Key Takeaways:
- Cloud security is shared: Your cloud provider secures the infrastructure, but you are always responsible for your own data, account access, and backup strategy.
- Responsibility depends on the model: In IaaS, you manage the OS and data. In SaaS, your focus is on identity, access, and protecting your information. Know what’s yours to protect.
- Backup is never their job — it’s yours: Built-in redundancy or replication doesn’t equal backup. Even in SaaS apps like Microsoft 365 or Salesforce, you must back up your data.
- Veeam supports your role in the model: With support across IaaS, PaaS, and SaaS, Veeam ensures that your part of the responsibility — especially data protection — is fully covered.
- The 3-2-1-1-0 rule still applies: To meet your side of the responsibility, keep multiple copies of data, use different media, have an off-site and immutable backup, and test for errors.
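The 3-2-1-1-0 rule is easy to state and easy to drift away from, so a small checker that scores a backup inventory against each element of the rule is useful. The following is an added example written for this page, not Veeam's code or any product API; the inventory format (`DataCopy` records with media, site, immutability and verification flags) is an assumption, and the sample inventories are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    """One copy of a dataset. Hypothetical record format (not a vendor schema)."""
    name: str
    media: str                 # e.g. "disk", "object-storage", "tape"
    site: str                  # where the copy physically lives
    immutable: bool            # WORM / object lock / offline tape
    is_production: bool = False
    verified_ok: bool = False  # last restore test or integrity check passed


def evaluate_3_2_1_1_0(copies):
    """Score an inventory against 3-2-1-1-0.

    3 copies of the data (production counts as one), on 2 different media,
    1 copy off-site (a site other than where production lives),
    1 copy immutable, and 0 errors (every backup copy verified).
    Returns (per-element result dict, list of failed elements).
    """
    production = [c for c in copies if c.is_production]
    backups = [c for c in copies if not c.is_production]
    primary_sites = {c.site for c in production}
    result = {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.site not in primary_sites for c in backups),
        "1_immutable": any(c.immutable for c in backups),
        "0_errors": bool(backups) and all(c.verified_ok for c in backups),
    }
    gaps = [element for element, ok in result.items() if not ok]
    return result, gaps


# Constructed sample inventory that satisfies the rule.
SAMPLE_INVENTORY = [
    DataCopy("prod-db", "disk", "hq", immutable=False, is_production=True),
    DataCopy("local-backup", "disk", "hq", immutable=False, verified_ok=True),
    DataCopy("cloud-backup", "object-storage", "cloud-region-1",
             immutable=True, verified_ok=True),
    DataCopy("tape-vault", "tape", "offsite-vault", immutable=True, verified_ok=True),
]

# Constructed inventory that looks like "we have backups" but fails three elements:
# everything sits at HQ, nothing is immutable, and one copy was never test-restored.
WEAK_INVENTORY = [
    DataCopy("prod-db", "disk", "hq", immutable=False, is_production=True),
    DataCopy("local-backup", "disk", "hq", immutable=False, verified_ok=True),
    DataCopy("replica", "object-storage", "hq", immutable=False, verified_ok=False),
]


if __name__ == "__main__":
    for label, inventory in (("sample", SAMPLE_INVENTORY), ("weak", WEAK_INVENTORY)):
        result, gaps = evaluate_3_2_1_1_0(inventory)
        print(label, result, "gaps:", gaps or "none")
```

The "weak" inventory is the pattern the article warns about: replication and a second local copy count toward "3 copies" and "2 media" but leave no off-site or immutable copy, and an untested copy fails the "0 errors" element.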
The shared responsibility model is one of the most important features of effective cloud security and your organization’s overall security posture. This applies whether you use a Software-as-a-Service (SaaS) model, such as Microsoft 365, or an all-encompassing Infrastructure-as-a-Service (IaaS) model. There are always responsibilities shared between you and the cloud service provider. The model defines the individual responsibilities of the cloud service provider (CSP) and the customer. It also covers shared accountabilities where both parties have a role to play. The advantages of the shared responsibility model include an improved cybersecurity posture, greater accountability, and lower costs compared to more traditional deployments. But as a cloud customer, you’re always responsible for your organization’s data security, which includes backups and restores. You must ensure you have safe, secure, and reliable backups. In today’s digital landscape, this is a question of business continuity.
This article breaks down how responsibilities shift across SaaS, PaaS, and IaaS, and how solutions like Veeam Data Platform can help ensure your organization’s data is always safe and recoverable, no matter who manages the infrastructure.
When you move workloads to the cloud, your responsibilities change. The cloud service provider becomes accountable for the provision of certain services while you retain responsibility for the remainder. In some cases, you and the cloud provider share specific responsibilities. This is known as a cloud shared responsibility model.
The distribution of responsibilities may differ depending on the CSP and the type of service you use. In each instance, you, the user, have specific responsibilities regarding cloud security and compliance. You’re always responsible for the security of your data and your backups. By taking the time to fully understand these requirements and implement appropriate security measures, you can alleviate concerns regarding cloud security.
The division of responsibilities depends on the cloud solution you employ. At one extreme is the bare-bones IaaS model, where all the CSP provides is a cloud-based host structure. At the other extreme is the SaaS model, which includes everything from the basic hardware to a complete software application.
It’s important to note the nuances of each CSP’s offering you’re considering or employ. For example, not all SaaS applications are the same. In some instances, the provider claims responsibility for everything except the client’s data, while in others, customer responsibilities also include access control, application configuration, and data security.
Each model, SaaS, IaaS, or PaaS, defines a different balance of responsibility between the cloud provider and the customer. By understanding the distinctions between these models, organizations can better identify which security and management tasks fall to them and which are handled by the provider.
IaaS: Infrastructure as a Service
IaaS is the closest equivalent to having an on-premises data center, except it’s in the cloud. The CSP’s responsibility is the provision of a physical or virtual host, network, and data center. This includes the security, management, and software maintenance of these facilities. As the user, you’re responsible for the security of the operating system, software applications, network management, data storage, backups, application configuration, accounts, and identity controls.
PaaS: Platform as a Service
The main difference between IaaS and PaaS is how much the provider manages. With IaaS, the cloud provider supplies the core infrastructure, including servers, storage, and networking. They may also provide the operating system, depending on the service. Customers are responsible for managing the OS (if not included), applications, and data.
With PaaS, the provider manages more, including the operating system, middleware, and services like managed databases. Customers don’t install or manage the OS or database engine. Instead, they simply use the platform’s services for their applications, and handle application configuration, data, and access management.
SaaS: Software as a Service
With the SaaS model, the CSP provides and is responsible for the infrastructure, operating system, and application. As a user, you just need to initialize and configure the application to your needs and start using it. Examples include Microsoft 365, Salesforce, Dropbox, and Slack — you remain responsible for the security of your data. While the CSP has a shared responsibility to ensure the security of the infrastructure and applications, you must do your part by maintaining secure accounts, user identities, and data integrity. Actual responsibilities differ depending on the application and the extent to which you can alter its configuration.
Cloud Service Provider Responsibilities
CSP responsibilities vary depending on the cloud model. In all instances, the CSP is responsible for the provision and security of the physical data center, host software, and internal networks. They do this through physical measures, strong security software, firewalls, and protocols. A CSP protects against unplanned downtime through rapid failover services to mirror data centers, comprehensive internal backups, and sophisticated disaster recovery solutions. They manage virtualization layers that allow users to access and provision resources. The CSP also provides security measures to help safeguard customer accounts from external threats and unauthorized access.
However, customers are responsible for setting up and securing their own accounts, identities, and data. This includes tasks like creating strong passwords, managing permissions, and maintaining reliable backups.
In the case of SaaS and PaaS solutions, the CSP manages all resources up to an agreed level related to the service provided and the customer’s needs. These include software updates, security patches, and all aspects of operational security for services provided by the CSP.
Customer Security Responsibilities
Let’s take a closer look at your organization’s responsibilities as a cloud customer. The easiest way to determine whether something falls under your responsibility is to consider if that aspect of managing the server or application is under your control. In general, if you have sufficient rights to manage something, it’s your responsibility. Some items that would fall under your responsibility include:
- Your data (encrypting, backing up, and protecting the data)
- Endpoint security
- Account management
- External network connections
- System configurations
- Software updates and security patches (where applicable)
- Regulatory compliance (e.g., data retention)
- Identity and access management (such as Microsoft Entra ID)
It’s also the customer’s responsibility to ensure that only authorized individuals have access to the cloud platform and that users are only granted the privileges they need. Following security best practices, such as separation of duties, access segmentation, and the principle of least privilege, can help with this.
The same goes for identity and access management. For example, as detailed in Veeam’s Entra ID Shared Responsibility Model, while Microsoft, as the SaaS provider, delivers the underlying security and availability of the Entra ID platform, organizations remain responsible for managing identity lifecycles, configuring access policies, and protecting against data loss.
Veeam’s 2025 Risk to Resilience Report highlights that many cloud users don’t fully appreciate these responsibilities. These concerns extend to data retention periods and data security.
| Model | Cloud provider responsibilities | Customer responsibilities |
| --- | --- | --- |
| SaaS | Physical data center security; network infrastructure; physical hosts; virtualization layer; operating system (OS); middleware; application | Data (protection, backup, encryption); identity & access management; user access controls; application configuration (if applicable); compliance & governance |
| IaaS | Physical data center security; network infrastructure; physical hosts; virtualization layer | OS (install, patch, secure); applications (install, configure, secure); data (protection, backup, encryption); identity & access management |
| PaaS | Physical data center security; network infrastructure; physical hosts; virtualization layer; operating system; middleware (database engines, runtime) | Applications (build, configure, secure); data (protection, backup, encryption); identity & access management; compliance & governance |
At a time when many companies’ IT departments are stretched, the shared responsibility model is a strategic approach that strengthens cloud security and streamlines operations. With larger budgets and technical depth, CSPs can relieve your team of significant responsibilities. Benefits include an improved security posture, a clear division of responsibilities, greater flexibility, and reduced costs.
- Improved security posture: With broader obligations, CSPs devote significant resources to security, and their teams have significantly greater expertise. They ensure their teams deploy firmware and software updates and patches in a timely manner. Their teams focus on keeping systems secure and free of malware, and they constantly monitor their systems for cyber threats.
- Clear division of responsibilities: Shared responsibility models clearly define roles and accountabilities. Both parties understand who does what, which avoids confusion. The cloud shared responsibility model helps eliminate skill or resource gaps and frees client resources to focus efforts on priority areas.
- Flexibility and scalability: Compared to on-premises solutions, the cloud provides immense flexibility, allowing users to tailor their applications to suit current needs while still having the ability to scale as needed.
- Operational efficiency: Offloading infrastructure-level tasks to the provider allows internal teams to prioritize application-level controls and strategic initiatives.
- Regulatory alignment: With defined data ownership, you can implement policies and controls aligned to compliance standards like GDPR, HIPAA, or ISO 27001.
- Scalability with control: Whether in SaaS, IaaS, or PaaS models, you can scale services quickly while retaining governance over critical areas like access policies and data protection.
Understanding your role is one thing; executing it well is another. These best practices help you uphold your part of the shared responsibility model and reduce the chance of a breach or data loss incident.
- Service level agreement: Study the SLA between you and your CSP. Note that these agreements differ between providers and can depend on the services you use. Identify and address any gray areas and carefully define your responsibilities.
- Security considerations: You’re always responsible for the security of your data, so prioritize developing a data protection strategy.
- Identity and Access Management (IAM) policy: Use role-based access controls, multifactor authentication (MFA), and least privilege principles. These measures secure accounts and limit exposure.
- Encryption and data backup: Even if the provider protects the infrastructure, you’re still responsible for securing, encrypting, and backing up your data across workloads.
- Develop a data protection strategy: Have a documented, tested plan for backup, retention, and recovery. Veeam solutions like the Data Platform can help automate and enforce this.
- Monitor for misconfigurations and threats: Use tools like Veeam ONE to continuously scan for unusual activity, changes in workloads, or configuration drift that may expose vulnerabilities.
- Compliance: Conduct a comprehensive review of all laws and regulations regarding data security and privacy that apply to your data. Make sure your CSP can comply with these requirements.
- Audits: Continually audit your systems using threat hunting and forensic tools to detect unauthorized or malicious traffic. If relevant, scan for data exfiltration or unusual user behavior.
- Governance framework: Check that your provider has a governance framework that includes a person responsible for security and a security and compliance policy.
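The IAM and monitoring items above (MFA everywhere, least privilege, and watching for configuration drift) are the kind of customer-side controls that can be checked mechanically. Below is an added example written for this page, not Veeam ONE's logic or any cloud provider's API: it runs static posture checks over a snapshot of a tenant's identity and storage configuration and diffs that snapshot against a baseline to surface drift. The snapshot format, the user, role and bucket names, and the action strings are all constructed assumptions.

```python
import copy

# Constructed baseline: the approved state of a hypothetical tenant.
BASELINE = {
    "users": {
        "alice": {"mfa": True, "roles": ["reader"]},
        "bob": {"mfa": True, "roles": ["backup-operator"]},
    },
    "roles": {
        "reader": {"actions": ["storage:Get", "storage:List"]},
        "backup-operator": {"actions": ["backup:Run", "backup:Restore"]},
    },
    "storage": {
        "finance-archive": {"public": False, "immutable": True},
    },
}


def posture_findings(snapshot):
    """Static checks on one snapshot: MFA on every account, no wildcard
    actions in any role (least privilege), no public or mutable storage."""
    findings = []
    for user, u in snapshot["users"].items():
        if not u.get("mfa"):
            findings.append(f"user {user}: MFA disabled")
        for role in u.get("roles", []):
            if role not in snapshot["roles"]:
                findings.append(f"user {user}: assigned unknown role {role}")
    for role, r in snapshot["roles"].items():
        if any("*" in action for action in r.get("actions", [])):
            findings.append(f"role {role}: wildcard action violates least privilege")
    for bucket, b in snapshot["storage"].items():
        if b.get("public"):
            findings.append(f"storage {bucket}: publicly accessible")
        if not b.get("immutable"):
            findings.append(f"storage {bucket}: not immutable")
    return findings


def drift(baseline, current):
    """Flatten both snapshots to path -> value and report every key that was
    added, removed or changed relative to the baseline."""
    def flatten(d, prefix=""):
        out = {}
        for key, value in d.items():
            path = f"{prefix}/{key}"
            if isinstance(value, dict):
                out.update(flatten(value, path))
            else:
                out[path] = value
        return out

    base, cur = flatten(baseline), flatten(current)
    changes = []
    for path in sorted(set(base) | set(cur)):
        if path not in cur:
            changes.append(f"removed {path} (was {base[path]!r})")
        elif path not in base:
            changes.append(f"added {path} = {cur[path]!r}")
        elif base[path] != cur[path]:
            changes.append(f"changed {path}: {base[path]!r} -> {cur[path]!r}")
    return changes


def current_snapshot_example():
    """Constructed 'current' state: bob's MFA was switched off, a temporary
    wildcard role was created and granted, and the archive bucket went public."""
    cur = copy.deepcopy(BASELINE)
    cur["users"]["bob"]["mfa"] = False
    cur["roles"]["admin-temp"] = {"actions": ["*"]}
    cur["users"]["bob"]["roles"] = ["backup-operator", "admin-temp"]
    cur["storage"]["finance-archive"]["public"] = True
    return cur


if __name__ == "__main__":
    now = current_snapshot_example()
    print("posture findings:", posture_findings(now))
    print("drift from baseline:", drift(BASELINE, now))
```

Running the two checks together matters: `posture_findings` catches absolute violations even in a freshly approved baseline, while `drift` catches changes that are individually harmless-looking (a new role, a flipped flag) but were never approved.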
To gain a better perspective on the shared responsibility model, let’s look at three popular cloud platforms: AWS, Microsoft 365, and Salesforce. Each covers a different area of cloud services. AWS is primarily an IaaS model, but it offers PaaS and SaaS services. Office 365 and Salesforce are both SaaS cloud models.
AWS is currently the largest cloud service provider. The company has three main cloud platforms, including:
- EC2: Amazon EC2 is a virtual machine/compute resources service offering scalable computing.
- Glacier: Amazon Glacier is a low-cost, long-term data storage service for archiving data.
- Amazon S3: Amazon Simple Storage Service is a high-performance data storage system intended for frequently accessed data.
Amazon EC2 is an IaaS solution that uses Glacier and Amazon S3 for storage. AWS provides the hardware and hypervisor layers over which customers install their guest operating systems and applications. The AWS Shared Responsibility Model specifies that customers are responsible for managing their data and applying identity and access management (IAM) controls.
Microsoft 365 is an extremely popular cloud version of Microsoft’s Office Suite. Microsoft 365 is a SaaS service built on the Microsoft Azure cloud service. One of the attractive features of 365 is its built-in data replication service, which ensures your data is safe should something go wrong at one of Microsoft’s data centers. Many users assume the data replication service is the same as a backup service. It isn’t, nor is Microsoft 365’s recycle bin, which only offers short-term recovery options. The Microsoft 365 Shared Responsibility Model states that customers are responsible for securing and backing up their data, account information, and identities.
Salesforce offers a comprehensive suite of sales, marketing, and commercial software products under the Customer 360 brand name. Like Microsoft, Salesforce operates multiple data centers with full failover capabilities. However, this service doesn’t constitute a backup. It doesn’t protect against inadvertent deletion, corruption, or ransomware. The Salesforce Shared Responsibility Model makes it clear that it’s the customers’ responsibility to secure their Salesforce instance.
Secure Your Cloud Environment With Veeam
One constant across any cloud service provider is that the customer is always responsible for the security of their data, backups, configurations, and identity/account management. Retain full control and ownership of your data with Veeam’s platform-native Hybrid Cloud Backup Solutions. Veeam helps organizations align with the shared responsibility model by enabling backup and recovery across cloud-native and hybrid workloads, providing immutable storage and verified recoverability, and integrating with identity and access controls.
Staying secure in the cloud isn’t about relying on the provider. It’s about understanding your role and having the right tools to meet it. Veeam helps fill the protection gaps so you can meet today’s security expectations with confidence.
Frequently Asked Questions
- What is the cloud shared responsibility model in cybersecurity?
The cloud shared responsibility model defines the split of security and management responsibilities between the cloud service provider (CSP) and the customer. While CSPs secure the infrastructure, customers are always responsible for securing their data, accounts, backups, and access management.
- How do responsibilities differ between IaaS, PaaS, and SaaS in the shared responsibility model?
– IaaS: The customer manages the operating system, applications, data, and access controls, while the CSP secures infrastructure and networks.
– PaaS: The provider manages infrastructure and platform services, but the customer is responsible for application configuration, data, and identity management.
– SaaS: The provider manages infrastructure and the application, while the customer handles data protection, account security, and user access.
- Why is data backup still the customer’s responsibility in cloud services?
Even in SaaS or PaaS models, cloud providers don’t guarantee complete data protection against deletion, corruption, or ransomware. Customers must back up data independently to ensure recovery and compliance — solutions like Veeam help fulfill this critical role.
- What are the customer’s responsibilities in the cloud shared responsibility model?
Customers are responsible for:
– Protecting and backing up their data
– Managing user accounts and identities
– Configuring systems and access policies
– Ensuring endpoint security
– Meeting regulatory compliance requirements
- What are the benefits of the cloud shared responsibility model?
– Improved security posture through CSP expertise
– Clear division of roles and accountability
– Flexibility and scalability for businesses
– Cost savings compared to full on-premises security management
- How does Veeam support the shared responsibility model?
Veeam helps organizations fulfill their responsibilities by securing backups, protecting data across cloud platforms, and helping you recover fast in case of data loss or attacks, whether you are using IaaS, PaaS, or SaaS services.
- What best practices should customers follow under the cloud shared responsibility model?
– Understand your SLA with the CSP
– Implement strong identity and access management (IAM)
– Regularly back up data independently
– Stay compliant with data security regulations
– Perform regular audits and monitoring