                   On-Premises  │  IaaS     │  PaaS     │  SaaS
────────────────────────────────────┼───────────┼───────────┼──────────
Physical data center        You     │  Azure    │  Azure    │  Azure
Physical network            You     │  Azure    │  Azure    │  Azure
Physical hosts              You     │  Azure    │  Azure    │  Azure
Operating System            You     │  You      │  Azure    │  Azure
Network controls            You     │  You      │  Azure    │  Azure
Applications                You     │  You      │  You      │  Azure
Identity & Access           You     │  You      │  You      │  You
Data                        You     │  You      │  You      │  You

Key insight: Some responsibilities (like your own data and identity) are always yours — regardless of which cloud model you use.


What Azure Always Owns

Microsoft Azure is always responsible for:

Azure's Responsibility      │  Details
────────────────────────────┼───────────────────────────────────────────────────
Physical security           │  Locked data centers, security guards, surveillance
Physical hardware           │  Servers, storage, networking equipment
Physical networking         │  Cables, routers, switches in their data centers
Power and cooling           │  Reliable electricity and temperature control
Virtualization layer        │  The hypervisor software that creates VMs

You never visit an Azure data center. Microsoft keeps all physical infrastructure secure and running.


What You Always Own

Regardless of the service model, you are always responsible for:

Your Responsibility         │  Details
────────────────────────────┼───────────────────────────────────────────────────
Your data                   │  What you store in the cloud — you own and control it
Identity and access         │  Who gets access to your resources (user accounts, permissions)
Devices                     │  Laptops, phones, and endpoints your users use
Accounts                    │  Managing your own user accounts and credentials


Responsibility by Service Model

IaaS — Most Responsibility on Customer

You get full control but also carry more responsibility:

Azure's Responsibility:
  ✓ Physical hardware
  ✓ Physical network
  ✓ Virtualization

Your Responsibility:
  ✓ Operating system (patching, updates)
  ✓ Network configuration (firewalls, NSGs)
  ✓ Application
  ✓ Runtime
  ✓ Data
  ✓ Identity & access management

Example: If you run a VM and forget to patch the OS, that's your security risk — not Azure's.
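Network controls are one of the layers that stay with you under IaaS, so reviewing Network Security Group rules is part of the customer's job. The following script is an added example, not code from the chapter or from Microsoft: it takes a list of NSG rule dictionaries whose field names are assumed to mirror `az network nsg rule list` output (`priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`, `destinationPortRange`), evaluates them in priority order the way an NSG does, and reports which management ports (SSH, RDP) an internet source could reach. The rule sets are constructed for the example; `DenyAllInBound` stands in for the default catch-all rule every NSG carries.

```python
"""Check Azure NSG rules for management ports reachable from the internet.

Added example for the IaaS section: network configuration is the customer's
responsibility, so the customer has to verify it. Rule dictionaries follow the
field names of `az network nsg rule list` output (an assumption about the CLI's
JSON shape); all sample rules below are constructed for this example.
"""
from typing import Dict, List, Optional

MANAGEMENT_PORTS = {22, 3389}            # SSH and RDP
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # prefixes that include the public internet

# Constructed sample, mirroring what a VM's NSG might contain.
SAMPLE_RULES: List[dict] = [
    {"name": "AllowHttpsIn", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "AllowRdpFromOffice", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "AllowAnySsh", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": None, "destinationPortRanges": ["22", "8022"]},
    # Every NSG ends with a default deny-all; a custom rule with a lower number wins over it.
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Hardened variant: an explicit Deny for SSH from the internet at priority 150 outranks
# the permissive AllowAnySsh rule at 200.
HARDENED_RULES: List[dict] = SAMPLE_RULES + [
    {"name": "DenySshFromInternet", "priority": 150, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
]


def _port_matches(spec: str, port: int) -> bool:
    """True if a port spec ('*', '22', or '20-25') covers `port`."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _ports_of(rule: dict) -> List[str]:
    """Collect port specs from both the single and the list-valued field."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges


def _sources_of(rule: dict) -> List[str]:
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return sources


def first_matching_rule(rules: List[dict], port: int) -> Optional[dict]:
    """Return the first inbound rule (lowest priority number) that applies to TCP
    traffic from the internet to `port`, mimicking NSG evaluation order."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if not any(src in ANY_SOURCE for src in _sources_of(rule)):
            continue  # rule only applies to a narrower source, not the internet
        if rule.get("protocol", "*") not in ("*", "Tcp"):
            continue
        if any(_port_matches(spec, port) for spec in _ports_of(rule)):
            return rule
    return None


def exposed_management_ports(rules: List[dict]) -> Dict[int, str]:
    """Map each management port reachable from the internet to the rule allowing it."""
    exposed: Dict[int, str] = {}
    for port in sorted(MANAGEMENT_PORTS):
        rule = first_matching_rule(rules, port)
        if rule is not None and rule.get("access") == "Allow":
            exposed[port] = rule["name"]
    return exposed


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: exposed management ports = {exposed_management_ports(rules)}")
```

The point the evaluator makes is that a single permissive rule is not the whole story: an Allow for port 3389 restricted to an office range does not expose RDP, while an Allow from `Internet` is only neutralised by a Deny with a lower priority number.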


PaaS — Responsibility Shifts to Azure

Azure manages more:

Azure's Responsibility:
  ✓ Physical hardware
  ✓ Virtualization
  ✓ Operating system (automatic updates)
  ✓ Runtime and middleware

Your Responsibility:
  ✓ Application code
  ✓ Data
  ✓ Identity & access management

Example: Azure App Service automatically patches its OS. You just deploy your code.


SaaS — Minimum Customer Responsibility

Azure manages almost everything:

Azure's Responsibility:
  ✓ Everything — hardware, OS, runtime, application

Your Responsibility:
  ✓ Your data (what you enter and store)
  ✓ User accounts and access
  ✓ Devices your users use

Example: In Microsoft 365, Microsoft manages all servers. You manage who in your company can access which documents.


Visual Summary

                         You                Azure
                       ─────────────      ──────────────
Your Data                ✓
Identity & Access        ✓
Devices                  ✓
Applications             ✓ (IaaS/PaaS)    ✓ (SaaS)
OS                       ✓ (IaaS)         ✓ (PaaS/SaaS)
Virtualization                            ✓
Physical hardware                         ✓
Physical network                          ✓
Physical security                         ✓

Common Misconceptions

Misconception                                │  Reality
─────────────────────────────────────────────┼───────────────────────────────────────────────────────────────
"Azure secures my data"                      │  Azure secures the platform. Your data's security (encryption, access) is your job.
"Azure manages my user accounts"             │  No — you create and manage your own accounts using Entra ID.
"PaaS means no security work"                │  You still manage identity, access control, and your application's security.
"If I use SaaS, I have zero responsibility"  │  You're still responsible for your data and who has access to it.


Practical Example — A Company Using Azure

A company runs its HR system on Azure:

Azure (Provider):
  ✓ Data center physical security
  ✓ Server hardware and networking
  ✓ OS patching (if using PaaS/SaaS)

Company (Customer):
  ✓ Who can log in to the HR system (RBAC)
  ✓ What data is stored (employee records)
  ✓ Encrypting sensitive HR data at rest
  ✓ Ensuring employees only access their own data
  ✓ Securing the devices employees use
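"Who can log in (RBAC)" is the customer's line in the example above, and it has to be checked, not just configured. The script below is an added example, not part of the chapter or of any Microsoft tooling: it reviews a list of role assignments whose field names are assumed to mirror `az role assignment list` output (`principalName`, `principalType`, `roleDefinitionName`, `scope`) and flags two least-privilege problems: a privileged role granted at subscription or management-group scope, and a privileged role assigned directly to a user instead of a group. The assignments and the subscription id are constructed placeholders.

```python
"""Review Azure RBAC assignments for broad or user-direct privileged roles.

Added example for the practical HR-system scenario. Field names follow the
JSON returned by `az role assignment list` (an assumption about the CLI's
output shape); the assignments below are constructed, and the subscription id
is a placeholder.
"""
from typing import Dict, List

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"managementGroup", "subscription"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed sample assignments for the HR workload.
SAMPLE_ASSIGNMENTS: List[dict] = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "HR-App-Operators", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-hr"},
    {"principalName": "hr-portal-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": f"{SUB}/resourceGroups/rg-hr"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-hr/providers/Microsoft.Compute/virtualMachines/vm-hr-01"},
]


def scope_level(scope: str) -> str:
    """Classify an ARM scope string as managementGroup, subscription,
    resourceGroup or resource (comparison is case-insensitive, as ARM ids are)."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "unknown"
    if parts[0] == "providers" and "managementgroups" in parts:
        return "managementGroup"
    if parts[0] != "subscriptions":
        return "unknown"
    if "providers" in parts:
        return "resource"
    if "resourcegroups" in parts:
        return "resourceGroup"
    return "subscription"


def review_assignments(assignments: List[dict]) -> List[Dict[str, object]]:
    """Return one finding per assignment that violates least privilege."""
    findings: List[Dict[str, object]] = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in PRIVILEGED_ROLES:
            continue
        reasons: List[str] = []
        level = scope_level(a["scope"])
        if level in BROAD_SCOPES:
            reasons.append(f"{role} granted at {level} scope")
        if a.get("principalType") == "User":
            reasons.append("privileged role assigned directly to a user instead of a group")
        if reasons:
            findings.append({"principal": a["principalName"], "role": role,
                             "scope": a["scope"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']} ({f['role']} @ {f['scope']}):")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Run against the sample, the group holding Contributor on the HR resource group and the Reader service principal pass; the subscription-wide Owner and the user-direct Contributor on the VM are reported. Scope classification is what makes the first check meaningful: the same Contributor role is acceptable on one resource group and a finding at the subscription level.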

AZ-900 Exam Tips

  • Know which responsibilities always belong to you (data, identity, devices)

  • Know which responsibilities always belong to Azure (physical hardware, network, data center security)

  • Know how responsibility shifts as you move from IaaS → PaaS → SaaS

  • Remember: the more managed the service, the less infrastructure responsibility you carry


Quick Recap

Shared Responsibility = "We both handle security, just different parts."

Always Azure's:   Physical data center, hardware, network
Always Yours:     Your data, identity, access, devices

IaaS → You do more (OS, app, config)
PaaS → Azure does more (OS, runtime)
SaaS → Azure does almost everything
